Study Recommends Mac OS X as Safest OS
rocketjam writes "The British security firm mi2g has concluded a comprehensive 12-month study to identify the safest 24/7 computing environment. In the end, the open source BSD and Mac OS X came out on top with the fewest security breaches against permanently connected machines worldwide in homes, small businesses, large enterprises and governments. The study found Linux to be the most breached environment 'in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded'. Windows was the most breached environment in government computing and led Linux, BSD and Mac OS X by far in economic damage caused by breaches." We mentioned their previous study too. As before, the study ignores the thousands of automatically-spreading viruses for Windows.
Why isn't BSD in the title? (Score:5, Insightful)
Which BSD? (Score:3, Insightful)
Manual breaches... (Score:5, Insightful)
That's a software issue. Most people manually breaching systems are nmapping, finding services that are vulnerable, and exploiting them.
Furthermore, unlike worms, crackers might not know what operating system the site is running until they attempt to infiltrate it. It's not like people go looking for Linux boxes randomly.
I think that the argument that Linux is installed on more target machines than the other operating systems is acceptable here, even though it is somewhat fallacious when it is used to defend Windows security against automated attacks like viruses and worms.
What about Market Share?? (Score:3, Insightful)
Oh Dear God (Score:5, Insightful)
Show us a report studying attempts/successful attempts ratio, and it might actually mean something.
Just buy a mac :-) (Score:0, Insightful)
Microsoft Office.
Internet Explorer.
Open Source.
The fastest PC.
The first 64 bit PC.
DRM Ipod attachment.
And now, the most secure computer!
'Nuff said.
Just buy a Mac
Fun with percentages (Score:5, Insightful)
Unless I've misread the article (which is possible), the numbers they provide don't seem to take into account the *prevalence* of each environment.
Re:Isn't it the least used? (Score:5, Insightful)
First, the study shows linux subject to the most manual attacks. That doesn't jive with your logic.
Also, see the oft repeated marketshare of webservers. Apache is by far the most used, but subject to far less attacks than IIS.
Logical fallacy (Score:5, Insightful)
If that were true, then apache would have the most exploits of any web server, since it has the greatest market share. However, that is not the case: Microsoft IIS is by far the most exploited web server, with only around 20% marketshare.
Additionally, lesser marketshare does not automatically imply anything with regard to security. Sure, it's *targeted* less, and people might spend less time attacking it, but that does not mean it is less secure. In fact, there are numerous technical, design, and architectural reasons that, e.g., Mac OS X is more secure than Windows. A few examples would be: no ports or services open by default, services that are used are likely to be open source services like apache and OpenSSH which receive intense scrutiny so that theoretical holes are closed before they become practical ones, there are more layers of abstraction between an email attachment and it actually becoming a meaningful exploit, prompting and notification for administrative-level or elevated privileges, less likelihood of standardization on a single email client reducing the exposure of a single point of attack, etc.
And sure, marketshare helps too, in terms of things like the statistical likelihood of the next host encountered/scanned by a piece of Mac OS X malware also being Mac OS X. But that's nowhere near the whole story.
Re:Isn't it the least used? (Score:2, Insightful)
I don't think it's possible to really say that Unx (or Linux or OS/X) would be just as vulnerable as Windows if they had more users and were therefore bigger targets.
numbers without data to back it up (Score:1, Insightful)
but I for one would like to see some details on their methodology...
Which kind of service were exposed?
Which exploits were used, etc...
Leaving telnet enabled with default passwords is just as dumb as not filtering ports 445/135/etc.
But as usual with mi2g, big headlines, without anything to back them up!
The manual Linux breaches are significant though.. (Score:5, Insightful)
So, now I'm using SuSE - mainly because it has built in security functions and is easier to configure. I kinda wish I could just go with something like Slackware and set all of it up myself, but I have limited tinkering time these days.
I suspect that a growing population of non-expert Linux users could be a potential security vulnerability.
