Study Recommends Mac OS X as Safest OS

rocketjam writes "The British security firm mi2g has concluded a comprehensive 12-month study to identify the safest 24/7 computing environment. In the end, the open source BSD and Mac OS X came out on top with the fewest security breaches against permanently connected machines worldwide in homes, small businesses, large enterprises and governments. The study found Linux to be the most breached environment 'in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded'. Windows was the most breached environment in government computing and led Linux, BSD and Mac OS X by far in economic damage caused by breaches." We mentioned their previous study too. As before, the study ignores the thousands of automatically-spreading viruses for Windows.

Isn't it the least used?

[mesach]

That would lead me to the assumption that if its the least used then people wont bother writing virii and bother trying to hack it.

Am I wrong to think this?

Previous Slashdot article contradicts this one?

[gotgenes]

So where does this [slashdot.org] article fit in?

Re:Isn't it the least used?

[somethinghollow]

I think it is partially true. A major web server, for instance, would be under scrutiny. Those would be, most of the time, Linux and Windows. On the desktop front, BSDs/MacOSx don't have alot of public mindshare, so all the exploits being researched are for Windows, since it is pretty ubiquitous on the desktop. But, I think it depends on if the survey is for potentiality-to-be-exploited or history-of-not-getting-exploited. If it is the latter, your observation is true. It's security through obscurity. If the author meant the former, then your observation is wrong. But if it is through obscurity, it seems Palm or Symbian OS, ones that qualify as constant computing operating systems (as most non-geek people I know spend more time on their cell phone than on a computer), would rank pretty high. Just my observations.

Re:less users = less exploits

[bhtooefr]

Hah... hah hah...

You don't know the lineage of Apple II OSes, do you?

ProDOS is the Apple II port of SOS (essentially - a disk can actually have an SOS.SYSTEM and a PRODOS.SYSTEM, along with A2 AND A3 versions of programs). GS/OS is the 65816 port of ProDOS, with a GUI added.

Breaches Recorded

[kevjava]

As a Mac user and Linux guy, I have to say that this kind of study is a little tilted... how many Mac users and Windows users really know how to record a breach into their machine? Neither ships with process accounting on out of the box, to my knowledge.

I recently had some puke engage in comment spamming my website. Traceback revealed he was using a Windows XP machine infected with the Subseven trojan. I'd be willing to bet that breach was not recorded.

"safest", not "most secure"

[mblase]

of all manual hacker attacks that are successful, most of them happen on Linux, and Mac OS has the least of them. This does not mean that Mac OS is more secure.

They didn't say it was "most secure", they said it was "safest". That adjective takes security-through-obscurity into account.

It's kind of analogous to buying a home in a rural town vs. a downtown metropolitan area -- your neighbors leave their house unlocked all day, but since there's only about zero-point-two reported burglaries in a ten-mile radius every year, who really cares?

Both ways

[ceswiedler]

You can't really compare automatic spreading of worms with manual hacking attempts. However, you can compare percentage of manual attacks with percentage of worms written. For example, if we say that "67% of attacks are on Linux servers because most servers are Linux servers", it's valid to say that "95% of worms are written for Windows because 95% of desktops run Windows".

I'm not arguing that a hacking attempt is as bad as a worm. The article does state that the economic impact of worms is much greater. However, worms are written because of known vulnerabilities in systems, which is the same reason for manual security intrusions.

Sources?

[truthsearch]

I can't find the source of the reported breaches. How did they determine which breaches to investigate? Were they only breaches reported to them? I can state for a fact that many companies do not report breach attempts to anyone. So this investigation probably isn't of a very accurate sample pool.

Security by obscurity?

[the_mighty_$]

I am glad you pointed out that this is about manual exploits, NOT about which OS has the best security. If we were talking strictly about vulnerbility the story would be quite different. Quite simply, Mac OS would lose (IMHO): http://www.computerweekly.com/articles/article.asp ?liArticleID=131513&liArticleTypeID=1&liCategoryID =2&liChannelID=22&liFlavourID=1&sSearch=&nPage =1

Not only safe but fun!

[ericdano]

Seriously. The Mac OS is much more "fun" to use. I have a Windows XP and a Mac OS X machine next to each other. I find myself using the Mac one more. Not cause it's faster, it's not (933 machine compared to a 2.5 machine), but the experience is more enjoyable.

Not that this matters. But it's also good to know its safe. But how many people actually direct connect to the internet? Doesn't it make sense to have some sort of cheap firewall/router box to protect you?

Re:Before people go nuts...

[Stephen Samuel]

Wait! Everytime Microsoft makes this argument in defense of Windows shoddy security, Slashdot laughs them down. Suddenly the argument is valid for Linux?

The response to the 'popularity' point for Linux vs Windows is that the popularity of Windows does not come close to explaining the statistical difference... Counterexamples include considering that Linux is a fer more popular internet server than Windows is, but still gets fewer total exploits in that field.

For Linux Vs Mac, It's harder to say that the difference is or isn't due to the market share, and the authors are simply acknowledging that. Perhaps, in time, someone will do a study to attempt to distinguish that difference (and we can then bash and/or praise that to our hearts' content)

Re:Logical fallacy

[Anonymous Coward]

IIS has an estimated marketshare of about 50%, not 20%.

IIS v6 has had no security vulnerabilities since it's release over 1.5 years ago that affect the default installation (there has been one exploit found and patched in WebDAV, an optional component). IIS v6 was completely rewritten from the ground up to be secure; and it seems that undertaking paid off.

Apache has had dozens in that time.

For older versions, they're pretty close.

The argument you could have made would regard the exploitation of systems running IIS "accidentally" or in non-server situations. It is systems like these that were most exploited by Code Red, as they were not patched or properly firewalled.

My conclusion, too

[upsidedown_duck]

My own anecdotal experience would be roughly the same (sans OS X experience). I have known someone whose Linux box was rooted, but it, too, was a manual attack. Windows goes without saying. OpenBSD goes without saying, too (oppositely, of course).

Linux is a very good general purpose OS, but it's development is volatile enough that it requires a conservative approach with respect to security. I would use an older more mature kernel along with manually paring down the rc directories and inetd.conf, among other things. OpenBSD, on the other hand, is stripped out of the box, and the user must add services. I generally feel that Solaris ranks more with Linux, in that a manual hardening effort really is necessary. Never would I put Windows on the Internet--it would be like swimming in the ocean with steaks tied to my legs.

Vague

[The Cisco Kid]

"the Open Source platform of BSD"

The commercial "BSD" is not open source.

If they mean an 'open source' BSD, which one are they recommending? NetBSD, OpenBSD, FreeBSD?

Re:Before people go nuts...

[geoffspear]

I don't argue that Linux is more secure than BSD; I just think that arguing it's less secure based on this study is ridiculous. I'm an OS X user and I'm heavily in favor of BSD-style licenses (I've only ever contributed to projects with BSD licenses, in fact), but it's impossible to take a "victory" away from anyone here. There's no victory because the report is meaningless.

The sad thing is that they apparently went through a lot of effort to collect data, but at least as they've presented it the data makes it impossible for anyone to draw any conclusions. The whole thing was wasted effort unless they've got some more data they didn't bother putting into the study, that can show successful attacks as they relate to attempted attacks against each platform, or at least related to how many of each platform are actually installed and meet their criteria.