Counting vulnerabilities
Mr. Jones found that five Vista vulnerabilities were disclosed in its first 90 days, exactly one of which was fixed by Microsoft. When he looked at Red Hat Enterprise Linux 4WS, the story was a little different: in the first 90 days of RHEL4, Red Hat fixed 181 vulnerabilities and left another 85 without patches. 129 of those vulnerabilities had been disclosed prior to the RHEL4 release. The result is a nice little bar chart showing that RHEL4 was two orders of magnitude worse than Windows Vista for security performance in the first 90 days. Scary stuff.
The numbers posted can be checked, and they are not far out of line. Red Hat published a table showing that a default install of RHEL4 WS suffered from 274 vulnerabilities in its first year of existence. That's a lot of security holes, even after accounting for the fact that a full 52 of them were in Ethereal (now Wireshark).
One could argue that the first 90 days is exactly the period of time one would want to look at if one's goal were to produce the most lopsided result. Before Vista's release, few people had the opportunity to look at it; there was not much outside probing for security holes going on. Vista was initially only available in its business edition, reducing both the scope of the system's functionality and the number of copies distributed. Every component of RHEL4, instead, had been publicly available for months before the system's release. There were no real surprises in RHEL4. The relatively long freeze time involved in the creation of an "enterprise" distribution makes the problem worse; while the world is busily finding (and fixing) security problems in free software, the packages for the upcoming RHEL release are just sitting there waiting to be decreed sufficiently stable. So of course there will be a big pile of RHEL vulnerabilities on the first day of release, and of course Vista will not have the same kind of pile.
Red Hat's response to this situation can be clearly seen on the RHEL4 security updates page. On the day of release, Red Hat put out 27 advisories, many of which fixed more than one vulnerability. For example, the postgreSQL update addresses five different CVE numbers, some of which were clearly worth fixing. First-day fixes also updated php, krb5, cups, KDE, thunderbird, Python, Perl, mailman, and more. Many of these were important fixes, though none of them were deemed "critical" by Red Hat; the first critical updates happened a few weeks later, when bugs in Firefox, HelixPlayer, and Mozilla were fixed.
One could well ask: why does Red Hat not fold these updates into the initial release? If they are good enough to issue on release day, they should be good enough to go directly into the distribution. There are certainly logistics issues here; mirrors would have to be updated and so on. But it's not like the old days when there were thousands of boxed sets to be manufactured. Red Hat could probably find a way to get the first-day updates into the distribution itself. The benefits, however, would be entirely in the area of public relations. The number of deployed RHEL4 systems in the first day (or the first 90 days) will be sufficiently close to zero that the amount of actual exposure caused by the existence of those vulnerabilities is negligible.
In his report, Mr. Jones goes to some trouble to try to filter out some packages which are not available on Windows as a way of heading off criticism that he is not comparing equal systems. But they are still not equal, of course, and never can be. Any default RHEL installation will certainly include Python, for example, and will suffer from Python's vulnerabilities, even if that installation never actually uses Python in a way which makes those vulnerabilities exploitable. Many RHEL4 systems will have installed the vulnerable versions of cvs, xloadimage, mysql, telnet, mailman, gaim, postfix, alsa-lib, vim, gpdf, enscript, Perl, etc.; these are all packages which are missing from a Vista install. The vulnerabilities in these packages are also not exploitable in much (probably a large majority) of RHEL deployments. How many companies deploy RHEL for the purpose of running HelixPlayer, busybox, or elinks?
Then, there's the silly ones. It might be embarrassing that the initial RHEL4 release included a bug with a 1999 CVE number. This vulnerability was in cpio, which neglected to create archive files with the user's umask taken into account. As a result, cpio archives created with the -O option have world read and write permissions granted. This is a bug worth fixing, but it would be amazing if anybody, anywhere, were to actually be affected by this bug. Even so, the cpio vulnerability counts in the total.
Perhaps more to the point, how many vulnerabilities like the cpio hole will ever be disclosed in Vista? No security researcher is likely to bother disclosing a bug like that. If that sort of problem is fixed at all, it will be a quiet part of some service pack update with no public announcement. By so aggressively going after and fixing this kind of security problem, we are causing the number of disclosed vulnerabilities to grow in a way that most proprietary software companies would try to avoid. Finding and fixing these problems remains the right thing to do, though, regardless of who is counting the resulting advisories.
