Slashdot Mirror
The World's Safest Operating System
fredrikr writes "UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising. The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked, while Linux servers were the most vulnerable. Linux machines suffered 13,654 successful attacks, or 80 percent of the survey total. Windows based servers enjoyed a sharp decline in successful breaches, with only 2,005 attacks."
This is not the best way to conduct research. When I was doing research at NIH we would say of this sort of thing, "After discarding all data to the contrary, the hypothesis was proven."
While this research may show that Linux servers are over-represented in overt acts of hacking, this does not statistically make the Linux OS the least secure. Attacking a particular system simply makes it popular for attack. In order to characterize Linux, or any other OS, as the least secure, there would need to be evidence that an equal amount of other OS's were unsuccessfully attacked or the success rate was lower. Other variables that would required controls would be the hacker, level of sophistication of attack, etc. etc.
To say that "...while Linux servers were the most vulnerable,,," only means that they may have been the most targeted. I am not saying that the conclusions of this research are incorrect, I am saying that from what I have read, they cannot come to those conclusions.
Keep Smiling!
Erick
http://www.busyweather.com/
For all the servers out there, I wonder how many people actually run up2date or apt from time to time. I imagine more people run windows run windows update than any linux equivalent.
Let's face it. Linux isn't for just the uber-geek anymore. So logically, more systems are going to be hacked into when people with no security sense are managing systems.
Don't blame the operating system. Blame everyone who thinks they're a competent sysadmin, but really aren't.
Not to mention that this article doesn't weigh in percentages. There are a *LOT* more linux servers out there than there are BSD, Windows and Mac OS X servers. When one factors in percentages, Linux really isn't *that* bad.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
To be news, they need to say what proportion of computers use each OS, and what apps were hacked. It even says third party software accounts for a lot of the Linux hacks.
Nothing to see here except some meaningless statistics. Yawn.
Somebody needs to take some basic statistics. The fact that Linux is most often the operating system involved in server compromises is not surprising since Linix is the is most often the operating system involved in servers in the first place. If you normalize out for server market share, you'll find things are more or less even.
When it comes to servers, selecting a bad choice of a password or forgetting to properly set file permissions is still the easiest way to get hacked, and that will always be operating system independent. And, that accounts for the majority of security weaknesses. Worms and viri are a client-side issue, servers don't often get hit with those.
So, good work OSX fans. You finally found a metric by which having the fewest number of servers in actual use makes you look good...
::puts on flame-proof suit::
Linux is made up of _many_ distributions, who hack together systems out of many disparate apps. Each is slightly different. This diversity means none can Q.A. their systems as well as a unified project like FreeBSD does. I've seen some unbelievable bugs in a very well-known Linux distro, there for no reason there than their resources are stretched too thin.
Linux is also a Unix. People who put up *BSD servers are Unix hacks. People who put up Linux servers are oftentimes ordinary people who are trying to cut costs from not going with Windows. Unix is powerful, if you don't know how to handle that power, you put your systems at real risk.
Looks like mi2g doesn't have the best reputation:
h is tory.html
t ml
m l"
"And yes, every time an mi2g story has come up, an ugly flamewar has started. The funny thing is, it's the security equivalent of an Adequacy troll.
Some links:
http://www.attrition.org/errata/charlatan/mi2g-
http://www.theregister.co.uk/content/55/28233.h
http://www.nwfusion.com/news/2002/1107msfoul.ht
How many linux servers are there in the wild, how many bsd ones, and how many windows ones. I'd be tempted to guess that the geeks favourite OS is by far the most popular server OS...
In other words, it's the same story as Windows on the desktop - there are more attacks because there are more servers. Since they don't give us percentages of installed vs breached, the data is essentially useless. Rule #1: Normalise your data before comparison....
Simon.
Physicists get Hadrons!
Linux is secure... out of the box. However without a skilled administrator, it's very easy to open up LOTS of holes. I think that linux is a great operating system for power users, but lets face it, the average desktop user or the new sys admin, doesn't belong on a powerful distro right now. Perhaps lindows, but not Red Hat Enterprise. One thing I found interesting was this:
"For the first time, the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004," the analyst said.
I'm in the army in Europe and we're not allowed to run BSD or OS X. Only non-windows I'm authorized is AIX or um... (I'm really sorry to admit this) SCO. So I'm sure alot of other government agencies (besides DoD), don't allow BSD and OSX.
they forgot a very important piece of information: the percentage of total servers accounted for by these systems.
armed with this statistic and the age old mathematical operation of *division* one could make these results meaningful.
in other news, a new study finds that red heads are much less likely to commit violent crimes. Data for left-handed people is also encouraging.
