Study Recommends Mac OS X as Safest OS 370
rocketjam writes "The British security firm mi2g has concluded a comprehensive 12-month study to identify the safest 24/7 computing environment. In the end, the open source BSD and Mac OS X came out on top with the fewest security breaches against permanently connected machines worldwide in homes, small businesses, large enterprises and governments. The study found Linux to be the most breached environment 'in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded'. Windows was the most breached environment in government computing and led Linux, BSD and Mac OS X by far in economic damage caused by breaches." We mentioned their previous study too. As before, the study ignores the thousands of automatically-spreading viruses for Windows.
Before people go nuts... (Score:5, Informative)
The study also reveals that Linux has become the most breached 24/7 online computing environment in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded, with 154,846 successfully compromised Linux 24/7 online computers of all flavours.
This is likely because of the great number of Linux servers, and the wide variety of network services and ports open to the world on such servers.
And it does, in fact, make distinct reference to Windows malware (self-propagating worms, viruses, etc.):
Malware proliferation
The recent global malware epidemics have primarily targeted the Windows computing environment and have not caused any significant economic damage to environments running Open Source including Linux, BSD and Mac OS X. When taking the economic damage from malware into account over the last twelve months, including the impact of MyDoom, NetSky, SoBig, Klez and Sasser, Windows has become the most breached computing environment in the world accounting for most of the productivity losses associated with malware - virus, worm and trojan - proliferation. This is directly the result of very insignificant quantities of highly damaging mass-spreading malware being written for other computing environments like Linux, BSD and Mac OS X.
Also interesting:
For the record, neither mi2g Ltd nor the mi2g Intelligence Unit have a business relationship with Apple Computers and we do not own any shares in that corporation. Previously, the mi2g data for one month was considered to be too small a sample and not representative of the global environment within which different types of entities - micro, small, medium and large - exist. We have addressed those concerns in the new study. The critics were against the previous study which also came out in favour of Apple and BSD, because the entrenched supporters of Linux and Windows felt that mi2g was guilty of 'computing blasphemy'. In subsequent months, mi2g's reputation was damaged on search engines and bulletin boards. We would urge caution when reading negative commentary against mi2g, which may have been clandestinely funded, aided or abetted by a vendor or a special interest group.
There are a wide variety of reasons to expect that Mac OS X is a significantly more secure computing platform than Windows in a non-server/desktop setting; this study only further confirms that.
Re:Why isn't BSD in the title? (Score:2, Informative)
Re:Why isn't BSD in the title? (Score:5, Informative)
Re:Previous Slashdot article contradicts this one? (Score:3, Informative)
(disclaimer blah blah I own a mac blah blah)
Re:Sure, but... (Score:5, Informative)
I think mac users are a very bimodal group. There are lots of pros, comfortable with various OS's. However, there are tons of totally clueless folks.
I cleaned up a lot of macs in the pre-OSX days when a handful of annoyances like macro-viruses were common.
Re:Isn't it the least used? (Score:2, Informative)
Yes, one of the first things taught in many network security classes is that security through obscurity is not reliable. The implication here is that Mac OS X is more secure because of the security measures in the OS, not because no one has bothered to look for or exploit flaws.
You have been trolled by Mi2G (Score:5, Informative)
Mi2G are about as expert in computer security as your local nursery school, they are basically a fraud outfit that decieve companies by using FUD in order to transfer cash from company accounts to the chairmans pocket, and slashdot linked them up
and you wonder why no one subscribes and blocks slashdots adverts
in the security scene they are worthless [attrition.org]
Register article [theregister.co.uk]
Re:Isn't it the least used? (Score:3, Informative)
It's "Mac", not "MAC". (Score:2, Informative)
Please don't use the term "MAC". That's an acronym for Money Access Center.
"Mac" is the correct term and is short for "Macintosh".
Re:Isn't it the least used? (Score:3, Informative)
Re:Annoying.... (Score:2, Informative)
OK, MAC=Mandatory Access Control, Message Authentication Code, or Media Access Control
Mac=abbreviation for Macintosh
Being less popular is a property that may make a system safer. But, less popular systems are not necessarily going to be safer. If windows 95 only has 1% of the market in 20 years, is it going to be safer that Mac OSX? Mac OSX has several security features that make it less exploitable than any current windows offering. It still has a long ways to go, and MS could make windows more secure than it in the future. Personally I'd like to see a system with easily configurable application specific priviledges. Your point about the statistics in this study not being well explained, or even given as raw data is well taken. Without the numbers, their study lacks credibility.
P.S. I'm not sure what you are talking about with the exploit, your description is a little fuzzy. I'm not sure changing your font size is a 'hack' or if that is what you are trying to say.