It is also worth pointing out that some of the disclosed vulnerabilities are mitigated by Red Hat's use of exec-shield and SELinux. Red Hat still fixes the bug because it's the right thing to do, but, for some of these vulnerabilities, exploitation is difficult or impossible even without the fix.
The most important points, though, are these: (1) despite the
seemingly large number of vulnerabilities, the number of systems actually
compromised still seems to be quite low, and (2) this number of
vulnerabilities is still far too high, regardless of what any other
operating system is doing. It is encouraging that the number of remotely
exploitable vulnerabilities is small, but the fact that we are arguably not
getting any better at not putting security holes into our code in the first
place is discouraging. There is still much to be done in the areas of
careful coding, pre-release security auditing, and security-related
development tools. Regardless of what one thinks of the methodology of
this report, the security bugs that were counted are real; every one of
them is a reminder that we can be doing better.
| Index entries for this article | |
|---|---|
| Security | Bug reporting |
(Log in to post comments)
Counting vulnerabilities
Posted Jun 22, 2007 21:37 UTC (Fri) by smoogen (subscriber, #97) [Link]
Another big issue that seems to be lost is that outside researchers can not see the Vista code in large enough numbers to really evaluate the code. A lot of the same bugs could be there but may only be known internally or by the usual BlackMarket crack organization.
It would be interesting to make a Vista comparible OS. Just equivalent packages what MS ships in XP and Vista... and then have everything as 'extra-packs'
It would also be interesting to make a comparison of 180,360,720, and 1440 days.
Counting vulnerabilities
Posted Jun 22, 2007 22:30 UTC (Fri) by pr1268 (subscriber, #24648) [Link]
> It would also be interesting to make a comparison of 180,360,720, and 1440 days.
Or even easier, compare Windows XP to RHEL 4 in the above time frames.
Counting vulnerabilities
Posted Jun 25, 2007 11:55 UTC (Mon) by Randakar (guest, #27808) [Link]
Heh. That's not even the whole story; A few days ago I saw a site reporting that Microsoft is SILENTLY FIXING security vulnerabilities; As in, not reporting them at all - just fixing them without telling anyone.*
So any study based on "official vulnerabilities" falls down right there. If the vendor isn't even honest about it there is no way in hell the numbers will tell us anything about the actual security provided when you run their OS.
*) I don't remember where I saw it though - If somebody could post the link that'd be kind.
Counting vulnerabilities
Posted Jun 25, 2007 14:14 UTC (Mon) by nix (subscriber, #2304) [Link]
But everyone does that.
To be specific: everyone quietly fixes bugs which *might potentially* be considered security vulnerabilities, if just because they don't realise that they're vulnerabilities at the time they fix them.
You don't need to be nefarious to do that.
(Equally, known vulnerabilities in unreleased or released-as-development versions of free software are often fixed without formal vulnerability announcements, on the basis that anyone who was bitable by this bug is going to be upgrading often anyway, or why else would they be running a development release?)
Counting vulnerabilities
Posted Jun 28, 2007 16:45 UTC (Thu) by amikins (guest, #451) [Link]
I think the allegation here is more to the effect of patching installed versions without any notification that there is an issue or that the system is updating itself.I haven't seen anything to that effect, but then I avoid learning anything about Vista when I can.. It just infuriates me.
Counting vulnerabilities
Posted Jun 22, 2007 22:41 UTC (Fri) by dmarti (subscriber, #11625) [Link]
"a reminder that we can be doing better" for developers and distribution maintainers, and for everyone else a reminder that we should be aggressively weeding newly installed systems for unused software. Your package manager's remove command, "ls /etc/init.d", and "nmap localhost" are your friends.
Minimizing packages
Posted Jun 23, 2007 1:10 UTC (Sat) by jmorris42 (guest, #2203) [Link]
> reminder that we should be aggressively weeding newly installed systems for unused software.
Always sound advice, but becoming harder to do. The minimum RPM transaction to bootstrap RHEL4's packageset is 75. That gets you rpm installed and not much else. Drop in the next 84 package interdependent bundle and you will have vim-minimal available. There are literally hundreds of packages on a typical system that aren't really being used but can't be removed because some other little used package has a tenuous relationship with it.
Examples:
Servers with no sound capability that must have alsa-lib because gnome-libs and kdebase ultimately depend on it.