-ashot
Mi2g
Second link leads to this page which shows what a crock this (company/report) is.
The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide.
"When we ignore most of the break-ins that windows had, it had less than linux!"
followed by BSD and Mac OS X with 555 breaches
This completely ignores the proportion of these OS's that got hacked. If there are only 556 of them deployed, then this is a terrible break-in rate. Obviously there are more than 556, but there are fewer BSD servers than linux servers.
<high-level position here>
<name of stupid small company here>
The first red flag I noticed was that they want you to pay for the results.
Thats not how it works. There are also many other reasons not to believe them. Boy, it must be nice to be able to make a living just making up statistics.
Read Why is mi2g so unpopular?
Then read this complete debunking of the scam^Wfirm.
Slashdot is trolling us -- did I wake up in Soviet Russia??
-- @rjamestaylor on Ello
Absolute numbers are fine, but what about normalizing it for the total number of BSD, Linux, and Windows servers in use in this study? That's the more meaningful number. Then, what constitutes a successful attack?
Also, a useful study would look at how machines are maintained, password policies, etc.
Now before I come off sounding like a Linux apologist, it is quite possible there are some serious weaknesses that need to be addressed. If so, I hope they give us full info on the attacks so we can fix the problems. But these numbers as they stand don't tell us a darn thing.
If a dedicated admin configures Selinux and heavy duty firewalls, and puts Klingon password policies in place, I'd personally still be confident to match that system against anything out there. Default Redhat installs, on the other hand, are something else again. So again we need more info. It's all in how things are set up and maintained. The question actually being asked here - which OS is strongest, all other things being equal - is a really really tough one to answer. There are many other issues that must be addressed first.
So, as far as any useful information is concerned, this article doesn't appear to have any. What if the Linux machines simply had the best intrusion detection in place? (I'm not saying they did, but it's a fair question.) Need More Information!
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
mi2g analysed 17.074 successful digital attacks against servers and networks. It states: "With Linux accounting for 13,654 breaches, Windows for 2,005 breaches followed by BSD and Mac OS X with 555 breaches worldwide in January 2004."
They say how many attacks they analyzed, but they didn't mention the pool of hosts that these attacks were taken from.
Were there 1000000 linux hosts, 200 Windows hosts, and 6 Mac OS hosts? If so, that would radically change the conclusion that is implied.
Also, it's interesting to note that they did NOT count automated attacks by viruses, etc.
I'm sure there are interesting conclusions in their study of attacks, but given the lack of data, this study doesn't provide enough data to conclude that one OS is safer than other.
We should not be concentrating on which operating is more secure than another. This just promotes the myth that people can 'choose' the most secure operating system and then they are secure. No operating is secure, if you do not keep it up to date and patched.
Everytime I see an article like this, I wonder how many users and administrators will get the false impression that if they just switch to another platform they will have done their job.
Security is a process. It is not all about the technology, and it requires educating users and managers to be effective.
I don't know about the results but this 'security company' has been in the news before and as far as I know it was labeled as bunch of charlatans by real security experts at security focus. Read more about mig2 at: http://www.attrition.org/errata/charlatan/mi2g-his tory.html
A lot of software is shared between BSD and Linux installations. Stuff like sendmail (qmail, postfix, ...), apache, bind, etc... is exactly the same on both OSes. Most security breaches involve a buffer overrun in one of these server programs. So obviously, Linux and BSD systems should be equally vulnerable (or safe) w.r.t. remote exploits...
As many have pointed out in other threads, the ratio of competent/incompetent Linux admins is higher than the competent/incompetent BSD admins ratio. This is sad, but true. It is not because Linux is bad or hard to manage, it's simply because Linux is much more popular than BSD. Newbie admins will seldom start with BSD, so they make their mistakes on Linux boxes first. Some of them may grow up tried of all the different idiosyncraties of Linux distros, and try BSD. A few may even like it and stick to it. But the point here is that your average BSD admin is already experienced with Linux systems, whereas the bulk of Linux admins won't.
Linux or BSD are both great systems, but they can be really dangerous in the hands of the inexperienced.
