Slashdot Mirror

← Back to Stories (view on slashdot.org)

Study Recommends Mac OS X as Safest OS

Posted by michael on from the safety-first dept.

rocketjam writes "The British security firm mi2g has concluded a comprehensive 12-month study to identify the safest 24/7 computing environment. In the end, the open source BSD and Mac OS X came out on top with the fewest security breaches against permanently connected machines worldwide in homes, small businesses, large enterprises and governments. The study found Linux to be the most breached environment 'in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded'. Windows was the most breached environment in government computing and led Linux, BSD and Mac OS X by far in economic damage caused by breaches." We mentioned their previous study too. As before, the study ignores the thousands of automatically-spreading viruses for Windows.

23 of 370 comments (clear)

  1. Why isn't BSD in the title? by Anonymous Coward · · Score: 5, Insightful

    It's ranked as safest, too.

    1. Re:Why isn't BSD in the title? by slinky259 · · Score: 3, Insightful

      My guess is A) To keep the title short and sweet B) Giving OS X an edge (conciously or not) because of its "underdog" status C) Poster doesn't like BSD?

  2. Which BSD? by Benanov · · Score: 3, Insightful

    The study doesn't specify which BSD distribution they used, besides OS X (Darwin). I guess you could say "all of them" but c'mon, you just can't leave out details like that.

    1. Re:Which BSD? by arminw · · Score: 3, Insightful

      ...talking about servers...

      They were also talking about desktop users in small businesses and homes with a fast, always on Internet connection. Out of the box, Macs come with most network software turned off, which makes them less vulnerable. Still, a well social engineered trojan can infect any system, if the user can be tricked into running the malware and giving or having the needed admin privileges to allow installation. No Mac is vulnerable to any of the self installing malware programs that will destroy or zombiefy a Windows box, sometimes in minutes after being connected to the Internet. I don't think it is possible to write a self-infecting malware for a Mac that doesn't require user interaction.

      --
      All theory is gray
  3. Manual breaches... by GreyWolf3000 · · Score: 4, Insightful

    That's a software issue. Most people manually breaching systems are nmapping, finding services that are vulnerable, and exploiting them.

    Furthermore, unlike worms, crackers might not know what operating system the site is running until they attempt to infiltrate it. It's not like people go looking for Linux boxes randomly.

    I think that the argument that Linux is installed on more target machines than the other operating systems is acceptible here, even though it is somewhat fallacious when it is used to defend Windows security against automated attacks like viruses and worms.

    --
    Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
  4. What abour Market Share?? by datbox · · Score: 3, Insightful

    Does this article take into account the market share of all of these platforms? I browsed TFA and it didn't look like it did. Ofcourse if few people use osx as a server, it would result in few hacked boxes.

  5. Oh Dear God by Anonymous Coward · · Score: 5, Insightful

    This study is pretty much useless. Essentially what they're reporting is that of all manual hacker attacks that are successful, most of them happen on Linux, and Mac OS has the least of them. This does not mean that Mac OS is more secure. It may simply mean that Mac OS is less often attacked, or the MAc OS is less often used in 24/7 environments.

    Show us a report studying attempts/successful attempts ratio, and it might actually mean something.

  6. Fun with percentages by rackhamh · · Score: 5, Insightful

    Wouldn't it be more useful to provide statistics on the percentage of *each environment* that suffered breaches -- e.g., 17% of Linux machines suffered breaches, 28% of Windows machines, 19% of OS X machines?

    Unless I've misread the article (which is possible), the numbers they provide don't seem to take into account the *prevalence* of each environment.

    1. Re:Fun with percentages by CrankyFool · · Score: 4, Insightful

      Good idea. This is why plane crashes per airline usually are reported either in relation to passenger miles (X deaths per Y passenger miles) or in relation to takeoff/landings, since they're the least safe (X deaths per Y take-off/landing).

      Personally, I'd like hacks to be reported in relation to hours in operation per year -- so if you've got two Linux servers up and one gets hacked once, you get 1:17532. It's probably reasonable, given that we can assume most servers are just going to be up all the time, to simplify this to hacks per operational systems out there.

