Slashdot Mirror


Lower Your Insurance Premiums: Use Linux

Several readers who declined identification have pointed out that this "article over at Interactive Week discusses J.S. Wurzler Underwriting Managers, one of the first companies to offer cracker insurance, charging clients 5 to 15 percent more if they use Microsoft Windows NT in their Internet operations. As insurance companies live and die by their statistics, this is a pretty significant move. The article also has interesting information about tech turn-over in Windows vs. open source shops." However, note that Wurzler is not the only company offering anti-cracking insurance, and the Big Names haven't yet followed this lead, even though they're apparently watching intently. Maybe "treating employees nicely" is at least as important a factor to consider.

13 of 161 comments

  1. Am I the only person worried... by Anonymous Coward · · Score: 4

    ...by the fact that this report about an insurance company charging a premium for use of NT gets turned into a headline that says that if you use Linux, you will pay less?

  2. Insurances are about statistics by Karpe · · Score: 5

    Of course there is much more to security than the operating system. But insurances are always based on statistics. They cannot really represent reality for every single case, but for the average case. That's why you pay more car insurance if you are a male, young driver, than an old woman even if you drive one day in a week and never pass the speed limit. What this article shows, probably, is that they gathered statistics and Linux servers had fewer security problems than NT. I think the credit is not only to the operating system, as you even say, the personnel is also very important. But probably they are linked to the operating system as a statistic, that is, people who run Linux servers tend to be more security conscious sysadmins.

  3. MS creates the illusion of simplicity by astrashe · · Score: 5

    I don't know if the insurance price difference is justified or not.

    But I think that part of the problem isn't with NT/W2K per se, but with the culture that surrounds MS sys admining. MS tries to make things simple -- and they often seem simple. It's easy to throw stuff up without thinking about it first. And one of the selling points that MS uses in comparisons with Unix/Linux is that W2K is easier.

    On a certain level, that means that you get a sysadmin that went to Windows because Unix was too hard. That's a harsh overgeneralization, but I think there's some truth to it.

    The problem is that security is hard on any platform. The issues are pretty similar. But if you keep telling people that all you have to do is click on an icon to set things up, it's not surprising that people click on the icon, take the defaults, and don't think about locking things down.

  4. Idiotic by ergo98 · · Score: 5

    What a ridiculous concept. The security of an infrastructure is far more the people and dedication to keeping on top of issues more than it's the operating system. The recent Solaris/IIS worm took advantage of a year old hole to compromise IIS 5 servers, just as the portmapper/BIND/RPC/POP2/etc. Linux exploits take advantage of ancient (in computer time) and long since fixed holes. Of course it takes a grossly incompetent sysadmin to fall prey to any of these, but unfortunately there are many of those out there.

    If there is such a thing as "cracking insurance" (I mean by real insurance firms that aren't just trying to get headlines by making a ridiculous policy) it would be based upon the manpower skills, policies, and possibly the use of outside agents to test the security. The idea that Linux=Secure and NT=Insecure is absurd and simplistic.

  5. Re:This is just plain silly. by Peter+H.S. · · Score: 4

    It seems to me that Wurzler has fallen victim to some of the FUD that has been spread by Linux advocates. [snip, a lot of linux bashing]

    The problem is, that all statistical surveys (for what they are worth) I've seen, all say that MS-based Internet servers, percentage-wise, are cracked more than their market share would indicate. Much to my surprise, MS-Windows 2000 servers are disproportionately more cracked than even MS-WinNT 4.0.
    Why it is so, I really don't know; is it because:
    Sys-admins are insecure about applying hot-fixes (will the server come up again after the reboot?)
    Script-kiddies feel more at home on Win-servers?
    Win+IIS are generally insecure products?
    Windows servers are generally run by less competent/lazy people?
    Companies running MS-solutions are too cheap to have a decent security policy?
    A penguin ate the Hot-fix?
    The insurance companies don't care why. They are just greedy bastards, who hate to pay out.

    Look, if you want to use Linux or *BSD or some other non-mainstream OS
    Take a look at www.netcraft.com : Linux is a mainstream Internet OS. Apache (OSS software) is by far the most dominating web-server around.