Re:Before people go nuts... (Score:5, Insightful)
The problem with this study isn't that it can be seen to say that Windows is more secure than Linux (which it doesn't say, specifically denies it's saying it, but which Linux users will think it's saying and flame away).
The problem is that they claim to be trying to find the "most secure" OS, and then look at the % of total attacks against each type of system instead of the average per installation of each type. If I set up 5 insecure "A" machines and 100 more secure "B" machines, and find that there were 5 attacks against the A machines and 20 against the B machines, I can conclude that the B machines are least secure because they account for 80% of attacks, or that A machines are least secure because they're attacked 100% of the time vs. 20% of the time. The raw numbers are completely meaningless in the context they're presented in, and the "news alert" itself shows they're either intentionally misleading people or they're incompetent and need to hire a statistician with a big clue stick.
By the way, I do think the BSDs are probably "more secure", as they claim, but their methodology makes me ashamed to share their opinions.
Re:Isn't it the least used? (Score:5, Insightful)
Regardless, you can certainly look at the users for the source of these numbers. I think it's harder for a Windows XP desktop user to "get hacked" than a Linux user. Why? Because Linux operating systems, with all their power and flexibility, can be compromised because it's easy to make a mistake. I'm sure you know users that run as root and do all kinds of ridiculous things. Does that mean Linux is insecure? No.
Likewise, I'd point at Windows desktop users and ask - "do you know if you've ever been hacked?" Everyone wants to say no, but most people have no idea how to tell. Or what counts as a hack. So how will you measure the number of attacks? If you ask a Linux user, I think you're immediately more likely to get an educated response because the users are generally more attuned to their computers and how they work.
It's hard to take a report like this very seriously because it has to overcome some fundamental issues.
Re:Before people go nuts... (Score:4, Insightful)
Indeed. I wonder about the relevance of absolute figures in such a study. I mean, I can top all these amateurs with my own home-made kernel Skimpy, 0 breaches recorded (fact that I am the sole user intentionally omitted)
Re:Fun with percentages (Score:5, Insightful)
Personally, I'd like hacks to be reported in relation to hours in operation per year -- so if you've got two Linux servers up and one gets hacked once, you get 1:17532. It's probably reasonable, given that we can assume most servers are just going to be up all the time, to simplify this to hacks per operational systems out there.
(I still think it's somewhat bogus to dismiss out of hand the "more virii are created on Windows because it's more popular" approach while using exactly the same approach to explain why people hack Linux systems. If Windows remained the easiest system in the world to compromise but only had a
Re:Why isn't BSD in the title? (Score:3, Insightful)
Re:Sure, but... (Score:4, Insightful)
I think it has to do with the fact that there is much malware written for OS X, and that the OS Security model is better to begin. There is no root account and there are no ports open by default.
Re:Logical fallacy (Score:3, Insightful)
You're absolutely correct. The joke was exactly that: presuming a 1:n relationship between #ofUsers and #ofExploits. This more truly would be a measure of how appetizing the platform is to black-hats. There are naturally far more variables in that equation, most especially how well the platform has been designed, but we who feel "all bugs are shallow given enough eyes" should be conscious "all platforms have exploits, given enough eyes".
Think of the prestige! (Score:5, Insightful)
I'm sure a Mac virus for OS X has at the very least been attempted. Why hasn't it succeeded at spreading all around?
OS X really is more secure
Meaningless (Score:5, Insightful)
Anyway, just in the last few days I can think of at least one exploit requiring users of real player (on ANY platform) to "update their software" lest they be rooted by a malicious video stream. Previous hacks mentioned in the article were related to both Real and Quicktime being vulnerable to malicious skins.
Since I don't use either of these pieces of crapware I guess I'm 100% safer than everyone else and I don't have to worry about being rooted - because, after all, it's just bad software that makes you vulnerable, not being a warez whore and installing every piece of shit toy on your system that catches your eye.