      (I still think it's somewhat bogus to dismiss out of hand the "more virii are created on Windows because it's more popular" approach while using exactly the same approach to explain why people hack Linux systems. If Windows remained the easiest system in the world to compromise but only had a .5% marketshare, I think we'd be seeing far fewer worms and virii developed for it)

  7. Re:Isn't it the least used? by BlaKnail · · Score: 5, Insightful

    Yes, you are wrong to think this.

    First, the study shows linux subject to the most manual attacks. That doesn't jive with your logic.

    Also, see the oft repeated marketshare of webservers. Apache is by far the most used, but subject to far less attacks than IIS.

  8. Logical fallacy by daveschroeder · · Score: 5, Insightful

    I know you're just joking, but for others who actually believe this, it bears repeating:

    If that were true, then apache would have the most exploits of any web server, since it has the greatest market share. However, that is not the case: Microsoft IIS is by far the most exploited web server, with only around 20% marketshare.

    Additionally, lesser marketshare does not automatically imply anything with regard to security. Sure, it's *targeted* less, and people might spend less time attacking it, but that does not mean it is less secure. In fact, there are numerous technical, design, and architectural reasons that, e.g., Mac OS X is more secure than Windows. A few examples would be: no ports or services open by default, services that are used are likely to be open source services like apache and OpenSSH which receive in intense scrutiny so that theoretical holes are closed before they become practical ones, there are more layers of abstraction between an email attachment and it actually becoming a meaningful exploit, prompting and notification for administrative-level or elevated privileges, less likelihood of standardization on a single email client reducing the exposure of a single point of attack, etc.

    And sure, marketshare helps too, in terms of things like the statistical likelihood of the next host encountered/scanned by a piece of Mac OS X malware also being Mac OS X. But that's no where near the whole story.

    1. Re:Logical fallacy by evilmousse · · Score: 3, Insightful


      You're absolutely correct. The joke was exactly that: presuming a 1:n relationship between #ofUsers and #ofExploits. This more truly would be a measure of how appetizing the platform is to black-hats. There are naturally far more variables in that equation, most especially how well the platform has been designed, but we who feel "all bugs are shallow given enough eyes" should be conscious "all platforms have exploits, given enough eyes". ..wow, that was the fastest i've ever been modded down ^_^;;;

  9. The manual Linux breeches are significant though.. by StressGuy · · Score: 5, Insightful

    I've been tinkering off and on with Linux for a while now and I'm by no means an expert. About a year or so ago, I got the Knoppix liveCD and did a hard install with it, making it essentially a mixture of Debian stable/testing/SID. Anyway, one day I fire up Quake and, instead of the normal music, it's playing this "We are the Animals" crap. The startup script even says, "This version of Quake has been hacked". I try to install Bastille but can't quite get it to work on this mixed-Debian install. I also can't un-install it.

    So, now I'm using SuSE - mainly because it has built in security functions and is easier to configure. I kinda wish I could just go with something like Slackware and set all of it up myself, but I have limited tinkering time these days.

    I suspect that a growing population on non-expert Linux users could be a potential security vulnerability.

    --
    A goal is a dream with a deadline
  10. Re:Before people go nuts... by geoffspear · · Score: 4, Insightful
    How dare you try to prevent slashdot users from going nuts!?

    The problem with this study isn't that it can been seen to say that Windows is more secure than Linux (which it doesn't say, specifically denies it's saying it, but with Linux users will think it's saying and flame away).

    The problem is that they claim to be trying to find the "most secure" OS, and then look at the % of total attacks against each type of system instead of the average per installation of each type. If I set up 5 insecure "A" machines and 100 more secure "B" machines, and find that there were 5 attacks against the A machines and 20 against the B machines, I can conclude that the B machines are least secure because they account for 80% of attacks, or that A machines are least secure because they're attacked 100% of the time vs. 20% of the time. The raw numbers are completely meaningless in the context they're presented in, and the "news alert" itself show they're either intentionally misleading people or they're incompetent and need to hire a statistician with a big clue stick.

    By the way, I do think the BSDs are probably "more secure", as they claim, but their methodology makes me ashamed to share their opinions.

    --
    Don't blame me; I'm never given mod points.
  11. Re:Isn't it the least used? by lukewarmfusion · · Score: 4, Insightful

    Linux is often quoted as having a larger marketshare than Mac OS.