Well a RHEL4 server certainly doesn't need ogg support, right? If you stick to the recommended GNOME desktop it doesn't, but kdebase does depend on it.
Don't have a Palm(tm) device? Well you need to keep it installed if you use Evolution.
Or check this dependency trail. On a system running only GNOME, certainly there shouldn't be a need to keep Qt hanging around right? Wrong. Qt is needed by arts, with is needed by gstreamer-plugins -> gnome-applets -> gnome-media -> nautilus-media -> rhythmbox -> gnome-volume-manager -> gnome-session-manager. So remove Qt and by the time the cascade settles gnome is toast.
Minimizing packages
Posted Jun 23, 2007 3:02 UTC (Sat) by mattdm (subscriber, #18) [Link]
But why are you putting *any* desktop environment on your server?
Minimizing packages
Posted Jun 23, 2007 4:35 UTC (Sat) by chaneau (guest, #6674) [Link]
There are legitimate reasons to put a desktop environment on a server, here, for example, I'm in the process of replacing all the PC with thin clients.
Minimizing packages
Posted Jun 23, 2007 10:29 UTC (Sat) by mattdm (subscriber, #18) [Link]
Sure, but that's a special case, and in that case, it's no surprise that something in your installed stack of apps requires sound libraries.
Minimizing packages
Posted Jun 23, 2007 9:00 UTC (Sat) by pcampe (guest, #28223) [Link]
>But why are you putting *any* desktop environment on your server?
You need to install Oracle (I haven't done this in the last 2 years, so maybe I'm wrong, but for sure there are server programs that you could install/use/monitor only with a graphical interface, and for security, licenses, performance reasons you can't work from a remote workstation, eve if "remote" means "in the same LAN").
Minimizing packages
Posted Jun 23, 2007 18:36 UTC (Sat) by AJWM (guest, #15888) [Link]
> You need to install Oracle
Oracle is _horrible_ as far as that goes. One of our customers runs some Oracle reporting apps that _require_ X Windows to be running (and with xhost+ to the other servers that use the reporting app). Yeah, we can configure Xvfb to do the job, but it's a pain. All this so the Oracle app can do some font rasterizing or something.
Other "management" apps are just as bad, requiring a graphic or browser interface (hello, SANsurfer) to do anything useful. Try that when your server is in a private (10.x.x.x) LAN that requires a couple of intervening ssh servers to get to. Yes, it can be done by setting up the right ssh tunnelling, but it's a pain in the butt compared to command line (and scriptable!) access.
Even amongst the apps in a single distro that DO permit an alternate command line mode, it's inconsistent. up2date-nox vs printconf-tui, anyone?
Okay, rant off.
Minimizing packages
Posted Jun 25, 2007 14:38 UTC (Mon) by nix (subscriber, #2304) [Link]
It's not even font rasterizing. The thing's getting font metrics and that's all.
(Client-side fonts, guys?)
Minimizing packages
Posted Jun 23, 2007 12:26 UTC (Sat) by evgeny (subscriber, #774) [Link]
Solution: Gentoo (or like, source-based distros).
Minimizing packages
Posted Jun 27, 2007 20:43 UTC (Wed) by hazelsct (guest, #3659) [Link]
Uh, how does that provide any advantage at all? You can remove .rpms or .debs to minimize vulnerabilities as easily as source-based packages (arguably more easily).
Minimizing packages
Posted Jun 27, 2007 21:35 UTC (Wed) by ksmathers (guest, #2353) [Link]
Package dependencies arise from the configuration options selected on the machine where the developer built the system. Source based distributions do not have arbitrary dependencies. If you build an app without another library present, and if it can configure itself for the lack of library, then it does.
That can't happen effectively in a system of compiled packages, but it is only important if you are a minimalist, or if you tend to use packages from different sources (which might therefor have conflicting binary dependencies.)
Minimizing packages
Posted Jun 28, 2007 5:51 UTC (Thu) by evgeny (subscriber, #774) [Link]
> but it is only important if you are a minimalist,
I remember from Debian-3.0 days, when I wanted to install the php-odbc module on a server (no X stuff at all), it attempted to install Gtk+, Corba, etc, plus some of Gnome, only because the ODBC GUI setup utility was linked against all those libs. Call me minimalist...