DISCLAIMER: I'm a senior FreeBSD sysadmin since 2.0, but I'm also managing a farm of misc. Linux variants since kernel 0.99 in high risk secure environments. I like both systems very much, so I tend to dislike stupid over-generalizations a la BSD is more secure than Linux (even if it is true, for the reasons explained above).
cpghost at Cordula's Web.
I'm guessing the hypocrite in you would have reared it's ugly head.
And this is a good example of discarding all the data, coming to any conclusion you wish, and then putting the onus on others to debunk your unsupported premise, which, as it happens, has no logical bearing on the argument you are attacking.
A very popular methodolgy, but not a valid one.
For purposes of bias I will point out my posting history will show that I use Windows 98, Mac System 7, Mac OS8 and various flavors of Linux at the moment, but have a very strong preference for Linux for explicitly stated reasons, some of which relate directly to the deleted data in this study, some of which do not. You'll find that my position is at least unbiased enough that I have been accused of being both an MS lackey and a Linux zealot, although I don't recall that I've ever been accused of being a Mac head. I have never so much as sat at a BSD terminal or an OSX box, although I would have no particular objection to doing so, it would be fun, and I am inclined to believe that BSD is more secure than the majority of Linux distros at the moment.
If you wish to debunk this you will have to do your own homework in finding evidence to the contrary.
Ad hominem strawman arguments will be promptly and cheerfully ignored.
KFG
As seen in the netcraft FAQ : Since the last server of the top 50 have an uptime of 1073 days, there's no way a Linux box could be in the list.
Great, yet another brain-damaged research that considers Linux an OS, and talks as if all Linux distributions were identical in terms of out-of-the-box security and ease of applying security updates. Hell, if we ever asked those morons what Linux distro they used to compute their Linux results, I bet they would say "uh... Linux 9.0 ?"
You are as safe as you make your server/system to be. If you don't patch you will get hacked and will not be safe. Same goes with windows, linux, Anything. Unless you have you're own OS that doesn't have patches :P. Can't stress how stupid it is NOT to put up a firewall blocking ports you really dont need open. Anything out of the box and kept that evil "default" setting Is bound to get h4x0r'd (hehe)
Uh...I haven't read all this other guy's posts. But they don't change the fact that his point here is incontrovertibly correct. Throwing out the most popular method for breaching security is a completely unacceptable way to conduct research that hopes to conclude relative security. That's pretty damn basic.
I mean, do you seriously disagree? You think this study actually shows that Linux is less secure than Windows? Even after you realize that they are ignoring SQL-slammer, Blaster, MyDoom, Nimda, Code Red...............and on and on?This is one of the most bone-headed studies I think I've ever seen. Anybody duped by this has absolutely no concept of either computer security or basic logic.
Given a choice between free speech and free beer, most people will take the beer.
Don't forget, they're also only counting Overt attacks, I.E. Verified ones... ones that leave a trace. It could very well be that all of those windows or OSX boxes were at some point Owned, but that the attack was so successful as to not leave a trace. It also requires "modification to any of its publicly visible components whilst executing...data attacks... [or] command and control attacks."
They also don't list their methodology, which I find disturbing. Out of 17k successful, caught, non-automatic hacks, x were against these systems. However, they don't say where those 17k come from, and don't put it in the perspective of the percentage of those systems in use. If you go to their homepage, they list something called a SIPS (Security Intelligence Products and Systems) System. This data comes from "Personal Relationships at CEO, CFO, CIO, CISO level within the banking, insurance, and reinsurance industry... monitoring hacker bulletin boards... and anonymous communication channels." That's a pretty unscientific pool to be pulling data from. Essentially, you're talking about hacks that were either reported by friends in high places, friends in low places, or bragged about by hackers on publicly accessible bbses.
So if you want to take the survey methodology seriously, then the survey proves beyond a shadow of a doubt that Linux has more non-automated attacks involving changing publicly accessible interfaces that were caught and reported by friends to mi2g.
The ______ Agenda
1. They failed to mention that these are >REPORTED breaches. Most organizations do not report breaches.
2. They did not normalize against the sample population for each OS, but simply reported raw numbers. Statistical crap.
3. No categorization of breach types. (root, user, etc.)
4. From what sources were their data derived?
In short, this "report" is bullshit and tells nothing of interest.
"Computers are useless. They can only give you answers."
-- Pablo Picasso
> Windows users are less likely to run a webserver,
> simply because they're not as eager to play with
> their system as Linux users. Therefore there
> will be less insecure Windows servers. The same
> goes for Mac-OS users.