Re:Before people go nuts... (Score:3, Informative)
According to Netcraft [netcraft.com] Apache has the biggest web presence. Admittedly Apache is not Linux, and there are many Windows boxes out there with Apache, but it does give a good idea of the spread of platforms out there.
Mac OS X default security settings (Score:5, Informative)
Re:Manual breaches... (Score:5, Informative)
I have many, many sshd/firewall logs that disagree with that. See here [seclists.org] for some details of what people do if they can get in.
Crackers look specifically for Linux because your chances of finding an amateur administrator are far greater with Linux than BSD, Solaris, etc. I'd say it's also true of OS X, except Apple does a pretty good job of forcing updates down users throats which helps keep them fairly secure. There's tons of RedHat boxes out there that haven't been updated since RH EOLed the product line. And there's some pretty juicy tidbits to be found on them. I contacted a company that had been compromised in the afore mentioned group of attacks. Their box had their customers' credit card numbers on it, and with the keylogger installed in the rootkit, they were facing having other boxes that had been exposed.
crackers might not know what operating system the site is running until they attempt to infiltrate it.
Only the dumbest of script kiddies doesn't know what OS they are getting attacking.
Re:The manual Linux breeches are significant thoug (Score:1, Informative)
-Guarddog is less user friendly than Zonealarm, so I don't use it.
-I used to use "apt-get upgrade" to patch security holes. Unfortunately this also turns on any updated daemon that was off, making my system both slower and less secure.
-Intrusion detection system? Don't even think about. Very user unfriendly. Not practical.
-Turn off unnecessary daemons? Is there a program I can apt get that will make let me do this quickly? preferably something that would explain what each daemon is and why I would need it without jargon?
-A user friendly cryptographic instant messenger that will handling all this "key" bullshit for me automagically?
So, who's fault is it that my system is insecure?
I care about security, thats one of the reasons I switched to GNU/linux but my patients has limits.
I Recommend Mac OS X as One of the Best OSes. (Score:5, Informative)
I did not think of using a Mac until my last year in college when my FreeBSD box crapped out numerous time during my final software engineering project. I spent all my graduation money on a Mac and I still think that it was a good move because I get the power of Unix and Open Source with a nice interface and a system that does not crash and accepts almost anything I choose to stick in the USB port.
My primary reasons for using a Mac are:
I still can use all my office applications without problems. Office for Mac is not bad at all!
As a Unix dude who runs several boxes at home, I find it almost impossible to use windows because I am am glued to Terminal from time to time. I tried Cygwin and I do use it at work; however, I do not like it as much due to the lack of complete intergration into my box.
Mac has been secure for me. Although I consider myself to be a power user, I do have a girlfriend who likes to download all sorts of crap and click on everything that flashes. I haven't had problems with viruses so far.
Mac OS 10.3 has never crashed on me. I do not remember a single time when something went wrong to the point where I had to do cold boot.
Darwinports rule. Open Source programs just the way I like them :)
Mac is based on Unix and that is a key because I like maintaining all my systems in the same way. For example, I can run the same backup scripts with almost the same variables across all my boxes.
Plug-n-Play, as opposed to Plug-n-Pray on Windows. So far, I had no problems with digital cameras, USB keys, scanners, printers, etc. Plug it in and it works.
Human-Computer Interaction and Mac GUI. I cannot stress this enough: details are important! Natural things, like dragging an image from Safari browser or to iChat's icon, make our lives easier. Smooth fonts appeal greater. Software applications, just like people, will be taken more seriously if they are well polished. Thankfully, Apple spent an enormous amount of time and money on HCI research and then turned the results into something productive. I like OS X because it feels more natural than any Windows edition I've used so far.
This is a small one, but CD burning works with OS X without any problems right out of the box. No additional software installations needed. This list was enough to convince me :)
Re:The manual Linux breeches are significant thoug (Score:2, Informative)
Regards,
Steve
Re:same problem as last year (Score:3, Informative)
As for how breaches should be counted: I think that the more information available, the better. Show the amount of sites breached and the number of physical computers. A system that hosts multiple sites is a bigger problem if breached because it represents more damage. Some kind of weight system that gives extra points based on how big the computer is would be good. Make the data available (in a spreadsheet or something) so you can change the weight and do your own analysis if you want.
Re:This "study" is pointless (Score:2, Informative)
what sane person would do that
I would, and I think I am, technically, sane. Picture this, your mother knows nothing about computers, has disposable income, and would like to look at web pages and exchange e-mail with all her friends. Maybe she is in a wheelchair and lives in a snowy climate. What do you do? You buy her an imac plug it into a DSL line or a cable modem, set it to auto-login and put big buttons on the desktop for her mail and web browser.
Maybe you have been running windows too long, some OS's don't need extra hardware or additional software to be secure. Her machine has been running faithfully for about five years now with no hacks and no viruses, thanks for asking. This study included machines across a range of uses, including home users.
