Study Recommends Mac OS X as Safest OS
rocketjam writes "The British security firm mi2g has concluded a comprehensive 12-month study to identify the safest 24/7 computing environment. In the end, the open source BSD and Mac OS X came out on top with the fewest security breaches against permanently connected machines worldwide in homes, small businesses, large enterprises and governments. The study found Linux to be the most breached environment 'in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded'. Windows was the most breached environment in government computing and led Linux, BSD and Mac OS X by far in economic damage caused by breaches." We mentioned their previous study too. As before, the study ignores the thousands of automatically-spreading viruses for Windows.
It's ranked as safest, too.
The study doesn't specify which BSD distribution they used, besides OS X (Darwin). I guess you could say "all of them" but c'mon, you just can't leave out details like that.
That's a software issue. Most people manually breaching systems are nmapping, finding services that are vulnerable, and exploiting them.
Furthermore, unlike worms, crackers might not know what operating system the site is running until they attempt to infiltrate it. It's not like people go looking for Linux boxes randomly.
I think that the argument that Linux is installed on more target machines than the other operating systems is acceptable here, even though it is somewhat fallacious when it is used to defend Windows security against automated attacks like viruses and worms.
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
Does this article take into account the market share of all of these platforms? I browsed TFA and it didn't look like it did. Of course if few people use osx as a server, it would result in few hacked boxes.
This study is pretty much useless. Essentially what they're reporting is that of all manual hacker attacks that are successful, most of them happen on Linux, and Mac OS has the least of them. This does not mean that Mac OS is more secure. It may simply mean that Mac OS is less often attacked, or the Mac OS is less often used in 24/7 environments.
Show us a report studying attempts/successful attempts ratio, and it might actually mean something.
The ease of use of a Windows machine.
:-)
Microsoft Office.
Internet Explorer.
Open Source.
The fastest PC.
The first 64 bit PC.
DRM Ipod attachment.
And now, the most secure computer!
'Nuff said.
Just buy a Mac
Wouldn't it be more useful to provide statistics on the percentage of *each environment* that suffered breaches -- e.g., 17% of Linux machines suffered breaches, 28% of Windows machines, 19% of OS X machines?
Unless I've misread the article (which is possible), the numbers they provide don't seem to take into account the *prevalence* of each environment.
Yes, you are wrong to think this.
First, the study shows linux subject to the most manual attacks. That doesn't jive with your logic.
Also, see the oft repeated marketshare of webservers. Apache is by far the most used, but subject to far fewer attacks than IIS.
I know you're just joking, but for others who actually believe this, it bears repeating:
If that were true, then apache would have the most exploits of any web server, since it has the greatest market share. However, that is not the case: Microsoft IIS is by far the most exploited web server, with only around 20% marketshare.
Additionally, lesser marketshare does not automatically imply anything with regard to security. Sure, it's *targeted* less, and people might spend less time attacking it, but that does not mean it is less secure. In fact, there are numerous technical, design, and architectural reasons that, e.g., Mac OS X is more secure than Windows. A few examples would be: no ports or services open by default, services that are used are likely to be open source services like apache and OpenSSH which receive intense scrutiny so that theoretical holes are closed before they become practical ones, there are more layers of abstraction between an email attachment and it actually becoming a meaningful exploit, prompting and notification for administrative-level or elevated privileges, less likelihood of standardization on a single email client reducing the exposure of a single point of attack, etc.
And sure, marketshare helps too, in terms of things like the statistical likelihood of the next host encountered/scanned by a piece of Mac OS X malware also being Mac OS X. But that's nowhere near the whole story.
Windows and Unix come from completely different histories and completely different design philosophies with different views on multiuser systems, networking, etc.
I don't think it's possible to really say that Unx (or Linux or OS/X) would be just as vulnerable as Windows if they had more users and were therefore bigger targets.
but I for one would like to see some details on their methodology...
Which kinds of services were exposed?
