Microsoft security is nothing to sneeze at

11.11.2005

What about Apache 2.0 vs. IIS 6? Since March 2003, Apache has had 25 announced vulnerabilities; IIS 6 has had two or three. Does that mean IIS 6 is more secure? I don't know, but most of the difference in vulnerability levels probably comes from the fact that Apache is running on 79 percent of the Internet Web sites in the world versus IIS' 19 percent market share. If the difference isn't from the popularity, it has to be because Apache is weaker. Which is it?

Want a good database program without frequent security problems? Maybe Microsoft SQL is the answer. Do you remember the date of the last Microsoft SQL exploit? MySQL and Oracle are faring worse these days, not better.

Can anyone do security better than Microsoft? I'm not sure. Mac OS X is gaining its fair share of patches on a regular basis. I may complain about Microsoft's patch Tuesday, but trying to keep my Linux and FreeBSD systems patched is becoming even more painful.

Free software proponents often say that open source code review guarantees that open source code will be more secure. Baloney! I love to read code, too, but how many of us have the time to review tens of thousands of lines of code? Plus, the really good people are already working 80 hours a week on projects for their bosses.

What about the open source review initiative that started last year -- and folded because of the lack of participation? What about one of the Linux kernel maintainers saying he thinks one of the biggest threats to Linux is the lack of good review?