Minimizing packages
Posted Jun 25, 2007 7:23 UTC (Mon) by flewellyn (subscriber, #5047) [Link]
I remember this nonsense from the days when I ran Red Hat Linux, back before Fedora and RHEL.I would try to install packages like KDE updates, and naturally they would require print
drivers...even though I had no printer. Or, when I wanted to use a GTK package, sometimes the
package in question would ask for GNOME...but I didn't USE GNOME at all! SuSE and other RPM-
based distros seem to have the same issue. I would have hoped they'd have it fixed by now.
DPKG-based distros seem better at allowing you to select "required" versus "recommended"
packages, but even there you have the issue of "Do I really need this, or is it just satisfying a
dependency for a feature I'll never use?"
Gentoo and other source-based distros, to me, seem to have the best solution: build only with
what you actually need, and disable features you don't need to use. Thus, excess packages get
pruned from the dependency tree and you end up with less clutter (and, not incidentally, fewer
possible vulnerabilities).
Minimizing packages
Posted Jun 25, 2007 22:03 UTC (Mon) by njs (subscriber, #40338) [Link]
>Gentoo and other source-based distros, to me, seem to have the best solution: build only with what you actually need, and disable features you don't need to use. Thus, excess packages get pruned from the dependency tree and you end up with less clutter (and, not incidentally, fewer possible vulnerabilities).
But the trade-off is that every box ends up running its own unique mix of code. Security-wise, this is good in that it increases diversity (so it's less likely someone will be able to pwn *all* Gentoo boxes), but reduces scrutiny on the actual code and interactions present on any particular box (so it's more likely that any particular Gentoo box *can* be pwned, which is probably what most sysadmins care about more).
Hard to know how much extra risk this is in practice, though; that'd make a lovely study, if anyone can figure out how to measure it.
Minimizing packages
Posted Jun 25, 2007 23:05 UTC (Mon) by flewellyn (subscriber, #5047) [Link]
But the trade-off is that every box ends up running its own unique mix of code. Security-wise, this is good in that it increases diversity (so it's less likely someone will be able to pwn *all* Gentoo boxes), but reduces scrutiny on the actual code and interactions present on any particular box (so it's more likely that any particular Gentoo box *can* be pwned, which is probably what most sysadmins care about more).
Actually, Gentoo does support binary packages, stored on a repository server that can be used to update the other machines in the cluster. I know of several clusters that do exactly this: one machine builds the updates, and then serves the binaries to the other machines. Obviously this really only works if you have a cluster of identical machines, but that's not unusual in a decent-sized server farm. Or a cluster of workstations.
Minimizing packages
Posted Jun 26, 2007 4:01 UTC (Tue) by njs (subscriber, #40338) [Link]
I know, but that's not very relevant to what I'm talking about. The issue I'm pointing out is that your particular set of programs each compiled with your particular quirky set of USE flags might have some novel security bug that no-one else noticed. Code that lots of people use tends to be well tested and highly scrutinized; weird and rarely used #ifdef'ed code tends to be just the opposite. This thread is advocating using more of the latter sort of code, and thus might actually increase security exposure. Running that same rarely used code across 10 boxes instead of 1 won't affect how much scrutiny it gets, you need lots of people in lots of different situations to get that.
It's hard to know whether this extra risk is important or just theoretical, though, hence my curiosity about quantifying it...
Minimizing packages
Posted Jun 26, 2007 8:21 UTC (Tue) by flewellyn (subscriber, #5047) [Link]
I can see how that might theoretically be a problem, but in all honesty, the set of USE flags for aparticular package doesn't have that much crazy variation.
In general, the USE flags tend to correspond to features that can be added or removed via
arguments to ./configure, so the number of variants for any particular package is no larger using
Gentoo than it would be using source-compiled packages that you did the ./configure; make;
make install dance on yourself.
Setting weird compiler optimization flags in the global make.conf, now, there I can see a source
of issues. Of course, so could the Gentoo developers, which is why the docs say not to do that.
Minimizing packages
Posted Jun 28, 2007 16:21 UTC (Thu) by jzbiciak (guest, #5246) [Link]
The point is that distro binaries very, very, very seldomly get rebuilt by the distro's users for most other distros. So, if one RHEL4 box is vulnerable in package XYZ due to how package XYZ was configured for RHEL4, then pretty much all RHEL4 users that have that package installed will have that vulnerability on their system.
In contrast, if the same package is available on Gentoo, and it's only vulnerable if you configure XYZ to make use of some other package PDQ, then only Gentoo users who have configured XYZ to use PDQ will be vulnerable. The same goes if you build a bunch of packages from source on any other distro, but only for those packages.
