Security

Security Statistics and Operating System Conventional Wisdom 556

kev0153 writes "Microsoft Windows is more secure than you think, and Mac OS X is worse than you ever imagined. That is according to statistics published for the first time this week by Danish security firm Secunia. "Secunia is now displaying security statistics that will open many eyes, and for some it might be very disturbing news," said Secunia chief executive Niels Henrik Rasmussen. "The myth that Mac OS X is secure, for example, has been exposed." "
  • by pegr ( 46683 ) * on Monday July 05, 2004 @12:24PM (#9613644) Homepage Journal
    Until LanManager authentication is totally removed (not just turned off) from Windows, Windows will not be secure. There are just too many exploits involving LM authentication to take Windows seriously.

  • by martin ( 1336 ) <maxsec.gmail@com> on Monday July 05, 2004 @12:24PM (#9613652) Journal
    Would be nice to see how many of these *potential* exploits resulted in actual malware/hackers using them.

    Just because the potential is there doesn't mean these holes have exploits running in the wild.

    It's a risk thing...Windows exploits are *more* likely to be exploited than Solaris ones, but that doesn't mean the Solaris ones won't be exploited (cf a couple of super computer centers getting hacked!)
  • by djh101010 ( 656795 ) * on Monday July 05, 2004 @12:29PM (#9613690) Homepage Journal
    Looking at my email inbox, I see a ton of junk generated by the Windows virus/worm of the week. Looking at my firewall logs, I see very little probing for any of the Unix exploits.

    When the difference in use of exploits is an order of magnitude or two higher for the 'doze stuff, it's hard to see how a mere "count of vulnerabilities fixed" means much at all. The basic design differences between unix and 'doze are profound, which is why the 'doze exploits do so well.
  • by eamacnaghten ( 695001 ) on Monday July 05, 2004 @12:30PM (#9613695) Homepage Journal
    The article is an irrelevance and does not deal with the real issues of security.

    If a sysadmin is lazy and security unaware, he will ALWAYS be cracked into and exploited regardless of the OS system used, Windows, Linux, whatever. At the same time, if he is vigilant and security aware he is unlikely to be seriously cracked and his systems will be stable, again regardless of the OS involved.

    What I have found is that managing Linux properly is a lot easier and cheaper than managing the Windows OS's properly due to the better OS design in philosophy and security, and attitude of the OS maintainers.

    THAT to me is what is relevant.

  • The facts are hard to look at, yet we all know that Linux, despite opinions to the contrary, has suffered from system holes. And to be quite frank, the fact that Mac OSX is leaking like a Swiss cheese should not come as a surprise to anyone.

    Linux is fallible, but at least with open source we can find bugs and get rid of them quick, without waiting for patches. Windows is not as bad as OS X in this regard either.
    I find the statement "Linux suppliers took longer to release patches" odd. Is that true? I know security conscious admins will patch themselves, but is it true that vendors will ignore minor bugs?

    Perhaps this is what the MS reps meant when they said Linux was becoming more like Windows.
  • by Knuckles ( 8964 ) <knuckles@@@dantian...org> on Monday July 05, 2004 @12:30PM (#9613697)
    I can't see it mentioned in the article, and neither can I find the relevant stuff at secunia.com, but this is the first question I want answered before I spend another 10 seconds on this: do the numbers actually compare Windows with RedHat/SuSE stripped down to what a plain Windows install does, or do they yet again include all the security advisories for the 3,000 (or whatever) packages included with the distros?
  • by robogun ( 466062 ) on Monday July 05, 2004 @12:31PM (#9613705)
    Explain then the FUD from these guys, and why they ignore, in terms of everyday use, why only Windows/IE users can get r00ted by simply browsing a website, and OSX users can't. How come when I re-install Win2K SP# it takes 63 security updates over nine reboots before I can even consider plugging in directly to the net.

    This article is so beyond common sense and everyday experience, I cannot see how it can possibly hold up to examination.
  • Junk Science (Score:5, Insightful)

    by Hatta ( 162192 ) on Monday July 05, 2004 @12:33PM (#9613730) Journal
    The statistics, based on a database of security advisories for more than 3,500 products during 2003 and 2004

    The proportion of critical bugs was also comparable with other software - 33% of the OS X vulnerabilities were "highly" or "extremely" critical by Secunia's reckoning, compared with 30% for XP Professional and 27% for SLES 8 and just 12% for Advanced Server 3. OS X had the highest proportion of "extremely critical" bugs at 19%.


    This research tells you nothing about how secure an OS is. The number of security advisories has a lot to do with how diligent the OS manufacturer is in informing the public about security problems. For all we know Apple could just be a lot better about airing its dirty laundry than Microsoft. I would assume that due to the open source model, the statistics on SUSE were fairly accurate.
  • by EMR ( 13768 ) on Monday July 05, 2004 @12:35PM (#9613742)
    That OS X doesn't have any network service running when first installed!! Nothing, nada, zilch, zippo. In order to get exploited you need to have something running that accepts connections. The default install of Mac OS X doesn't have a thing, whereas Windows has way too much enabled and exposed. Most Linux systems nowadays, while they may have some things running, most are only listening on the internal host (not accessible outside the computer) and they enable the firewall by default.
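
The distinction the comment above draws, services that listen on every interface versus services bound only to the loopback address, is something you can check on any host rather than take on faith. The following is an added example, not code from the thread or from Secunia: it parses socket-listing output in the layout of Linux `ss -ltn` and reports which ports are reachable from outside the machine. The sample output embedded in the block is constructed for the example, not captured from a real system.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample in the column layout of `ss -ltn` on Linux.
# It is made up for this example; it was not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:22          0.0.0.0:*
LISTEN  0       50      [::1]:25            [::]:*
LISTEN  0       50      *:445               *:*
LISTEN  0       128     192.0.2.10:3306     0.0.0.0:*
LISTEN  0       128     [::]:80             [::]:*
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    loopback_only: bool  # True when only processes on this host can connect


def is_loopback(addr: str) -> bool:
    """Classify a bind address. Wildcards ('*', 0.0.0.0, ::) are reachable
    on every interface, so they are never treated as loopback."""
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # Non-numeric names are rare in ss output; treat 'localhost' as loopback.
        return addr == "localhost"


def _split_local(field: str):
    # "addr:port"; IPv6 addresses are bracketed, so split on the last colon.
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), port


def parse_listeners(ss_text: str) -> List[Listener]:
    """Turn `ss -ltn` text into Listener records, skipping the header line."""
    listeners = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, port = _split_local(parts[3])
        if not port.isdigit():
            continue
        listeners.append(Listener(addr, int(port), is_loopback(addr)))
    return listeners


def exposed_ports(ss_text: str) -> List[int]:
    """Ports that accept connections from other hosts (not loopback-only)."""
    return sorted({l.port for l in parse_listeners(ss_text) if not l.loopback_only})


def loopback_ports(ss_text: str) -> List[int]:
    """Ports that only this host can reach."""
    return [l.port for l in parse_listeners(ss_text) if l.loopback_only]


if __name__ == "__main__":
    print("exposed:", exposed_ports(SAMPLE_SS_OUTPUT))    # [22, 80, 445, 3306]
    print("loopback-only:", loopback_ports(SAMPLE_SS_OUTPUT))  # [631, 25]
```

On a live Linux box, feed it the real output of `ss -ltn` (or `netstat -tln`); on macOS the equivalent data comes from `netstat -an` or `lsof -iTCP -sTCP:LISTEN`, whose column layout differs, so the parser's field index would need adjusting. The point the thread makes survives either way: a vulnerability in a daemon that is not listening, or that listens only on 127.0.0.1, is not remotely reachable, and an advisory count that ignores the bind address overstates exposure.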
  • by RAMMS+EIN ( 578166 ) on Monday July 05, 2004 @12:36PM (#9613745) Homepage Journal
    Somebody explain to me how this article supports the claims that have been based on it.

    ``Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

    <snip>

    SuSE Linux Enterprise Server (SLES) 8 had 48 advisories in the same period, with 58% of the holes exploitable remotely and 37% enabling system access.

    <snip>

    Mac OS X does not stand out as particularly more secure than the competition, according to Secunia.

    Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.''

    So, Windows XP and SLES had about the same number of vulnerabilities, but SLES manages to keep them out of the vital parts better. Mac OS X has had significantly (about 30%) fewer vulnerabilities, with the percentage of vulnerabilities leading to system level access on par with SLES.

    What this says to me is that _if_ the detection ratio for all systems is the same (which I don't believe, but without this assumption, you can't say anything), WinXP is the worst, and OS X the most secure. This is exactly opposite to what is claimed.
  • Re:Missing Stats? (Score:1, Insightful)

    by stratjakt ( 596332 ) on Monday July 05, 2004 @12:36PM (#9613750) Journal
    They really do respond quickly, usually the first time I hear of a new exploit is when automatic update prompts me to download and install it. Usually a few days before it's posted on Slashdot for the second time.

    You can't compare to the OSS project directly. You have to compare to the distro. How long does it take for patched fixed code to be available by an emerge or apt-get? I know the OSS community is pretty good too.

    Frankly though, typing emerge -u samba (if say, it was a samba bug) takes about 6 months to complete on some of my less capable machines.

    I'm called a troll, and will be modded down again. But the plain truth is there is no perfect OS out there. Windows isn't perfect, linux isn't perfect, BSD isn't perfect, BeOS isn't perfect, OSX isn't perfect, Solaris isn't perfect.. Etc, etc.

    I tire of all the idiocy around OS's bandied about on slashdot. For a "news for nerds" site, people here sure don't know what the fuck they're talking about. It blows my mind how little they know about computers or the industry at times.

    Oh well.

    All modern OS's suck from a security standpoint. Why? Because we've only really GIVEN A FUCK about security for the last half a decade or so. Before that 99% of the worlds PCs were by themselves on a desk, or on some small 10mbit lan with a couple others.

    When a virus hit, it'd spread like wildfire across the sneakernet.

    No one worried about remote exploits, because there was no "remote", for the most part. Now, in the age of the internet, it's a big deal. But everyone's still learning. Hell, the internet began with completely insecure protocols (http, ftp, smtp, telnet). Our security was basically mutual trust and good faith.

    Anyways, the end.

  • by maximilln ( 654768 ) on Monday July 05, 2004 @12:37PM (#9613756) Homepage Journal
    Secunia, IMHO, is a respectable security source.

    I admonish the following:

    Security databases are largely fed with information from people working on open source code. It is much easier to find a logic fault in source code than to notice a bug and reverse engineer its origin in proprietary code. When I mangle entries for security databases the majority are for open source code. By and large the security databases are weighted in such a fashion that makes open source code look less secure.

    When I last looked at my Windows Update history on my machine at work, there were no fewer than 10 security patches and, going to the MS website, each one patched several security holes in this/that/the other. None of these will ever be documented in databases like Secunia because MS doesn't release the technical information. Secunia only lists the exploits which users in the field have found and submitted.

    So relax, people. The article may be inflammatory and perhaps the head of Secunia should be shoulder-checked for 3 hours straight on the soccer field, but the Linux OS is still outperforming the competition.
  • by Synn ( 6288 ) on Monday July 05, 2004 @12:38PM (#9613772)
    The study compares security alerts between OSes, but one problem with that is that at least under Linux vendors not only release alerts for the core OS, but for applications as well.

    If The Gimp has a security issue a Linux vendor will issue an alert for it.

    If Photoshop has a security issue, MS won't inform you.

    Also most alerts I see for Linux are pro-active, someone finding a bug that may be exploitable. Most alerts I see for MS are reactive, plugging a hole that has been exploited. That's the primary difference between open and closed source software. Not the number of bugs found, but when they're found and how fast they get fixed.
  • by mangu ( 126918 ) on Monday July 05, 2004 @12:38PM (#9613776)
    How many independent reports have we seen that come to the same conclusion?


    I once read that Hitler ordered a report made, signed by a hundred scientists, proving that Einstein was wrong. When they asked Einstein about it, he answered "if I was wrong, one scientist alone would be able to prove it".

  • by nurb432 ( 527695 ) on Monday July 05, 2004 @12:39PM (#9613783) Homepage Journal
    90% of security is the administrator. So it really doesn't matter how secure the 'system' is, as a good admin can make most anything secure.

    That said, most 'windows admins' are home users ( by percentage ) that have NO clue what they are doing...

    Home *nix admins tend to have more clue..

  • Re:Missing Stats? (Score:5, Insightful)

    by radicalskeptic ( 644346 ) <x&gmail,com> on Monday July 05, 2004 @12:39PM (#9613792)
    The stats don't make sense to me. Here's what I see:

    Windows XP Professional saw 46 advisories in 2003-2004, with 48% of vulnerabilities allowing remote attacks and 46% enabling system access, Secunia said.

    So that would mean, multiplying 46 by 48% would give you the number of remote attacks, and multiplying 46 by 46% would give you the number of attacks enabling system access. So for Windows:

    • 22.08 remote attacks.
    • 21.16 system access attacks.


    Don't ask me why they are not integers. I suppose that some advisories covered more than one bug?

    Now, for OS X:Of the 36 advisories issued in 2003-2004, 61% could be exploited across the internet and 32% enabled attackers to take over the system.

    Using the same system as before, I got:

    • 21.96 remote attacks.
    • 11.52 system access attacks.


    So they're saying OS X allows HALF the number of attacks that can gain access to a system as XP, but their conclusion is that "The myth that Mac OS X is secure, for example, has been exposed"??? Hmmm....
  • by mj01nir ( 153067 ) * on Monday July 05, 2004 @12:39PM (#9613793)
    But isn't it interesting that now when ever anyone appears to support Microsoft, they're automatically suspect of being a MS sock puppet? Years of string-pulling by Bill and Monkeyboy have put wireheads everywhere on alert. Looks like yet another underhanded tactic is backfiring on them.
  • Just counting (Score:3, Insightful)

    by miraclemax ( 702629 ) <magikmykl@mac.com> on Monday July 05, 2004 @12:40PM (#9613798)
    They're just counting bug fixes. And counting how many are labeled critical. Well, that still doesn't factor in, at all, how easy it is to exploit. Fact is, if you try to run a system level program on Mac OSX, it STILL will ask for admin password. So a program can't be run on your machine in kernel space without your knowledge. Windows seems to have been made for just this purpose. This study is laughable. It's just a count the bug fixes garbage. Linux has more fixes and updates because open source is more honest. How often have we heard of M$ waiting six months to release fixes that they knew about? How many holes are there that the public doesn't know about?
  • by laudney ( 749337 ) <br260@@@cam...ac...uk> on Monday July 05, 2004 @12:41PM (#9613815) Homepage
    In research, it's vital to differentiate between correlation and mechanism. Stating that Linux and Mac OS/X are less secure than Windows based on kindergarten-level integer comparison is correlation: i.e. following/duplicating superficial attributes of known objects in hope of getting the same results in other objects. This is almost always baseless and useless. It's more important to understand the underlying hidden reasons, or mechanisms: Windows security problems stem from awful designs in the OS, such as integration of all sorts of applications into kernel space for speed acceleration. Whilst Linux and Mac OS/X security problems are mostly from mis-configurations.
  • by IamTheRealMike ( 537420 ) on Monday July 05, 2004 @12:42PM (#9613816)
    Oh, okay, well, by MY reckoning, none of the OS X vulnerabilities were "highly" or "extremely" critical, therefore by MY reckoning, OS X is the most secure of them all!

    How can you not find arbitrary remote code execution from a web browser [incutio.com] highly critical? It meant that if a bad guy hacked a website popular with Mac users, they could take control of many machines potentially without their users noticing - just like the problems Windows has.

  • by Frater 219 ( 1455 ) on Monday July 05, 2004 @12:43PM (#9613823) Journal
    The reported study discusses the number and claimed severity of official security advisories for different systems. The factitious claims being made do not address the following problems:

    Different suppliers report vulnerabilities differently. Consider every "cumulative update" you've seen, and every "multiple vulnerabilities in $product" advisory from CERT. A supplier which is more honest and meticulous about vulnerability reporting may have more advisories but better security -- while one which batches up several bugs in a single advisory will underreport.

    A system which includes more software may have more advisories, even though most advisories do not affect most computers running that system. In Windows, a database server is a separate product whose advisories would not be counted against "Windows". Many Linux systems include at least two database servers, but they are not turned on by default. If a hole in MS SQL doesn't count against Windows, should one in mySQL count against Red Hat?

    Unpatched vulnerabilities may go for months without the release of an official advisory. For instance, a number of holes in Internet Explorer have been known and discussed within the security community well in advance of any official advisory from Microsoft.

    Systems which have better default system-wide security settings (e.g. packet filtering, services turned off by default) may have all kinds of "vulnerabilities" that can't actually be exploited. For instance, Mac OS X includes OpenSSH, but it's turned off until the user asks for it. A hole in OpenSSH cannot be exploited on a default-install Mac system.

    Leaving it up to the supplier to decide if something is a "vulnerability" or a "feature" leads to underreporting. Take CD autorun, for instance, which allows the installation of spyware when a (mostly-)audio CD is inserted into a Windows PC. A security-conscious user regards this as a vulnerability, but the supplier regards it as a beneficial feature.

    Some of the most common attacks -- such as viruses -- rely on social engineering, and on "features" that are not classed as "vulnerabilities". However, these attacks are also more prominent on some systems than on others. Any comparative assessment of security which discounts the most common attacks blinds itself to a wide segment of the security landscape.

  • by x0n ( 120596 ) on Monday July 05, 2004 @12:44PM (#9613830) Homepage Journal
    Not sure I understand you. You seem to be implying that when LM auth is disabled (via local/group policy), it is still exploitable? This is news to me.

    Please elaborate.

    - Oisin
  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Monday July 05, 2004 @12:45PM (#9613837)
    Comment removed based on user account deletion
  • by julesh ( 229690 ) on Monday July 05, 2004 @12:47PM (#9613861)
    Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure. There are just too many exploits involving telnet to take Linux seriously.

    What's wrong with having insecure features that are disabled by default? Many people operate in secure environments where such features (which they need for interoperability reasons) offer a "good enough" degree of security. There's no point in making these people's life harder.
  • by jmccullough ( 250189 ) on Monday July 05, 2004 @12:49PM (#9613877)
    Browsing through Secunia's Site [secunia.com] doesn't reveal too much regarding the report mentioned in the article. The links to the vendors' security pages do show that Apple, SuSE, and others list vulnerabilities and security issues for products not developed by the particular company. Apple [apple.com] lists Apache, OpenSSH, rsync, and others, since most Linux and BSD operating systems report security vulnerabilities in third party applications. Thus, listing SuSE and Red Hat as having 48 and 50 vulnerabilities respectively, 57 of them are probably the same vulnerabilities.

    In my experience Microsoft only lists security vulnerabilities for their own products. With the methods used in these statistics vulnerabilities and the open source community are probably overcounted many many times over.

    Secunia is probably just trying to get attention.
  • by JohnFromCanada ( 789692 ) on Monday July 05, 2004 @12:52PM (#9613908)
    "These are the statistics that really matter:
    Secunia Virus Statistics"

    Uh, no they're not. Viruses in many cases stem from exploits in the underlying operating system. If there are exploits in the OS and it is worthwhile, virus writers will start programming/scripting viruses for Mac. The fact that they continue to hold such a low market share makes it really unnecessary for a virus writer to target them, when they can infect 100000 times the amount of machines on a Windows OS. Exploits can lead to viruses and are easily just as problematic, as without the exploit there would be no virus. Furthermore, Apple has been incredibly slow at releasing updates and fixes in the past. Unlike what all the Apple marketers want you to believe, their OS is easily vulnerable just like all others. MS may be the worst but that is yet to be proven, as they hold such a dominant position in the market that there is virtually no effort to produce viruses for the other platforms. Security takes effort and knowledge no matter what platform you are on.
  • by AliasTheRoot ( 171859 ) on Monday July 05, 2004 @12:56PM (#9613955)
    There's no telnetd on my machine, which is an out-of-the-box install.
  • by MobyDisk ( 75490 ) on Monday July 05, 2004 @12:59PM (#9613984) Homepage

    Firstly, this article is a summary of some other set of statistics. These summaries are usually horrible since the writers really don't understand statistics. Things never add up to 100%, and one quote often refers to a slightly different way of calculating things than another.

    I don't know tons about security, so I read this with an open mind. But I KNOW some things are wrong:

    A recent Forrester Research study compared Windows and Linux supplier response times on security flaws and was heavily criticised for its conclusion that Linux suppliers took longer to release patches.

    I haven't read Forrester's research, so I would like to see it. (anybody know a link?) OSS is definitely faster at releasing patches. We see that time and time again. Perhaps they were comparing how long it took for the vendors like Red Hat to ship product updates for Apache, or put them on their web sites? But if I installed Apache, I don't look to Suse or Red Hat or Mandrake for my updates, I look to apt-get or apache.org. Of course, MS claims that all exploits come from MS patches [slashdot.org] anyway. (Which is proven not to be true on a weekly basis).

    Lastly, the article rebuffs itself in the final quote:

    A product is not necessarily more secure because fewer vulnerabilities are discovered," he added.
    Even though that is the basis for the article's comparisons. lol!
  • Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure.

    So you're saying Linux is secure? Good. You see, it's been a few years since telnetd was installed in a base Linux install. I'd say that qualifies as "totally removed".

  • Troll (Score:2, Insightful)

    by Anonymous Coward on Monday July 05, 2004 @01:01PM (#9613999)
    Telnetd is removed from all modern Linux distribution default installs. Also, telnet doesn't have many exploits as such, it's just that it is not encrypted.
  • It's a good point, but the article doesn't seem to justify the conclusions.

    I have no knowledge of WHERE they are getting their funding. But they don't seem to have any criteria by which someone besides themselves can judge the security of a system. Saying "Mac security is worse than anyone imagined" is nugatory without saying how bad you think someone had imagined it as being...unless you give some other indication of how bad you think it is. Perhaps they did, and I just didn't understand them. I must admit that I didn't bother to read the article very carefully after the first few wild accusations without immediate proof. Instead I skimmed it looking for proof, which I didn't find.

    So perhaps they're just trying to drum up business, but they don't appear to be a group that should be trusted. (But *do* be aware that this may just be the marketer or "journalist" who put this article together.)

  • Re:Missing Stats? (Score:5, Insightful)

    by zhiwenchong ( 155773 ) on Monday July 05, 2004 @01:02PM (#9614015)
    I think it's just a case of their phrasing being misleading.

    I believe they mean that
    1) Windows is not as insecure as YOU THINK
    2) Mac OS X is not as secure as YOU THINK (they assume Mac OS X users think that the operating system has 0 to few exploits)

    They're not really saying that Windows is more secure than Mac OS X. But the way they said it -- well, sure could mislead a lot of people.
  • by Biotech9 ( 704202 ) on Monday July 05, 2004 @01:17PM (#9614129) Homepage
    Unrepentant Mac Apologism time! It seems that there are some "statistics" flying around that can be interpreted to mean that Mac OS X is, practically speaking, no more secure than Windows, and we certainly can't let that sort of stuff go unchecked, now, can we? Whether it's true or not, we mean. So we feel it's our sworn duty to cast all sorts of aspersions on the reliability of said stats and on the character and competence of those who compiled them. Of course, you'll have to keep in mind that absolutely nothing we say on the subject carries any weight whatsoever, since, far from being experts on computer security, our real expertise is in the field of making vegetables out of Play-Doh. (Corn on the cob is our specialty. We can get it all bumpy and everything.) However, while we're not security experts, we've seen one on TV; surely that counts for something.

    Anyway, it's like this: faithful viewer C. J. Corbett tipped us off to a Techworld article last week with the ominous title of "Mac OS X security myth exposed" which leads off with this oh-so-fair-and-balanced sentence: "Windows is more secure than you think, and Mac OS X is worse than you ever imagined." See, security firm Secunia claims to have compiled some honest-to-goodness statistics proving once and for all that choosing Mac OS X over Windows is your surest path to having some scary 'net dude invade your system, swipe your financial data, and start leering at digital photos of your family members in an... unsavory manner.

    How is this possible? Well, numbers don't lie, and while Windows XP Professional clocked "46 advisories in 2003-2004, with 48 percent of vulnerabilities allowing remote attacks and 46 percent enabling system access," Mac OS X racked up 36 such advisories, with 61 percent remotely exploitable and 32 percent allowing the takeover of the system. See? Worse than you ever imagined. It's like a wedge of Swiss cheese with a shotgun blast through the middle or something. Meanwhile, Windows users will no doubt be thrilled to hear that their virus-ridden, spyware-loaded, worm-propagating systems are more secure than they think. Good for them.

    There are just a few problems with this argument, however. The first is the claim that Mac OS X isn't much better than Windows XP Professional because it had 36 security advisories compared to Windows's 46. Maybe we're fresh off the turnip truck or something, but 22% fewer advisories sounds quite a bit better to us. Also, if you actually look at the data to which Techworld refers, it's not 36 advisories for Mac OS X at all; it's 33. (Apparently Techworld decided to go back to 2002 to fetch its reported number.) Granted, the Windows number is also 45 instead of 46-- yeesh, Techworld; fact-check much?-- but even so, now we're talking about nearly 27% fewer security advisories for Mac OS X than for Windows XP Professional.

    Now take a look at the advisories themselves, and notice how no fewer than eleven of those 33 advisories (that's a third, for the mathematically inept) are titled "Mac OS X Security Update Fixes Multiple Vulnerabilities" or something similar. Yes, in its advisory count, Secunia is including those advisories it generated just to report that Apple had fixed something. Does anyone else find it a little odd that Secunia penalizes Apple for fixing problems, including ones that were fixed so quickly that Secunia had never found out about them in the first place? (While they may describe a flaw and immediately note the presence of a patch, none of the Windows advisories appears to exist simply to announce that Redmond had fixed a bunch of holes.)

    Notice also that Secunia yaps on about how, for Mac OS X, "of the 36 advisories issued in 2003-2004, 61 percent could be exploited across the Internet and 32 percent enabled attackers to take over the system"-- but never mentions how many could be exploited across the Internet to enable attackers to take over the system. Personally, we aren't much concerned about exploits that require local access to a Mac, because if any
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday July 05, 2004 @01:19PM (#9614144)
    In the Forrester report referenced in that article, they only STARTED counting from the time Microsoft PUBLICLY admitted to a problem.

    Which, in many cases, was when Microsoft had a patch ready.

    But www.eeye.com had reported security holes to Microsoft for MONTHS before a patch was made available.

    In other words, if Microsoft NEVER admitted PUBLICLY to a security hole, that security hole would NEVER be counted in the Forrester report.

    http://www.eeye.com/html/research/upcoming/index.html

    For the current listing.

    With Open Source software, the vulnerability is usually discussed on the mailing list.

    So, if a hole is discovered in Linux, and discussed on the mailing list and a patch is released 48 hours later.....

    And then Red Hat releases a .rpm 24 hours later...

    Forrester would count that as a 3 day delay.

    You take the medium threat from www.eeye.com that is 49 days overdue (actually informed 109 days ago) and Microsoft releases a patch the same day Microsoft admits to the hole....

    Forrester would count that a 1 day or less delay.
  • Re:Junk Science (Score:5, Insightful)

    by Hatta ( 162192 ) on Monday July 05, 2004 @01:24PM (#9614191) Journal
    Spin it however you want, you're just as wrong as anyone in MSFT's marketing dept.

    Not spinning it. Just saying that there's no data here. My statement "For all we know Apple could just be a lot better about airing its dirty laundry than microsoft." was merely to demonstrate how these results could be used to prove anything, and therefore have no value.

    The biggest security hole on any machine is the person administrating it. No OS is immune to a moron.

    I agree completely.
  • by borjam ( 227564 ) on Monday July 05, 2004 @01:35PM (#9614278)
    I wonder what would be the Secunia diagnosis in this case:

    Patient A's clinical history:

    Headache
    Influenza
    A small scar on his face
    A broken arm

    Patient B:

    Stomach cancer

    Which of the two patients is in a worse state? According to Secunia, patient A would be really bad, he has three lines in his medical record!!!!

    Amazing, indeed
  • by cryptoluddite ( 658517 ) on Monday July 05, 2004 @01:37PM (#9614298)
    I haven't seen it mentioned yet but it should be pointed out that virtually everything in Unix or Mac OS X "could be exploited across the internet". A temporary file bug in gzip [gentoo.org] could be exploited across the internet. A bug in automake [gentoo.org] could be exploited across the internet.

    How many of these "over the network" holes can be done by somebody without an account? If the number of those in both OS X and Linux combined, covering the range of software that comes with Windows, is more than two or three then that would be a newsworthy story. What this story is really saying is that even though you can't do squat remotely in Windows there's still a huge number of remote exploits.
  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Monday July 05, 2004 @01:37PM (#9614300)
    Comment removed based on user account deletion
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Monday July 05, 2004 @01:40PM (#9614321)
    Somehow, the rest of your post does not support, and seems to contradict, your initial statement.

    A "respectable security source" that knowingly mis-counts vulnerabilities and then publishes an inflammatory "report" based upon such?

    That sounds like the opposite of "respectable" to me.
  • by Trevin ( 570491 ) on Monday July 05, 2004 @01:43PM (#9614339) Homepage

    There are two major things wrong with this article, which have been touched on by other posters. One is that the number of vulnerabilities is different than the number of advisories, because advisories [secunia.com] can cover multiple vulnerabilities [secunia.com].

    The second is that (as other posters have covered) Linux distributors post advisories and bug fixes for all software bundled with their distribution, not just the kernel and core libraries. Looking at the list of MS Windows XP [secunia.com] advisories, all I see are the core components, with the glaring omission of Internet Explorer [secunia.com] (which these days is in fact a core component of the operating system).

  • The Real Measure (Score:2, Insightful)

    by eggnet ( 75425 ) on Monday July 05, 2004 @01:53PM (#9614418)
    How many of OSX's exploits were still exploitable when behind a firewall?

    The problem with Windows is exploits in IE and Outlook/Outlook Express.
  • Re:LM Hash Info (Score:1, Insightful)

    by Anonymous Coward on Monday July 05, 2004 @01:57PM (#9614447)
    "FYI thebroken has some basic TechTV-style coverage of LM hashes:"

    The last broken tip was to download L0phtCrack. Almost all the tips are merely pointers to external programs that are widely known and freely available. Furthermore, none of the hosts on the broken create any of the programs and they simply regurgitate widely available information.

    Their tips are similar to the following:
    Broken : Need to crack a password
    Viewer is thinking : Ok
    Broken : Download this to do it for you.

    They give no insight or explanation of the fundamental reasons how it works or why it works. I don't see this creating anything but more script kiddies.
  • by maximilln ( 654768 ) on Monday July 05, 2004 @01:58PM (#9614458) Homepage Journal
    It is commonly accepted now to use "who" in place of "whom".

    By whom is this atrocity commonly accepted? Who in their right minds could have authorized such a thing? I have a compulsion to severely bludgeon those who committed such a heinous atrocity.

    It's actually useful knowing the difference because, initially, I was going to write "...to severely bludgeon whomever I find out committed..." In thinking about the function of "whomever", though, I found that it was really the subject of "committed" and not an object of the prepositional phrase "to...bludgeon", and the "I find out" was grammatically incorrect and extraneous.
  • by rdean400 ( 322321 ) on Monday July 05, 2004 @02:01PM (#9614478)
    As with other flawed "surveys," this one doesn't seem to account for features that are disabled by default, or that can't be exploited if the vulnerable package isn't installed.
  • Re:Missing Stats? (Score:5, Insightful)

    by argent ( 18001 ) <peter@slashdot . ... t a r o nga.com> on Monday July 05, 2004 @02:03PM (#9614487) Homepage Journal
    It doesn't really make sense to bother counting system access attacks separately on Windows, because unless you lock the system down to the point where it's basically a kiosk there's no way to prevent the user getting system level access. The only statistic you need to worry about is remote user access, everything else is a given.

    For example, if you want to allow the user to release and renew their DHCP lease (which is an essential troubleshooting step for any problems involving IP address problems in a dynamic address environment) you have to give the user the right to load device drivers. Which can be boosted to system level access.

    Since access is associated only with the user... there's no setuid mechanism that allows a program to be run by the user but with elevated privileges... any code run by the user has that right, and thus any remote or local exploit really has to be treated as a root exploit.

    On any UNIX based system, the same operation can be controlled by the setuid mechanism, which isn't perfect but *does* allow more separation of privilege than exists in Windows. And Mac OS X makes extensive use of it... every time you enter your password to allow access to a system function you're using setuid.

    So those stats are really:

    XP: 22 remote access attacks, 43 system access attacks.
    OSX: 22 remote access attacks, 12 system access attacks.

    Also, OS X ships with all remote access turned off by default, including remote file system and shell. You have to explicitly enable it. XP ships open to the world, you have to close it, and there are things you *can't* close without setting up a firewall.

    So the statistics look more like this:

    XP: 22 remote access attacks, some open by default, all leading to system access.
    OSX: 22 remote access attacks, none open by default, no remote system access attacks open by default.

    Here's the statistic that I'm concerned about:

    There has been one significant browser-based hole on OS X. In the same time there have been multiple exploited holes in IE, including almost the same hole that was found in Safari, and after almost 10 years of similar browser-based holes being found on a regular basis with Microsoft making no attempt whatsoever to fix the underlying design flaw that makes them inevitable.

    Hopefully Apple will respond better than Microsoft.
  • by paranode ( 671698 ) on Monday July 05, 2004 @02:11PM (#9614536)
    The point is that PRACTICALLY, Microsoft is the most insecure operating system because you cannot hook a default install up to the internet without getting 20 worms by the time you patch it up.

    In THEORY, you are correct that it is all about exploits and there are possibly exploitable holes just as much in Linux or Mac. Difference? In the real world, they are exploited much less on the latter two. Also, critical issues are fixed MUCH faster in the latter two leading to a less vulnerable system.

    MOREOVER, these assclowns count a vulnerability in every piece of free software as a Linux vulnerability and only count core vulnerabilities in Microsoft. Similarly for Mac probably. So yes, exploits are what matters, but in the REAL WORLD there are more exploits for Windows and more boxes constantly being exploited, so your point is moot.
  • by phillymacmike ( 445518 ) on Monday July 05, 2004 @02:23PM (#9614616)
    Time to slashdot my favorite soap opera. This article, a week old already, is a hatchet job.

    See Lies, Damned Lies, and Statistics [appleturns.com]

    The conclusion:(quote)

    Faithful viewer jfletch pointed out another Techworld article from almost two months ago that also quoted Secunia and claimed that Mac OS X's security problem at the time "makes Microsoft's current Sasser problems look no more than a nasty nip." (Of course, two months later Sasser still turns up in articles on Google News posted just hours ago, but who's counting?) Now, far be it from us to claim that there's some sort of Techworld-Secunia conspiracy intended to undermine Apple's attempt to gain an entry into the enterprise market, because we would never-- oh, who are we kidding? There's some sort of Techworld-Secunia conspiracy intended to undermine Apple's attempt to gain an entry into the enterprise market. We've been jawing about this incessantly for about four days straight, now, so determining motive is left as an exercise for the viewer. Follow the money!

  • Re:Missing Stats? (Score:3, Insightful)

    by Anonymous Coward on Monday July 05, 2004 @02:30PM (#9614657)
    Now some will say "not fair" because IE is a separate application.

    Didn't Microsoft swear under oath that it was not a separate application, but was instead an integral part of the OS?
  • by Anonymous Coward on Monday July 05, 2004 @02:41PM (#9614730)
    "In the real world, they are exploited much less on the latter two."

    In the real world you would also realize that if everyone started using Mac, as you seem to preach, and it has lots of exploits, then viruses would soon ensue, as it would make it worth it for coders to target Macs. Security through obscurity is not a good tactic; even someone lacking any knowledge of the subject, such as yourself, should be aware of that.

    "Also, critical issues are fixed MUCH faster in the latter two leading to a less vulnerable system."

    Wrong. Where are you getting your information from? Let me guess: Apple.com. Apple is by far the slowest in patching vulnerabilities. There are still plenty of Mac OS X exploits that are in the wild and highly known (including those known by Apple) and Apple has not even addressed them yet. Apple is known by most to be incredibly slow at fixes for the operating system. Before you call people asshats you may want to learn something about computer security, as the parent poster is correct and you are a clueless troll.
  • by minion ( 162631 ) on Monday July 05, 2004 @02:53PM (#9614822)
    Until telnetd is totally removed (not just turned off) from Linux, Linux will not be secure. There are just too many exploits involving telnet to take Linux seriously.

    Bad example. There's a telnet service in Windows too.

    When was the last time telnet was exploitable? telnet is sniffable. Big deal, so is imap, pop3, smtp, http, you name it. Sniffing should not count against an OS - it's a problem with the protocol, which is inherent to all internet based OSes. Heck, let's just say anything that uses TCP/IP is too insecure for internet access.

    Here's an example:

    RHSA-2004:174-09
    Fix: utempter local exploit.

    Ok. A local exploit. Granted, an exploit, but still, it's a local exploit. This is what these so called "security" groups need to realize - webservers on the DMZ typically don't have local access for joebob to login to. Typically, they have ports 80, 443, and maybe 22 open. So now, all of those 60+ exploits attributed to Red Hat become 0 (that's Zero, with a 0). True, Red Hat had more published advisories than Windows did in the same time period, but Windows didn't ship with nearly the amount of software Red Hat did, and no "sysadmin" is going to put a box on the DMZ, running every service on the box, with no firewall. It just doesn't happen.

    So all of these so called security groups can shove it, because that's not real world security. Why don't they do a study on how many linux/unix sys admins patch their boxes diligently vs how many windows admins bothered to patch their boxes with patches available months before code red and other internet problems plagued the internet?

    PS: On Windows, it'd be port 3389 (remote desktop), not port 22... And BOTH services (ssh and rdp) have had remote exploits available, so you can't retort with the "ssh is insecure" BS.
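    Taking the DMZ argument in the post above, and the earlier point that a host with no services listening exposes no remote holes at all, literally: this is an added example, not code from any poster, that filters a constructed advisory list by what a given host actually exposes. Only RHSA-2004:174-09 (the utempter local fix) is named in the thread; every PLACEHOLDER-* id, the package-to-port pairing and the three hosts are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    ident: str
    package: str
    vector: str                  # "remote" (over the network) or "local" (needs a login)
    port: Optional[int] = None   # TCP port the affected service listens on, if any


@dataclass(frozen=True)
class Host:
    name: str
    reachable_ports: frozenset[int]   # ports the firewall and the stack actually expose
    untrusted_local_users: bool       # can someone you do not trust log in?


# Constructed records: only RHSA-2004:174-09 (the utempter local fix) is
# named in the thread; every PLACEHOLDER-* id is made up for this example.
ADVISORIES = (
    Advisory("RHSA-2004:174-09", "utempter", "local"),
    Advisory("PLACEHOLDER-0001", "httpd", "remote", 80),
    Advisory("PLACEHOLDER-0002", "openssh-server", "remote", 22),
    Advisory("PLACEHOLDER-0003", "telnet-server", "remote", 23),
    Advisory("PLACEHOLDER-0004", "gzip", "local"),
    Advisory("PLACEHOLDER-0005", "cups", "remote", 631),
)

# Constructed hosts. The DMZ box mirrors the "80, 443 and maybe 22" web server;
# the shell box lets untrusted users log in; the last one has nothing listening.
DMZ_WEB = Host("dmz-web", frozenset({80, 443, 22}), untrusted_local_users=False)
SHELL_BOX = Host("shared-shell", frozenset({22}), untrusted_local_users=True)
NO_SERVICES = Host("stock-desktop", frozenset(), untrusted_local_users=False)


def applies(adv: Advisory, host: Host) -> bool:
    """True when the advisory describes a path an attacker actually has on host."""
    if adv.vector == "remote":
        # A remote hole only matters if the vulnerable service is reachable.
        return adv.port is not None and adv.port in host.reachable_ports
    if adv.vector == "local":
        # A local hole only matters where someone untrusted already has a shell.
        # (It also matters as a second stage after a remote compromise; this
        # deliberately simple model does not chain advisories together.)
        return host.untrusted_local_users
    raise ValueError(f"unknown vector {adv.vector!r} in {adv.ident}")


def exposure(advisories, host: Host) -> list[str]:
    """Advisory ids that still apply once the host's real exposure is considered."""
    return [a.ident for a in advisories if applies(a, host)]


def summary(advisories, host: Host) -> dict[str, int]:
    """Headline advisory count versus the count that matters for this host."""
    return {"published": len(advisories), "reachable": len(exposure(advisories, host))}


if __name__ == "__main__":
    for host in (DMZ_WEB, SHELL_BOX, NO_SERVICES):
        print(host.name, summary(ADVISORIES, host), exposure(ADVISORIES, host))
```

    The same six advisories shrink to two on the DMZ web server and to none on the host with nothing listening, which is the whole of the "raw counts are not exposure" argument in one table.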
  • by gnu-generation-one ( 717590 ) on Monday July 05, 2004 @03:18PM (#9615016) Homepage
    "Welcome to Bizzaro World where MS wants you to use Firefox"

    Or perhaps, where they want a target for their MSIE developers to aim at?
  • Re:Missing Stats? (Score:3, Insightful)

    by jasonbw ( 326067 ) on Monday July 05, 2004 @04:30PM (#9615639)
    I also found it odd that they counted every iteration of Windows (and IE 5, 5.5 and 6) separately, yet there's one single entry for OSX.
  • by 0racle ( 667029 ) on Monday July 05, 2004 @04:45PM (#9615754)
    ...no "sysadmin" is going to put a box on the DMZ, running every service on the box, with no firewall...

    I think you'll find it happens more often than you think. Administrating a *nix box doesn't make you a better admin any more than being a Windows admin means you know nothing. Unix has already had its trial by fire; the Internet worm knocked out something like 2/3 of what the internet was at the time. As bad as SQL Slammer, Blaster and the like were, they haven't come close to what that one was able to do; they're a nuisance, not a plague.

    I wish they hadn't taken it down, but the Honeyd project took a 'poll' of spam, and found something like 40% of what was hitting the honeypot was from Linux hosts. Security is in the configuration, and the configuration is done by the admin. There are good Windows admins and bad ones, there are good *nix admins and there are ones that don't know their ass from their elbows.
  • by valmont ( 3573 ) on Monday July 05, 2004 @09:45PM (#9617523) Homepage Journal

    All this rambling about OS X's lack of security is moot. Here is the only factor that matters:

    A DEFAULT INSTALLATION OF THE CONSUMER-LEVEL VERSION OF MAC OS X (that ships with every mac) HAS ABSOLUTELY ZERO, ZILCH, NADA, NOTHING, NOT ONE NETWORK SERVICE ENABLED BY DEFAULT.

    There's no way you can remotely own a default installation of Mac OS X.

    Take a deep breath and re-run that sentence to yourself in your head.

    Plug a default installation of XP (that ships with every PC) on any open network, you're owned within seconds. It's that simple.

    Statistics are pointless when not scoped around what they really mean and their impact. So here's me doing everyone's job:

    As a consumer-level operating system, Mac OS X, since day 1, and up until today, has always been, and remains FAR MORE SECURE than Windows. Because the consumer-level version of Mac OS X, also known as "Mac OS X Client", does not unnecessarily enable by default any services, because the vast majority of users don't need 'em, and the few who do can turn them on easily. Windows could have done that at least since 2001 and the heyday of CodeRed and Nimda, yet never bothered to take this very very VERY simple measure. This is your first, most basic, most simple, strongest line of security: if you don't need it, don't even turn it on. Be humble about the software you run, and understand that it may in fact be vulnerable, at the very least, to buffer overflows. APPLE HAS GROKKED THAT FROM DAY ONE, MICROSOFT NEVER DID, though I'm hoping SP2 will turn all that useless crap off. Saying that Apple has been lagging in releasing security updates is simply untrue. They've addressed all real ones very fast.

    Now, as a server-level operating system, as far as security goes, it's all in the hands of a systems administrator. All services that run natively to the operating system are, in theory, at the very least, vulnerable to buffer overflows. And this goes regardless of which operating system you use. But frankly, if I was to admin a server, I'd still go with OS X, because I'd know that pretty much all network services it runs come from the open-source community; if Apple is too slow to release a patch, I'll have known way ahead of time by keeping on top of advisories and reading workarounds and solutions from the open-source community. If I'm running windoz 2003, I'm at the mercy of Microsoft.

  • by Anonymous Coward on Monday July 05, 2004 @10:02PM (#9617595)
    Moderators: Please note that "twitter" is a known fanatical sycophant whose obnoxious offtopic rants are legend here on Slashdot. It doesn't matter what the topic is, he'll find a way to scrape in some pointless Microsoft bashing. While nobody expects us to love Microsoft in any way, his particularly tepid style of calling anyone he replies to "troll" or "liar" or "fanboy" because he happens to disagree with whatever they're saying is well documented and should not be rewarded. If anything, twitter is the type of person that should not be part of the open source/free software community. He is an anathema to all that is good about free software.

    I'm posting this so that you (the moderator) have some context to consider twitter [hyperdictionary.com] and not mod him up whenever he posts his filler preformatted rants about installing Knoppix or Mepis or whatever that unfortunately get him karma every single time and allow him to continue posting his trademark toxic crap (read on) day in and day out. You may consider this a troll - I consider it community service. And I ain't kidding.

    If you're a /. subscriber, I invite you to look through some of his posting history [slashdot.org]. I guarantee that you'll be hard pressed to find someone that is more "out there" than twitter. You'll also probably notice he's got quite an AC following. Don't just read his posts, make sure you go through the replies.

    To get an idea of what I'm talking about, check this [slashdot.org] post out. This is an article about email disclaimers. The parent of the post is complaining about the ads in the linked page and so on, and twitter actually goes off on a rant to blame it on Microsoft and recommend Lynx, because "is teh free".

    Here's another. In this post [slashdot.org] twitter not only calls the OP a troll but attempts to "tell it like it is" while making some vague argument about "GNU". Yes, if you're confused, you're not alone. The reply (modded +4) proceeds to simply destroy his bogus argument. You will notice he did not reply. This is what some people call "drive-by advocacy". A sort of I'll just leave you with my thoughts here and move on to the next flamebait kind of deal. In fact, he almost never replies because he knows that his fanatical arguments simply do not hold up to any sort of discussion. It's not that he's chosen the wrong cause - he's just going at it in a completely wrong way.

    Here's that drive-by advocacy and FUD in motion: twitter goes on [slashdot.org] about some topic and then drops the usual "oh and M$ is teh evil" because "WMP phones home" or some such. Called on his FUD, he then claims [slashdot.org] that WMP stores every song and movie you've ever played in a file, somewhere. Pressed further, he just sort of slithers out of sight, his FUD-spreading complete. This is not about some Microsoft technology that nobody likes anyway; it's about lying for the sake of lying. Way too many of his posts are exactly like this one.

    More? Just read through this [slashdot.org] post and the subsequent replies. I guess this stands on its own. Or these [slashdot.org] two [slashdot.org]. Or this one [slashdot.org]. Or this one [slashdot.org].

    Still not convinced? This [slashdot.org] is what twitter considers "humour" while going about his daily "M$" routine.

    M