Which exploits were used, etc...
Leaving telnet enabled with default passwords is just as dumb as not filtering ports 445/135/etc.
But as usual with mi2g, big headlines, without anything to back them up!
I've been tinkering off and on with Linux for a while now and I'm by no means an expert. About a year or so ago, I got the Knoppix liveCD and did a hard install with it, making it essentially a mixture of Debian stable/testing/SID. Anyway, one day I fire up Quake and, instead of the normal music, it's playing this "We are the Animals" crap. The startup script even says, "This version of Quake has been hacked". I try to install Bastille but can't quite get it to work on this mixed-Debian install. I also can't un-install it.
So, now I'm using SuSE - mainly because it has built in security functions and is easier to configure. I kinda wish I could just go with something like Slackware and set all of it up myself, but I have limited tinkering time these days.
I suspect that a growing population of non-expert Linux users could be a potential security vulnerability.
A goal is a dream with a deadline
The problem with this study isn't that it can be seen to say that Windows is more secure than Linux (which it doesn't say, specifically denies it's saying it, but which Linux users will think it's saying and flame away).
The problem is that they claim to be trying to find the "most secure" OS, and then look at the % of total attacks against each type of system instead of the average per installation of each type. If I set up 5 insecure "A" machines and 100 more secure "B" machines, and find that there were 5 attacks against the A machines and 20 against the B machines, I can conclude that the B machines are least secure because they account for 80% of attacks, or that A machines are least secure because they're attacked 100% of the time vs. 20% of the time. The raw numbers are completely meaningless in the context they're presented in, and the "news alert" itself shows they're either intentionally misleading people or they're incompetent and need to hire a statistician with a big clue stick.
By the way, I do think the BSDs are probably "more secure", as they claim, but their methodology makes me ashamed to share their opinions.
Don't blame me; I'm never given mod points.
Linux is often quoted as having a larger marketshare than Mac OS.
Regardless, you can certainly look at the users for the source of these numbers. I think it's harder for a Windows XP desktop user to "get hacked" than a Linux user. Why? Because Linux operating systems, with all their power and flexibility, can be compromised because it's easy to make a mistake. I'm sure you know users that run as root and do all kinds of ridiculous things. Does that mean Linux is insecure? No.
Likewise, I'd point at Windows desktop users and ask - "do you know if you've ever been hacked?" Everyone wants to say no, but most people have no idea how to tell. Or what counts as a hack. So how will you measure the number of attacks? If you ask a Linux user, I think you're immediately more likely to get an educated response because the users are generally more attuned to their computers and how they work.
It's hard to take a report like this very seriously because it has to overcome some fundamental issues.
This is likely because of the great number of Linux servers,
Indeed. I wonder about the relevance of absolute figures in such a study. I mean, I can top all these amateurs with my own home-made kernel Skimpy, 0 breaches recorded (fact that I am the sole user intentionally omitted)
I think it has to do with the fact that there is much malware written for OS X, and that the OS Security model is better to begin. There is no root account and there are no ports open by default.
It's been widely repeated by many of my compatriots that Macs are simply more secure because they have a tiny user base. However, hacker culture is based on egos, correct? Imagine the fame one could gain by creating a virus that infects Macs too - they'd be able to smash the "Macs don't get virii(?)" claim and they would get attention - for some people, good or bad doesn't matter.
I'm sure a Mac virus for OS X has at the very least been attempted. Why hasn't it succeeded at spreading all around?
OS X really is more secure
I saw this earlier from a link at osnews (yeah, I know). I was a little surprised it hadn't been mentioned here until I read the article. The site comes across as just another of those l337 haxor orgs trying to "go legit." Lots more disclaimers like that one blaming "people with agendas" writing bad press and even blaming the search engines for linking to it and helping spread the evil word. A "news" page linking to all their press releases where they quote themselves a lot.. oh boy, that's impressive.