Lies, Damned Lies & Statistics (Score:4, Informative)
If OS X/BSD systems comprised only
And...were the attacks against unique machines? Or once machine A was found to be vulnerable, were there 200 different breaches against that machine? One badly configured system could really blow it for the rest.
Finally...which of the "attacks" were against the OS and which were against the applications? MySQl and Apache run on all their listed OSes. If it was a misconfiguration of those, which OS is really not relavant.
They might have the data, but they do not expose enough of it for me to have any confidence in their conclusions.
Pure marketing hype.
Numbers show: Windows not more secure than Linux (Score:5, Informative)
So, Netcraft has 37,620,349 Apache servers on-file, compared to 11,679,222 IIS servers. Mi2G has reported 235,907 successful breaches. First of all, to give you an idea of the sample size, that's 0.5% of all servers recorded by Netcraft! But let's give them that, since this is a sample of breaches occuring in a relatively short time period.
Now here comes the real news. 59,419 of computers recorded as breached are Windows, whereas 154,846 of computers recorded as breached are Linux (mi2g's numbers). Let's take those as percentages of all Linux [*nix] servers, and of all Windows servers. Looks like 0.4% of Linux servers have been breached, whereas 0.5% of Windows servers have been breached. So Windows is a little less secure, by my metric.
Now, this is a little unfair, because my assumption above (that Apache servers run Linux) is wrong. Many Apache servers that Netcraft picks up run BSD and could even run Mac OS X Server, I guess. Even taking this into account, the breach rate would be about the same for the two OSes (probably a little bit better for Linux).
What this doesn't take into account in terms of the Windows/UNIX debate are the hidden costs of an IIS server in terms of administration, virii, stability, reboot requirements, etc. the list goes on and on. It also doesn't take into account SOME hidden costs of Linux/BSD servers, but those are minor compared to the Windows annoyances (trust me, I know: I administer a Windows server, unfortunately).
That said, I do think BSD probably is more secure, and I use Netcraft's "longest uptime [netcraft.com]" as one of my metrics. To me, it seems the longer a site is on the Internet, the more statistical chance it has to get attacked. That ALL of the top uptime sites on Netcraft's list run BSD shows me that BSD is a pretty rock-solid OS for servers, that you can leave them out there in the wild for years without worry.
The real bottom line is that software that runs on UNIX-like OSes tends to be more secure, and this usually has not too much to do with the OS. For your box to have real security, the system administrator has to be smart (or the distro has to come with Smart Defaults, like I believe Debian does in the Linux world). The only real way to prevent security breaches is to be a smart administrator: to think ahead and secure your boxen before it's too late.
All this study shows me is that no OS is a "magic bullet," that breaches occur on unprotected machines regardless of your OS. No one blames car manufacturers/designers for stolen in-dash CD players if you stupidly forget to lock your doors.
VMS! (Score:2, Informative)
No, OpenVMS is not dead. Yes, people still use it in environments where security and uptime are critical.
Re:Before people go nuts... (Score:3, Informative)
There are more types of servers than just web servers/servers presenting web pages.
E.g. mail servers, irc servers, telnet/ssh servers, ldap servers, servers used for firewalls, ftp servers, DNS servers, various application servers, etc., etc., etc.
When talking about security, don't get hung up only on web servers. Granted, they are among the most exposed, but they are not the only ones open to network traffic.
Netcraft's methodology is flawed... (Score:2, Informative)
http://www.port80software.com/about/press/012103
Microsoft IIS, widely criticized for security and scalability issues, faced a perception of declining market share during the past few years. This belief has been furthered by the Netcraft Survey, which reviews every detectable domain name (not web server)on the Internet to generate its Web server statistics. "Hosting vendors using Apache to serve numerous small sites bump up Netcraft's numbers in Apache's favor," said Chris Neppes, Director of Sales and Marketing for Port80 Software. "Netcraft's survey reflects a relatively high ratio of domains to Apache servers. If you look at dedicated hosting or corporate environments however, Apache's market share is likely much smaller. Port80 Software's survey of Fortune 1000 corporate Web server market share shows: Microsoft IIS: 54.1% Netscape Enterprise: 21.0% Apache: 17.6% Other Web servers: 7.3% By the way, Netcraft has a survey that pretty much agrees with this, but you have to pay for it...
Re:Not only safe but fun! (Score:1, Informative)
Re:Netcraft's methodology is flawed... (Score:3, Informative)
It also says IIS is used on 54.1% of corporate and dedicated hosting environments. In a corporate environment chances are you will need enhanced functionality out of your web services. These corporate users are probably using
Anyhow, nothing is flawed about Netcraft's survey. They presented the facts that their research showed them. Everyone just perceives those facts the way they want too. Port 80 Software presents the data that best suits them. Their products run on IIS only. Why present facts that could hamper sales for your product?