Re:Before people go nuts... (Score:4, Insightful)
Re:Logical fallacy (Score:2, Insightful)
I don't see activism as the primary goal of the majority of windows exploits. Most seem to be greed or mischief. Am I wrong?
same problem as last year (Score:3, Insightful)
First problem: what is a breach? If someone takes down a hosting company's Linux server that is hosting 5000 domains, and someone else takes down a Windows box with one domain and an OS X box with one domain, is that counted as 5000 Linux breaches, 1 Windows breach, and 1 OS X breach, or is it 1 breach of each OS?
Second problem: total number of breaches is a pointless number to look at by itself. For example, if you had 100 Windows servers and 1000 Linux servers, and you had 50 of the Windows servers breached and 100 of the Linux servers breached, that would be a 50% breach rate for Windows and a 10% breach rate for Linux. But the way Mi2G reports it they would say 33% of the breaches were on Windows and 67% on Linux, so Windows is twice as secure.
Re:Before people go nuts... (Score:5, Insightful)
Wait! Every time Microsoft makes this argument in defense of Windows' shoddy security, Slashdot laughs them down. Suddenly the argument is valid for Linux?
Re:I doubt this (Score:1, Insightful)
Re:Before people go nuts... (Score:3, Insightful)
According to Netcraft Apache has the biggest web presence.
If you read the words carefully, they can be saying the same thing. This is a case where you have to read with your skeptometer turned to High. Look carefully at the exact words, and ask yourself what exactly they mean.
Microsoft has long claimed that IIS is the most successful commercial web server. Note that word "commercial". Apache isn't for sale; it's free from apache.org. So it's not a "commercial" web server, and it is regularly ignored in comparisons of "commercial web servers".
The above comments are compatible in the same sense. MS can claim the majority of "market share" in the "server market", because apache isn't for sale, so it isn't part of that market. Netscape isn't counting sales; it's counting online servers. These numbers need not be closely related, especially when a major server isn't for sale.
This is straightforward marketing technique. To avoid falling for it, you need to understand how marketers use terminology to make you think they're saying something very different from what they're actually saying.
In brief, MS's IIS server is the most sold web server; apache is the most used web server.
A funny example I saw recently: A box was sold with Windows XP Pro, including the IIS server (which was never used). Its disk was wiped, then linux with apache were installed. Microsoft counts this machine as Windows running IIS; Netcraft counts it as linux running apache. In "market" statistics, Microsoft is correct; in "running" statistics, Netcraft is correct.
mi2g themselves run Redhat! (Score:2, Insightful)
Linux Apache/2.0.46 (Red Hat) 19-Oct-2004 217.154.246.214 Mistral Internet
Re:Which BSD? (Score:4, Insightful)
They were also talking about desktop users in small businesses and homes with a fast, always on Internet connection. Out of the box, Macs come with most network software turned off, which makes them less vulnerable. Still, a well social engineered trojan can infect any system, if the user can be tricked into running the malware and giving or having the needed admin privileges to allow installation. No Mac is vulnerable to any of the self installing malware programs that will destroy or zombiefy a Windows box, sometimes in minutes after being connected to the Internet. I don't think it is possible to write a self-infecting malware for a Mac that doesn't require user interaction.
Re:Before people go nuts... (Score:5, Insightful)
I'd feel the same about someone who said that evolution was a better theory than creationism, and went on to "prove" it with fake fossils they made in their basement. Being right for the wrong reasons is just as bad as being wrong.
hence the keyword "manual" (Score:3, Insightful)
And as before, michael just can't help adding his two cents to a story submission, rather than posting a comment in response to it like everyone else, subjecting his opinions to the moderation processes.
If only Slashdot admins could be elected rather than appointed...
Re:Meaningless (Score:4, Insightful)
Re:Before people go nuts... (Score:2, Insightful)
Except, every 'Linux' distro has its own userland and
The Freenix BSD OSes have base systems and core userlands that are tracked and version controlled under single organizations.
Which makes a heck of a lot more difference than a casual Linux user would recognize.
Re:But according to this ... (Score:2, Insightful)