Anyway, just in the last few days I can think of at least one exploit requiring users of real player (on ANY platform) to "update their software" lest they be rooted by a malicious video stream. Previous hacks mentioned in the article were related to both Real and Quicktime being vulnerable to malicious skins.
Since I don't use either of these pieces of crapware I guess I'm 100% safer than everyone else and I don't have to worry about being rooted - because, after all, it's just bad software that makes you vulnerable, not being a warez whore and installing every piece of shit toy on your system that catches your eye.
And even before people go nuts over that, remember that this is mi2g we're talking about. They are to a reputable security firm what two Wisconsin state troopers having a donut are to the Berlin Wall in 1980.
First problem: what is a breach? If someone takes down a hosting company's Linux server that is hosting 5000 domains, and someone else takes down a Windows box with one domain and an OS X box with one domain, is that counted as 5000 Linux breaches, 1 Windows breach, and 1 OS X breach, or is it 1 breach of each OS?
Second problem: total number of breaches is a pointless number to look at by itself. For example, if you had 100 Windows servers and 1000 Linux servers, and you had 50 of the Windows servers breached and 100 of the Linux servers breached, that would be a 50% breach rate for Windows and a 10% breach rate for Linux. But the way Mi2G reports it they would say 33% of the breaches were on Windows and 67% on Linux, so Windows is twice as secure.
This is likely because of the great number of Linux server
Wait! Every time Microsoft makes this argument in defense of Windows' shoddy security, Slashdot laughs them down. Suddenly the argument is valid for Linux?
Don't blame me, I didn't vote for either of them!
They don't all ship with the same settings "out of the box" though, which is why OS X is the more secure OS.
"... doesn't MS still have the majority of market share in the server market?"
According to Netcraft Apache has the biggest web presence.
If you read the words carefully, they can be saying the same thing. This is a case where you have to read with your skeptometer turned to High. Look carefully at the exact words, and ask yourself what exactly they mean.
Microsoft has long claimed that IIS is the most successful commercial web server. Note that word "commercial". Apache isn't for sale; it's free from apache.org. So it's not a "commercial" web server, and it is regularly ignored in comparisons of "commercial web servers".
The above comments are compatible in the same sense. MS can claim the majority of "market share" in the "server market", because apache isn't for sale, so it isn't part of that market. Netscape isn't counting sales; it's counting online servers. These numbers need not be closely related, especially when a major server isn't for sale.
This is straightforward marketing technique. To avoid falling for it, you need to understand how marketers use terminology to make you think they're saying something very different from what they're actually saying.
In brief, MS's IIS server is the most sold web server; apache is the most used web server.
A funny example I saw recently: A box was sold with Windows XP Pro, including the IIS server (which was never used). Its disk was wiped, then linux with apache were installed. Microsoft counts this machine as Windows running IIS; Netcraft counts it as linux running apache. In "market" statistics, Microsoft is correct; in "running" statistics, Netcraft is correct.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
How ironic!
Linux Apache/2.0.46 (Red Hat) 19-Oct-2004 217.154.246.214 Mistral Internet
I'd feel the same about someone who said that evolution was a better theory than creationism, and went on to "prove" it with fake fossils they made in their basement. Being right for the wrong reasons is just as bad as being wrong.
Don't blame me; I'm never given mod points.
As before, the study ignores the thousands of automatically-spreading viruses for Windows.
And as before, michael just can't help adding his two cents to a story submission, rather than posting a comment in response to it like everyone else, subjecting his opinions to the moderation processes.
If only Slashdot admins could be elected rather than appointed...
Linux is very much like BSD.
Except, every 'Linux' distro has its own userland and /etc hierarchy, all mashed together in a chaotic arrangement depending on who compiled the 'distro.'
The Freenix BSD OSes have base systems and core userlands that are tracked and version controlled under single organizations.
Which makes a heck of a lot more difference than a casual Linux user would recognize.
"What's the frequency Kenneth?"