The study was talking about servers. So your comment about Windows users being less likely to run a webserver makes no sense whatsoever. In terms of the study, they are every bit as likely to be running a webserver.
Linux users have to face the facts when addressing this matter and not bury their heads in the sand. There are any number of Linux users who don't even know what inetd and tcpwrappers are let alone bugtraq and cert or how to upgrade their systems and keep them secure or how to write PHP scripts with bounds checking.
Until that changes Linux boxes are going to continue to be broken into wholesale.
The reaction to this story on here reminds me of when Apache and IIS were put head to head in some study and there was wholesale denial that IIS could outperform Apache. The Apache team recognised there was a problem though and set about improving their software. This is what Linux users have to do now.
Whilst the study may be flawed and the company that did it may have an agenda, 13000+ Linux break-ins in a year should be serious cause for concern.
Folks, please face the facts even if they are unpleasant and improve the software and more importantly improve the education of the user base.
The Machine stops.
It is time to stop the religuous falme wars about "my OS is more secure than your OS".
We all know Windows has bugs, becuase people revel in revealing Microsoft's weaknesses. Hackers love to attack Windows because it is ubiquitous and so it is also the most attacked.
What this report points out, with all its flaws, is the the Linux system has problems too. Linux supporters have turned a blind eye to this and have loudly trumpted Linux as secure, while Windows is not. This simply wasn't true, but made Linux supporters feel goos about themselves. And even if it is a bit better, that isn't the point.
There will be bugs in Linux and Windows and other OS'es as long as new development continues. Further, as long as humans adminster the boxes, admins will do silly things and create vulnerabilities.
Just one bit that I'd say this is not quite on the mark in this closing statement: Windows makes it easy to patch a machine for the consumer, one box at a time; they make it easy for corporate customers with tools that can push updates onto boxes (although the required reboots are an issue unto themselves). Please correct me if I'm wrong, but I'd venture a guess that the issue is that you don't have these tools because they cost money that isn't easy to justify for the number of Windows servers you have.
The major problem as I see is is exactly what another poster stated -- that vulnerabilities may exist for months before a patch becomes available from Microsoft, and we may not be informed of them in a timely manner. The sheer number of ways that a Windows machine may be vulnerable for variable periods of time seems to me to be orders of magnitude greater than any Open Source package or the Linux kernel itself.
The ease of patching vs. the costs of doing so is a very valid reason (among many, obviously) for choosing one operating system over another. But to me it's far more important to know when a vulnerability exists and when a patch will be available. Windows loses in this regard, hands down.
Disclaimer: IANASBIPTBOOS
- Leo
You don't use science to show that you're right, you use science to become right.
The usage patterns and target market/audience for these operating systems are very different.
There are huge variations in security between
- a Linux box set up by a novice student
- a Solaris system participating in a cluster serving a major consumer website
- a Mac OS X Server machine running stock network services for a graphic design firm
I'd like to hear more about how they accounted for these differences before I make up my mind.org.slashdot.post.SignatureNotFoundException: ewg
..not that this means you don't have to patch your box. But all major distros these days make that really painless. Or at least a lot less painful than Windows.
/usr/share/rhn/RPM-GPG-KEY
/usr/share/rhn/RPM-GPG-KEY
/usr/share/rhn/RPM-GPG-KEY
I disagree with that from personal experience. On Windows - Control Panel, automatic updates - enable. That's it.
Fedora from GUI:
Run up2date
Be told you are not registered. Click ok.
Choose what updates you want. Select all, start the process.
Process freezes either before it starts, during, or near the end, OR you are told a package has been tampered with (when really it's just corrupt). Solution: patch one package at a time (which is a $@ing PAIN in the arse). I have Fedora boxen unpatched simply because the patch system is fsck'd.
Fedora from command line:
[root@dredd root]# up2date
Your GPG keyring does not contain the Red Hat, Inc. public key. Without it, you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.
Your Update Agent options specify that you want to use GPG.
To install the key, run the following as root:
rpm --import
[root@dredd root]# rpm --import
[root@dredd root]#
[root@dredd root]# up2date
Your GPG keyring does not contain the Red Hat, Inc. public key. Without it, you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.
Your Update Agent options specify that you want to use GPG.
To install the key, run the following as root:
rpm --import
[root@dredd root]#
Yeah - MUCH easier than Windows. Not.