That's the distinction that's being drawn.
The flipside is that there might be some unforseen interaction between packages that a particular Gentoo configuration might expose and that other configurations won't. Since any given configuration will get less scrutiny, there's a higher chance of a given Gentoo box being vulnerable *on the basis of scrutiny alone*. The reality is that that's mostly theoretical, and in general removing features tends to (but does not always) remove vulnerabilities.
Minimizing packages
Posted Jun 27, 2007 7:47 UTC (Wed) by HenrikH (subscriber, #31152) [Link]
You are correct in that USE flags would yield a possibility that one runs programs with unknown holes in them, but then the attacker must also be aware of these unknown holes and also know that you compiled your packages with that very specific USE flags.
Not that it gives a warm and fuzzy feeling, but it would still be some uphill for a potential attacker. And more importantly is that thanks to the wide spread of USE flags a lot of previously unknown bugs will be reported (and hopefully fixed) due to the great variety of the users.
Minimizing packages
Posted Jun 28, 2007 11:29 UTC (Thu) by aglet (guest, #1334) [Link]
Given that dependency definition and management is one of (maybe the most!) important task in preparing a Linux distribution, I have to say I'm disappointed in RedHat. Trying to work out *why* things are installed on the system is always a pain, and the mix of "file", "library" and "package" dependencies makes it worse. It took me a while to figure out what was bloating it out, and how to keep it small, in the end I ended up with this in a kickstart file:%packages --resolvedeps --nobase @ core openssh-server up2date # ... extra packages go here...Including my app support bits & bobs, I wound up with about 180 RPMs or so -- this seems to be about the minimum to have a box that is actually useful.
I found rpmgraph helpful in visualising where things were coming from (I used poster to print the diagram out)
Perhaps it's better with yum (I'm still on RHEL 4), but I also loathe up2date with a passion. RHN is also annoying -- why no interface that I can use from the command line? I hate having to visit a web page to manipulate the subscriptions, I'm seriously considering wrapping it with Mechanize, then exposing it as a RESTful interface...
Everything installs
Posted Jun 23, 2007 1:16 UTC (Sat) by arjan (subscriber, #36785) [Link]
This is why distros like Fedora want to get rid of the "everything" install options... if people are installing mostly only the pieces they need (at least in broader groups), the exposure of the user becomes a lot lower. From a distro pov, it reduces the risk of a hole in some of the more obscure apps to affect a large numbers of users.
well one of the reasons at least (the otherone probably is "what does everything mean in the merged Fedora case")
Everything installs
Posted Jun 23, 2007 23:41 UTC (Sat) by ronaldcole (guest, #1462) [Link]
You need "everything" installs when you're building and distributing the RPMs of a package that "configure"s itself differently depending on what packages are installed (when the alternative is to be forever satisfying the whims of the "BuildRequires:" gods; who apparently have a rather ravenous appetite for "obscure apps").
Everything installs
Posted Jun 24, 2007 12:40 UTC (Sun) by mattdm (subscriber, #18) [Link]
That's kind of a big hammer for a little problem.
You can either do a quick awk command to feed those buildreqs to xargs yum install, or if you do this a lot, you could install mock to automatically ensure it's done right every time.
Microsoft better at patching XP than Vista (security.itworld.com)
Posted Jun 23, 2007 8:44 UTC (Sat) by HalloBaum (subscriber, #14304) [Link]
http://security.itworld.com/4347/070622vistapatching/page...
Counting vulnerabilities
Posted Jun 28, 2007 1:40 UTC (Thu) by jimparis (guest, #38647) [Link]
Wait a sec. You said there were 52 vulnerabilities in Wireshark. Wireshark can also be installed on Windows. That means Windows had at least 57 vulnerabilities, not 5. Or did they not count it just because it wasn't installed by default? Well, installed or not, the vulnerabilities couldn't have been triggered unless you actually RAN Wireshark.
If you want a fair comparison, you'll have to perform the same tasks on both systems. In most cases, that will involve either:
(1) Not running some of the software on the Linux machine. Even if it's installed, if the program is never executed (and can't be started by an attacker), it doesn't matter from a security point of view.
(2) Or, you need to install the same or equivalent set of software on the Windows machine -- in which case you've just introduced more vulnerabilities.