    The way that America works is that people get together and work hard to put out a product, and then they sell it to people.
    That's exactly what this insurance company is doing; selling a product. Just be glad that it isn't a monopoly, so you can take your business elsewhere.

    Go ahead and flame me
    Ok. Flame, flame, flame.

    [scorch-mode on]
    You, sir - you are a MS zealot!!
    [scorch-mode off]

  6. Didn't know they offered insurance... by Darth+Turbogeek · · Score: 5

    Did not know insurance companies offered policies protecting against a hack attack.

    Do they also offer insurance against a slashdotting?

    --
    "Old Rallydrivers never die - they just fail to book in on time"
  7. oh the irony.. by MSisNOT4Sale · · Score: 5

    and the story right below this one

    Developers: SourceForge Server Compromised


    --

    When death looks you in the eye, smile. Someone needs to cheer him up.
  8. I wonder if NT's ease of use could be a culprit by Billly+Gates · · Score: 4

    I am an MCSE (ok, here come the flames) because I used to have a job supporting NT users and servers. I also know some Linux and FreeBSD.

    The problem is I really don't know how to secure an NT server. My MCSE classes taught me nothing, other than how to set up a domain controller. I was told that NT was enterprise ready right out of the box unlike Unix so it was already secure. I knew this was total bs. The thing is that there are a million resources out there on how to secure Unix/Linux and all the configuration settings are stored in text files where you can edit them manually, but in NT it's hidden in the registry. How many here actually know what the majority of the registry settings actually do? I found 1 or 2 books dealing with NT security at Borders so the situation is getting better as people discover what some of the settings are.

    It would be nice to have future MCSE or corporate training courses to have security methods in the curriculum. Or even discuss several registry settings so we know a little more on how to customize NT. I believe NT may be secure if it's done right. I believe the only time Microsoft's website was ever down was due to a Linux (not NT) bug in their outsourced DNS servers. Microsoft uses a separate company which uses Linux for their DNS. I don't buy the security through obscurity argument. Microsoft loves hiding things to make their products look easier and markets them to the average joe consumer. This may be good for home users but not business users.

    I remember a Microsoft seminar where Bill Gates talked about non techie users installing NT to get work done and how great Windows is because you don't need an admin to set up a server??

    Perhaps that's the problem.

    I can imagine the paper clip from MS Word popping up whenever someone uses regedit in the WindowsXP.NET.

    Basically the summary of problems are, lack of documentation, qualified admins, and the reboot problem is why NT is having some problems. The stability argument is not that important considering businesses are using switches and clustering to make NT work. Got to love those clueless CIO's and phb's who insist on using NT over Unix. Well, if they want to pay 3x fold for an NT solution over a Unix one, I guess that's their problem. :-)

  9. Not idiotic by mgkimsal2 · · Score: 5

    Somewhat a response to ergo98's 'Idiotic' post, but somewhat separate... :)

    First off, I thought I read about similar action by a London-based insurance company a few months ago - darned if I can find the URL just now tho.

    Nowhere did the article say 'NT=insecure, Linux=secure'. This insurance company is doing what all insurance companies do, which is analyze their claims data and make assumptions, inferences, and policy changes based on this data. Of course inhouse skill, training levels, etc. all play into how secure a box or network is. However, according to this insurance company, their numbers are bearing out that it's more expensive to insure companies using Windows NT. Windows may be merely a symptom of a company that is lax about security in general - hiring inexperienced people, cutting security budgets, etc. But they have enough data to make a correlation between NT and higher insurance costs. (more claims? higher $ claims?)

    Auto companies insuring cars will rate a sports car as a higher risk, even though it shouldn't happen that way. It's COMPLETELY down to the driver - just because I drive a red convertible sports car doesn't mean that I *ever* speed, but statistically people driving red sports cars have higher accident rates, so they charge higher premiums for that car, because it's an indicator of risk. (Not sure on the specifics - I seem to remember red sports cars being higher, but could never afford one anyway, so it's a moot point for me!)

    Interestingly, I was doing some work with an auto insurance company a few years ago that was looking at using people's credit ratings as a premium indicator - apparently, a credit rating is as good, or sometimes better, indicator of an auto insurance policy risk. Dunno if it's being phased in anywhere around here (Michigan) but I seem to remember the initial interest was stemming from research in California.