I like how the very first post discounts the point of this article right off by saying, sure, maybe linux got attacked successfully a lot, but what about all the other attacks that would've succeeded on Windows?
Come on, people. The fact is, the linux boxes got attacked successfully. That's a Bad Thing, regardless of what happened to Windows. It's an embarrassing thing for us linux people. Here's the real rub...
I've read studies over several years saying that linux boxes are nearly as secure as FreeBSD installations if the administrator sets up the environment properly . The results of the slashdotted study here is the result of the RTFM culture...hard to operate and administer, very little respect for the user in the design of the OS as a whole. I mean "respect" in the sense of "let's make this trivially easy to use because it's possible and respect the user's time" rather than "let's respect the user's intellect by reasoning they'll figure out how to work this thing no matter how ridiculously complicated we make it."
This study ought to convince all the people out there that don't worry about linux being too hard to use...it's affecting everyone, not just newbies. Not just dummies. Even admins can't set up a secure box. We have to keep working on usability folks. Fact is linux is more potentially secure than Windows--but not in practice because no one can figure out how to lock it down.
sev
but have you considered the following argument: shut up.
The reason OSX (workstations) are so secure is all services are turned off by default. Definitely a good security strategy. And it's hard to turn the stuff on (no prominent shiny, candy-like buttons to enable them)
But even if those potentially dangerous services are enabled (DNS, sendmail), they're less likely to be cracked because most cracks use buffer overruns that are intel specific code injections.
Intel has been around for 20 years, which means 20 years of people learning assembly, and mature, asswiping documentation on every detail of the processor. And also, long evolved cracking documents/tools.
Where as OSX has only been around a few years. And at the time it came out, many tools (DNS, sendmail) had already become security aware. Viruses had already been running rampant, so Apple was able to start at a point where security issues could be worked into the design. Also, when OSX came out, few people cared about assembly anymore. In the 80's it was necessary, but now, it is less so.
At this particular point in time, if an OSX box and linux box are each running the same buggy version of DNS (the one that had the buffer overrun loophole), surely only the linux box will get rooted, because the rootkits are mostly intel specific. The initial rooting of a machine usually involves an assembly level attack with a buffer overrun.
So it's not even an open source issue; DNS is open source. It's the same code on both platforms. But because Mac's OSX platform hasn't been around for long, is one reason there aren't popular rootkits for it. But if there is one, then it's just a matter of time and desire on the part of crackers.
One thing Mac also has going for it is OSX (workstation) the day it was released, by default had all services disabled. So it's a pretty tough box to crack from day one; even if grandma turns on her new OSX box for the first time, it will likely be more secure than a linux box configured by a seasoned admin setting up linux for the first time. (weeks later: "What, sendmail and portmapper are running? I didn't turn those on!")
So there is less desire to even try to crack a platform that has no services to crack to begin with.
However, with OSX *server* being a bit more recent, eventually cracks may become more desirable because that will have attackable services. But someone will have to learn assembly for the Mac to implement the buffer overrun attacks. And it may take a few years before that becomes as popular as linux rootkits.
It would be good if the Linux distros made it harder for first time users setting up webservers to accidentally leave on useless services like NFS, portmapper, and all those daemons internet servers don't need (lpd, yp, linuxconf, auto-updaters).
Hmm, I wonder what services were enabled on the article's test machines. I guess it wouldn't matter, because an intel buffer overrun injection on a Mac just won't fly.
I'm going to say this just be cause no one else will. Suppose Linux simply is less secure than Windows. I have been hearing the opposite from the slashdot crowd with no information to back themselves up. They simply state that because it's open source, it must be more secure.
Then when information proves otherwise, they say things like, I'm going to say this just be cause no one else will. Suppose Linux simply is less secure than windows. I have been hearing the opposite from the slashdot crowd with no information to back themselves up. They simply state that because it's open source, it must be more secure.
Then when information proves otherwise, they say things like, they may have been the most targeted or Linux is over-represented as a target of hacking because there is so much low hanging fruit out there
Modding this as Flamebait only proves how Linux-centric Slashdot is.
Every time some evidence of any UNIX, and especially Linux, being unsecure comes up there are people declaring that the evidence is faulty because UNIX is secure...
Though this will propably be moderated as flamebait I must say that if you take the same care to secure your windowsboxes as you do with your UNIXboxes you will be rewarded with, surprise, secure boxes all over. Windows isn't inherently insecure as well as UNIX secure.