    Regardless, you can certainly look at the users for the source of these numbers. I think it's harder for a Windows XP desktop user to "get hacked" than a Linux user. Why? Because Linux operating systems, with all their power and flexibility, can be compromised because it's easy to make a mistake. I'm sure you know users that run as root and do all kinds of ridiculous things. Does that mean Linux is insecure? No.

    Likewise, I'd point at Windows desktop users and ask - "do you know if you've ever been hacked?" Everyone wants to say no, but most people have no idea how to tell. Or what counts as a hack. So how will you measure the number of attacks? If you ask a Linux user, I think you're immediately more likely to get an educated response because the users are generally more attuned to their computers and how they work.

    It's hard to take a report like this very seriously because it has to overcome some fundamental issues.

  12. Re:Before people go nuts... by mitchus · · Score: 4, Insightful

    This is likely because of the great number of Linux servers,

    Indeed. I wonder about the relevance of absolute figures in such a study. I mean, I can top all these amateurs with my own home-made kernel Skimpy, 0 breaches recorded (fact that I am the sole user intentionally omitted)

  13. Re:Sure, but... by Jucius+Maximus · · Score: 3, Insightful
    "Most Mac users are professionals and are reasonably aware of the dangers of downloading and executing evil software. If the Mac had as large a base of clueless users as Windows does there would be a lot more evil stuff targeted towards them. There's just no good reason to spend a lot of effort targeting Macs."

    I think it has to do with the fact that there is much malware written for OS X, and that the OS Security model is better to begin. There is no root account and there are no ports open by default.

  14. Think of the prestige! by slinky259 · · Score: 5, Insightful

    It's been widely repeated by many of my compatriots that Macs are simply more secure because they have a tiny user base. However, hacker culture is based on egos, correct? Imagine the fame one could gain by creating a virus that infects Macs too - they'ed be able to smash the "Macs don't get virii(?)" claim and they would get attention - for some people, good or bad doesn't matter.

    I'm sure a Mac virus for OS X has at the very least been attempted. Why hasn't it succeeded at spreading all around?

    OS X really is more secure

  15. Meaningless by poptones · · Score: 4, Insightful

    I saw this earlier from a link at osnews (yeah, I know). I was a little surprised it hadn't been mentioned here until I read the article. The site comes across as just another of those l337 haxor orgs trying to "go legit." Lots more disclaimers like that one blaming "people with agendas" writing bad press and even blaming the search engines for linking to it and helping spread the evil word. A "news" page linking to all their press releases where they quote themselves a lot.. oh boy, that's impressive.

    Anyway, just in the last fews days I can think of at least one exploit requiring users of real player (on ANY platform) to "update their software" lest they be rooted by a malicious video stream. Previous hacks mentioned in the article were related to both Real and Quicktime being vulnerable to malicious skins.

    Since I don't use either of these pieces of crapware I guess I'm 100% safer than everyone else and I don't have to worry about being rooted - because, after all, it's just bad software that makes you vulnerable, not being a warez whore and installing every piece of shit toy on your system that catches your eye.

    1. Re:Meaningless by Steve+Cowan · · Score: 3, Insightful
      Previous hacks mentioned in the article were related to both Real and Quicktime being vulnerable to malicious skins.
      When did QuickTime ever have skins?
  16. Re:Before people go nuts... by Minwee · · Score: 3, Insightful

    And even before people go nuts over that, remember that this is mi2g we're talking about. They are to a reputable security firm what two Wisconsin state troopers having a donut are to the Berlin Wall in 1980.

  17. Re:Before people go nuts... by Brandybuck · · Score: 5, Insightful

    This is likely because of the great number of Linux server

    Wait! Everytime Microsoft makes this argument in defense of Windows shoddy security, Slashdot laughs them down. Suddenly the argument is valid for Linux?

    --
    Don't blame me, I didn't vote for either of them!
  18. Re:Before people go nuts... by geoffspear · · Score: 4, Insightful
    Umm, no, it's because their methodology is a load of unscientific garbage, and it's obvious that the people who wrote the study don't have even the most basic understanding of statistics or scientific method. My disagreement with the methodology has nothing at all to do with their conclusions, and everything to do with how they reached them.

    I'd feel the same about someone who said that evolution was a better theory than creationism, and went on to "prove" it with fake fossils they made in their basement. Being right for the wrong reasons is just as bad as being wrong.

    --
    Don't blame me; I'm never given mod points.