    Back to the point - it's not idiotic at all that an insurance company would use something like software choices to base premiums on. Those choices, statistically, will point to other info about the company that is relevant as well. There will always be exceptions to the rule, but statistically, these will prove out - if they don't, insurance companies won't adopt these. If the numbers work out, they'll move in this direction. It's simple numbers.

  10. Simple Questions Agents Should Ask... by LauraLolly · · Score: 5

    1) How frequently do you have a paid security audit from an outside firm?
    2) What sites do you check for security patches and notices for your operating system, database, server software, and management software?
    3) What internal risk training does your firm undergo? How frequently do non-IT people have to be refreshed? Are there live exercises? What is awareness within and outside of IT of social engineering attacks?
    4) Can you please name the last five major published attacks that targeted a similar OS to yours? What have you done to secure against those attacks?
    5) What do you do to keep your IT people pleased to work for you? Who are the people who do your data backups? What background checks were done on these people? What are you doing to keep them happy in their jobs?
    6) What is the physical security of your servers? What prevents any person, even "authorized" from walking off with the actual server machines?

    Any company that can answer these questions will be much better prepared, and deserves AAA* rates.

  11. New price list by jsse · · Score: 5

    Dear Customers,

    In order to enhance our services and better serve you, we will adjust the insurance fee a little bit if your company is using the following:
    1) Windows 2000/NT +5%
    2) Windows 98/ME +10%
    3) IIS +15%
    4) Exchange +20%
    5) Outlook +25%
    6) MSN services +30%
    7) .NET +40%
    8) DNS server on Windows +60%
    9) Continue the Windows subscriptions - you must be an idiot, but also our premium customer +100%
    Best Rgds,

    Your savior

    P.S. all % accumulative, per license.

  12. Re:Perhaps they should base it on the admins by mech9t8 · · Score: 4

    In my experience, lots of Windows Admins tend to be non-geeks that took a course because getting into computers is a good way to make money. Knowledgeable Windows users tend to go into programming/consulting.

    OTOH, almost everyone who uses/admins *nix (and especially Open Source) is a computer geek who really likes and is generally interested in computers. So the level of sophistication, on average, for Linux admins would definitely be higher.

    In my mind, Windows is just a version or two away from being truly administrable by non-computer-geeks... they've got most of the usability down, they just need a few more setup wizards and (most important) security wizards and an MCSE will be able to run a secure shop. And then the people with the computer smarts can do more thought-provoking activities instead of setting up identical workstations, setting up accounts, and fixing printers...

    Linux is much further away from being accessible to people that just want to do their job and go home without thinking about it too much. And the non-thinkers are quite a large portion of the workforce. ;)

    --
    Convictions are more dangerous enemies of truth than lies.
    - Nietzsche
  13. Re:Discount for OpenBSD? by hyehye · · Score: 4

    Mechanics shouldn't be the only people to drive cars. Linux isn't more stable if they can't install it.

    That's a great way to put it. This may seem a little off-topic, but bear with me here. You shouldn't have to know the very guts of a machine to use it - that defeats the purpose of the machine, whose purpose is to make your life easier and give you more free time. But, of course, you should have enough respect for the benefit it provides, to learn how to change your oil and tires. Likewise, Linux and BSD have their obvious redeeming qualities, but none of that matters if the user can't get the system set up properly to see the performance in the first place. The need for systems that provide intelligent install and config systems, without dumbing down the experience in a few important ways, is great - but once again, the user must take enough responsibility to understand a few basic things about the technology that so greatly enhances his life. That which improves one's life must ultimately be appreciated.

    So what does all of this have to do with intrusion insurance and the lower opensource rates? Simple. The more complex a system is, the more prone to failure it becomes. Operating systems that try to do everything for the user will always fail - there are simply too many possibilities and branches it must be aware of in order to manage itself. We don't yet have AI, and static code is incapable of handling the infinite number of configurations and situations an operating system will encounter. With systems that bring you much closer to the metal, you tend to be dragged (or to run of your own volition) toward learning more about the system. This leads to greater competency - the insurance rates should be better. It would be the same if UPS's drivers had better training than FedEx's.

    --
    think for yourself, you won't like the results if others do it for you.