Counting vulnerabilities
Posted Jun 29, 2007 20:25 UTC (Fri) by giraffedata (guest, #1954) [Link]
The study compares products, so Wireshark on Windows doesn't count because it's not part of the Windows Vista product.
The article says the study doesn't count bugs in "packages" that are on RHEL but not Vista, which I assume means capabilities. And it doesn't say that the Wireshark bugs were counted against RHEL. (Though I could imagine they were if Vista comes with a similar tracing facility).
I believe a much more interesting figure would be number of bugs that were exploited during the period. That would discount bugs in unused code and bugs with no realistic way to exploit. It would be more applicable to the question, "should I do this job with Windows or with Linux"?
Counting vulnerabilities
Posted Jul 1, 2007 14:21 UTC (Sun) by jengelh (subscriber, #33263) [Link]
Perhaps Jeff Jones should try a different distribution (in fact, more than one!). Otherwise I'd easily accuse him of specifically taking one of the more
Why not built-in vulnerability checking???
Posted Jul 5, 2007 11:45 UTC (Thu) by jabby (guest, #2648) [Link]
A huge step forward would be for major project hosting sites (like SourceForge) to include vulnerability scanning. A quick search at freshmeat.net turns up a few FOSS source checkers that could be deployed against the code stored in these repositories (sparse, Audit-Perl). [And there's always the potential for these services to collaborate with the commercial scanning companies (Coverity) and/or DHS.]
The first objection will be that this will show all of those vulnerabilities to every black hat in the world. I shouldn't have to point out that this is something that they could have done themselves with a script. But, to appease this fear, the security scan results could be kept behind password access for project members/owners only.
Beyond that, the hosting service would just need to encourage its use. If scans were not done automatically after every update to the code (conceivably a burden on the hosting service), then there should at least be some sort of effort to force the code maintainers to scan their code before each release. If they elect *not* to scan, then a red flag could be inserted somewhere in the downloads page to notify potential users that this code has not be checked with the hosting service's vulnerability scanning tool.
It's not a perfect solution, but I'd consider it a way to avoid a raft of vulnerabilities now and into the future in one fell swoop.
Jason
Counting vulnerabilities
Posted Oct 3, 2007 13:48 UTC (Wed) by John_Emerald (guest, #48012) [Link]
First, remember that what was counted was "security patches".It is completely irrelevant to count the number of "security patches" for many different reasons, as already mentionned. To name a few : Security breach are not all took to public attention, the count of known security vulnerabilities has almost nothing to do with the count of existing vulnerabilities (which in any case would be a lot more numerous), open source has more eyes to bring more "known vulnerabilities", etc.
So at the objective point of view this analysis is totaly meaningless to help compare the two systems and can't prove anything as acknowledged even on Mr. Jones's blog. Jones said the point was to explore "common misperceptions".
The error is that "security patches" has been translated to "vulnerabilities"... Instead of "known vulnerabilities", should it need to be translated. If you do the correction, you can see that this could completely invert the meaning of the statistics and of a great part of the text, at a "common misperceptions" level of course. We could for example say that some companies were more concerned about security and released more patches.
Objective deductible facts #1) So lets recapitulate and put things strait :
This analysis is either on one side meaningless or on the other totally wrong, misleading and the opposite of reality.
Objective deductible facts #2) Lots of these articles are based on this translation "error". So either we have a security director who doesn't understand a bit of what he is talking about, or we have a marketing campaign disguised as personal blogs (plus, comments are moderated so the truth cannot be revealed to the public).
The two cases are showing objectively that Miscrosoft is a bad choice regarding security. The first case would mean their security director cannot understand security analysis basics. In fact it would show that he is not able to run or understand any analysis at all. The second case would mean that they are disguising their actions and lying to give misperceptions to the public (their consumers), which would mean we cannot trust them as a company. Honestly, can anyone see another possibility ?
I tried to mention the translation "error" in the comments on one of the Miscrosoft employees blog, but of course the comment has been "moderated".
Each time we don't address the simple and basic problem/error/lie directly and argue at their level, we are helping them to push and hide the real problem/error/lie further into the dark and intoxicate the public with wrong beliefs.
So... Please be cautious, don't help them on their campaign if you don't mean to and / or aren't paid to do it.
I'm asking everyone who reads this : Please, if you comment on these articles start by uncovering this basic and critical error, don't give them too much credits.