Study Recommends Mac OS X as Safest OS
rocketjam writes "The British security firm mi2g has concluded a comprehensive 12-month study to identify the safest 24/7 computing environment. In the end, the open source BSD and Mac OS X came out on top with the fewest security breaches against permanently connected machines worldwide in homes, small businesses, large enterprises and governments. The study found Linux to be the most breached environment 'in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded'. Windows was the most breached environment in government computing and led Linux, BSD and Mac OS X by far in economic damage caused by breaches." We mentioned their previous study too. As before, the study ignores the thousands of automatically-spreading viruses for Windows.
...this study is talking about manual exploits, and says as much:
The study also reveals that Linux has become the most breached 24/7 online computing environment in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded, with 154,846 successfully compromised Linux 24/7 online computers of all flavours.
This is likely because of the great number of Linux servers, and the wide variety of network services and ports open to the world on such servers.
And it does, in fact, make distinct reference to Windows malware (self-propagating worms, viruses, etc.):
Malware proliferation
The recent global malware epidemics have primarily targeted the Windows computing environment and have not caused any significant economic damage to environments running Open Source including Linux, BSD and Mac OS X. When taking the economic damage from malware into account over the last twelve months, including the impact of MyDoom, NetSky, SoBig, Klez and Sasser, Windows has become the most breached computing environment in the world accounting for most of the productivity losses associated with malware - virus, worm and trojan - proliferation. This is directly the result of very insignificant quantities of highly damaging mass-spreading malware being written for other computing environments like Linux, BSD and Mac OS X.
Also interesting:
For the record, neither mi2g Ltd nor the mi2g Intelligence Unit have a business relationship with Apple Computers and we do not own any shares in that corporation. Previously, the mi2g data for one month was considered to be too small a sample and not representative of the global environment within which different types of entities - micro, small, medium and large - exist. We have addressed those concerns in the new study. The critics were against the previous study which also came out in favour of Apple and BSD, because the entrenched supporters of Linux and Windows felt that mi2g was guilty of 'computing blasphemy'. In subsequent months, mi2g's reputation was damaged on search engines and bulletin boards. We would urge caution when reading negative commentary against mi2g, which may have been clandestinely funded, aided or abetted by a vendor or a special interest group.
There are a wide variety of reasons to expect that Mac OS X is a significantly more secure computing platform than Windows in a non-server/desktop setting; this study only further confirms that.
It's ranked as safest, too.
The study doesn't specify which BSD distribution they used, besides OS X (Darwin). I guess you could say "all of them" but c'mon, you just can't leave out details like that.
That's a software issue. Most people manually breaching systems are nmapping, finding services that are vulnerable, and exploiting them.
Furthermore, unlike worms, crackers might not know what operating system the site is running until they attempt to infiltrate it. It's not like people go looking for Linux boxes randomly.
I think that the argument that Linux is installed on more target machines than the other operating systems is acceptable here, even though it is somewhat fallacious when it is used to defend Windows security against automated attacks like viruses and worms.
Slashdot: Where people pretend to be twice as smart as they really are by behaving like children.
-flamebait-
security through obscurity. Fewer AmigaOS exploits these days too.
-/flamebait-
(I'm joking.. just couldn't resist.)
Does this article take into account the market share of all of these platforms? I browsed TFA and it didn't look like it did. Of course if few people use osx as a server, it would result in few hacked boxes.
This study is pretty much useless. Essentially what they're reporting is that of all manual hacker attacks that are successful, most of them happen on Linux, and Mac OS has the least of them. This does not mean that Mac OS is more secure. It may simply mean that Mac OS is less often attacked, or the Mac OS is less often used in 24/7 environments.
Show us a report studying attempts/successful attempts ratio, and it might actually mean something.
Wouldn't it be more useful to provide statistics on the percentage of *each environment* that suffered breaches -- e.g., 17% of Linux machines suffered breaches, 28% of Windows machines, 19% of OS X machines?
Unless I've misread the article (which is possible), the numbers they provide don't seem to take into account the *prevalence* of each environment.
Just like the millions of clueless Windows users.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
Yes, you are wrong to think this.
First, the study shows Linux subject to the most manual attacks. That doesn't jibe with your logic.
Also, see the oft-repeated marketshare of webservers. Apache is by far the most used, but subject to far fewer attacks than IIS.
I know you're just joking, but for others who actually believe this, it bears repeating:
If that were true, then Apache would have the most exploits of any web server, since it has the greatest market share. However, that is not the case: Microsoft IIS is by far the most exploited web server, with only around 20% marketshare.
Additionally, lesser marketshare does not automatically imply anything with regard to security. Sure, it's *targeted* less, and people might spend less time attacking it, but that does not mean it is less secure. In fact, there are numerous technical, design, and architectural reasons that, e.g., Mac OS X is more secure than Windows. A few examples would be: no ports or services open by default, services that are used are likely to be open source services like Apache and OpenSSH which receive intense scrutiny so that theoretical holes are closed before they become practical ones, there are more layers of abstraction between an email attachment and it actually becoming a meaningful exploit, prompting and notification for administrative-level or elevated privileges, less likelihood of standardization on a single email client reducing the exposure of a single point of attack, etc.
And sure, marketshare helps too, in terms of things like the statistical likelihood of the next host encountered/scanned by a piece of Mac OS X malware also being Mac OS X. But that's nowhere near the whole story.
I've been tinkering off and on with Linux for a while now and I'm by no means an expert. About a year or so ago, I got the Knoppix liveCD and did a hard install with it, making it essentially a mixture of Debian stable/testing/SID. Anyway, one day I fire up Quake and, instead of the normal music, it's playing this "We are the Animals" crap. The startup script even says, "This version of Quake has been hacked". I try to install Bastille but can't quite get it to work on this mixed-Debian install. I also can't un-install it.
So, now I'm using SuSE - mainly because it has built in security functions and is easier to configure. I kinda wish I could just go with something like Slackware and set all of it up myself, but I have limited tinkering time these days.
I suspect that a growing population of non-expert Linux users could be a potential security vulnerability.
A goal is a dream with a deadline
I think mac users are a very bimodal group. There are lots of pros, comfortable with various OS's. However, there are tons of totally clueless folks.
I cleaned up a lot of macs in the pre-OSX days when a handful of annoyances like macro-viruses were common.
Linux is often quoted as having a larger marketshare than Mac OS.
Regardless, you can certainly look at the users for the source of these numbers. I think it's harder for a Windows XP desktop user to "get hacked" than a Linux user. Why? Because Linux operating systems, with all their power and flexibility, can be compromised because it's easy to make a mistake. I'm sure you know users that run as root and do all kinds of ridiculous things. Does that mean Linux is insecure? No.
Likewise, I'd point at Windows desktop users and ask - "do you know if you've ever been hacked?" Everyone wants to say no, but most people have no idea how to tell. Or what counts as a hack. So how will you measure the number of attacks? If you ask a Linux user, I think you're immediately more likely to get an educated response because the users are generally more attuned to their computers and how they work.
It's hard to take a report like this very seriously because it has to overcome some fundamental issues.
Mi2G are about as expert in computer security as your local nursery school, they are basically a fraud outfit that deceive companies by using FUD in order to transfer cash from company accounts to the chairman's pocket, and Slashdot linked them up
and you wonder why no one subscribes and blocks Slashdot's adverts
in the security scene they are worthless
Register article
As a Mac user and Linux guy, I have to say that this kind of study is a little tilted... how many Mac users and Windows users really know how to record a breach into their machine? Neither ships with process accounting on out of the box, to my knowledge.
I recently had some puke engage in comment spamming my website. Traceback revealed he was using a Windows XP machine infected with the Subseven trojan. I'd be willing to bet that breach was not recorded.
I think it has to do with the fact that there is much malware written for OS X, and that the OS Security model is better to begin. There is no root account and there are no ports open by default.
In a recent addendum to the mi2g's analysis, Executive Chairman DK Matai says,
Any thinking computer professional will see that Microsoft's Longhorn Operating System has had 0 malicious security breaches over the past year. It is obscene to think that anyone with half a mind would not switch to such a secure platform. Our masterfully elaborate computer models lead us to undoubtably confirm that Microsoft's Longhorn Operating System will be the most secure Operating System until it is released, sometime in the later part of the great year 2015. At that time we believe it will experience a downward trend and will be replaced by BSD as the most securest of all Operatinginus Systamicuses around. This indisputable change will be due in large part to the unquestionable and horrifying death of the BSD platform. Indubitably.
It's been widely repeated by many of my compatriots that Macs are simply more secure because they have a tiny user base. However, hacker culture is based on egos, correct? Imagine the fame one could gain by creating a virus that infects Macs too - they'd be able to smash the "Macs don't get virii(?)" claim and they would get attention - for some people, good or bad doesn't matter.
I'm sure a Mac virus for OS X has at the very least been attempted. Why hasn't it succeeded at spreading all around?
OS X really is more secure
If you read about how Opener is built, it's pretty obvious that it's neither a virus nor a trojan per se, but just a malicious script. No reason to get your britches all in a knot: any decent *nix user should be able to whip up some of these easily.
I saw this earlier from a link at osnews (yeah, I know). I was a little surprised it hadn't been mentioned here until I read the article. The site comes across as just another of those l337 haxor orgs trying to "go legit." Lots more disclaimers like that one blaming "people with agendas" writing bad press and even blaming the search engines for linking to it and helping spread the evil word. A "news" page linking to all their press releases where they quote themselves a lot.. oh boy, that's impressive.
Anyway, just in the last few days I can think of at least one exploit requiring users of real player (on ANY platform) to "update their software" lest they be rooted by a malicious video stream. Previous hacks mentioned in the article were related to both Real and Quicktime being vulnerable to malicious skins.
Since I don't use either of these pieces of crapware I guess I'm 100% safer than everyone else and I don't have to worry about being rooted - because, after all, it's just bad software that makes you vulnerable, not being a warez whore and installing every piece of shit toy on your system that catches your eye.
I can't find the source of the reported breaches. How did they determine which breaches to investigate? Were they only breaches reported to them? I can state for a fact that many companies do not report breach attempts to anyone. So this investigation probably isn't of a very accurate sample pool.
Developers: We can use your help.
Bah. Your manual Linux breeches are no match for my automated OS X pantaloons.
One important factor with Mac OS X security is its default security settings; when someone buys a new Mac, takes it home and starts it up, their firewall is enabled, all of their sharing/webserving services are turned off, and their root account is disabled.
I am glad you pointed out that this is about manual exploits, NOT about which OS has the best security. If we were talking strictly about vulnerability the story would be quite different. Quite simply, Mac OS would lose (IMHO): http://www.computerweekly.com/articles/article.asp?liArticleID=131513&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1
Not that this matters. But it's also good to know it's safe. But how many people actually direct connect to the internet? Doesn't it make sense to have some sort of cheap firewall/router box to protect you?
It's either on the beat or off the beat, it's that easy.
I moderate therefore I rule!
--
As before, the study ignores the thousands of automatically-spreading viruses for Windows.
And in other news, a new auto-safety study by the National Traffic Safety Commission has shown that SUVs are no more dangerous to drive than other types of cars. This conclusion was reached by ignoring roll-over accidents, which are due to the SUV's design, and are thus not caused by the driver.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I did not think of using a Mac until my last year in college when my FreeBSD box crapped out numerous times during my final software engineering project. I spent all my graduation money on a Mac and I still think that it was a good move because I get the power of Unix and Open Source with a nice interface and a system that does not crash and accepts almost anything I choose to stick in the USB port.
My primary reasons for using a Mac are:
I still can use all my office applications without problems. Office for Mac is not bad at all!
As a Unix dude who runs several boxes at home, I find it almost impossible to use Windows because I am glued to Terminal from time to time. I tried Cygwin and I do use it at work; however, I do not like it as much due to the lack of complete integration into my box.
Mac has been secure for me. Although I consider myself to be a power user, I do have a girlfriend who likes to download all sorts of crap and click on everything that flashes. I haven't had problems with viruses so far.
Mac OS 10.3 has never crashed on me. I do not remember a single time when something went wrong to the point where I had to do cold boot.
Darwinports rule. Open Source programs just the way I like them :)
Mac is based on Unix and that is a key because I like maintaining all my systems in the same way. For example, I can run the same backup scripts with almost the same variables across all my boxes.
Plug-n-Play, as opposed to Plug-n-Pray on Windows. So far, I had no problems with digital cameras, USB keys, scanners, printers, etc. Plug it in and it works.
Human-Computer Interaction and Mac GUI. I cannot stress this enough: details are important! Natural things, like dragging an image from Safari browser or to iChat's icon, make our lives easier. Smooth fonts appeal greater. Software applications, just like people, will be taken more seriously if they are well polished. Thankfully, Apple spent an enormous amount of time and money on HCI research and then turned the results into something productive. I like OS X because it feels more natural than any Windows edition I've used so far.
This is a small one, but CD burning works with OS X without any problems right out of the box. No additional software installations needed. This list was enough to convince me :)
But since they don't tell you how many of each system type is 24/7 connected, it is very hard to draw meaningful conclusions from this report.
If OS X/BSD systems comprised only .001% of 24/7 connected systems, then I'm not impressed with their numbers. If they comprised 60%, then I'm really impressed.
And...were the attacks against unique machines? Or once machine A was found to be vulnerable, were there 200 different breaches against that machine? One badly configured system could really blow it for the rest.
Finally...which of the "attacks" were against the OS and which were against the applications? MySQL and Apache run on all their listed OSes. If it was a misconfiguration of those, which OS is really not relevant.
They might have the data, but they do not expose enough of it for me to have any confidence in their conclusions.
Pure marketing hype.
Learning HOW to think is more important than learning WHAT to think.
According to Netcraft, Apache outnumbers IIS 3:1, and I'm making the (valid) assumption that most Apache web servers run on Linux. Let's also make the other assumption that most 24/7 machines are web servers (that most servers accessible on the net are web servers).
So, Netcraft has 37,620,349 Apache servers on-file, compared to 11,679,222 IIS servers. Mi2G has reported 235,907 successful breaches. First of all, to give you an idea of the sample size, that's 0.5% of all servers recorded by Netcraft! But let's give them that, since this is a sample of breaches occurring in a relatively short time period.
Now here comes the real news. 59,419 of computers recorded as breached are Windows, whereas 154,846 of computers recorded as breached are Linux (mi2g's numbers). Let's take those as percentages of all Linux [*nix] servers, and of all Windows servers. Looks like 0.4% of Linux servers have been breached, whereas 0.5% of Windows servers have been breached. So Windows is a little less secure, by my metric.
Now, this is a little unfair, because my assumption above (that Apache servers run Linux) is wrong. Many Apache servers that Netcraft picks up run BSD and could even run Mac OS X Server, I guess. Even taking this into account, the breach rate would be about the same for the two OSes (probably a little bit better for Linux).
What this doesn't take into account in terms of the Windows/UNIX debate are the hidden costs of an IIS server in terms of administration, virii, stability, reboot requirements, etc. the list goes on and on. It also doesn't take into account SOME hidden costs of Linux/BSD servers, but those are minor compared to the Windows annoyances (trust me, I know: I administer a Windows server, unfortunately).
That said, I do think BSD probably is more secure, and I use Netcraft's "longest uptime" as one of my metrics. To me, it seems the longer a site is on the Internet, the more statistical chance it has to get attacked. That ALL of the top uptime sites on Netcraft's list run BSD shows me that BSD is a pretty rock-solid OS for servers, that you can leave them out there in the wild for years without worry.
The real bottom line is that software that runs on UNIX-like OSes tends to be more secure, and this usually has not too much to do with the OS. For your box to have real security, the system administrator has to be smart (or the distro has to come with Smart Defaults, like I believe Debian does in the Linux world). The only real way to prevent security breaches is to be a smart administrator: to think ahead and secure your boxen before it's too late.
All this study shows me is that no OS is a "magic bullet," that breaches occur on unprotected machines regardless of your OS. No one blames car manufacturers/designers for stolen in-dash CD players if you stupidly forget to lock your doors.
My own anecdotal experience would be roughly the same (sans OS X experience). I have known someone whose Linux box was rooted, but it, too, was a manual attack. Windows goes without saying. OpenBSD goes without saying, too (oppositely, of course).
Linux is a very good general purpose OS, but its development is volatile enough that it requires a conservative approach with respect to security. I would use an older more mature kernel along with manually paring down the rc directories and inetd.conf, among other things. OpenBSD, on the other hand, is stripped out of the box, and the user must add services. I generally feel that Solaris ranks more with Linux, in that a manual hardening effort really is necessary. Never would I put Windows on the Internet--it would be like swimming in the ocean with steaks tied to my legs.
-- "Makes Little Debbie look like a pile of puke!" - Moe Szyslak
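An added example, not part of the comment above or of any tool named in this thread: one way to check how far an inetd.conf has been pared down is to parse it and report every service that is still enabled but not on a site allowlist. The sample file contents and the `ALLOWED` policy are constructed for illustration; the field layout is the standard inetd.conf one (service, socket type, protocol, wait flag, user, server program, arguments).

```python
# Added example: audit an inetd.conf for services that are still enabled.
# SAMPLE_INETD_CONF is constructed sample data, not taken from a real host.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
ident   stream  tcp     wait    identd  /usr/sbin/identd identd
time    dgram   udp     wait    root    internal
"""

# Hypothetical site policy: the only inetd service this host should offer.
ALLOWED = {"ident"}


def parse_inetd(text):
    """Return one dict per active (uncommented) entry, with its line number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or disabled entry
        fields = line.split()
        if len(fields) < 6:
            # Too few fields to be a valid entry; report rather than guess.
            entries.append({"line": lineno, "error": "malformed entry"})
            continue
        service, sock_type, proto, wait, user, server = fields[:6]
        entries.append({
            "line": lineno,
            "service": service,
            "proto": proto,
            # The user field may carry a group as user.group or user:group.
            "user": user.replace(":", ".").split(".")[0],
            "server": server,  # "internal" means inetd handles it itself
        })
    return entries


def audit(text, allowed):
    """List (line, service, reason) for each enabled entry outside the policy."""
    findings = []
    for entry in parse_inetd(text):
        if "error" in entry:
            findings.append((entry["line"], "?", entry["error"]))
            continue
        if entry["service"] in allowed:
            continue
        reason = "enabled but not in allowlist"
        if entry["user"] == "root":
            reason += ", runs as root"
        findings.append((entry["line"], entry["service"], reason))
    return findings


if __name__ == "__main__":
    for line, service, reason in audit(SAMPLE_INETD_CONF, ALLOWED):
        print(f"line {line}: {service}: {reason}")
```

Each finding is a candidate for commenting out in inetd.conf, followed by a reload of inetd so the change takes effect.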
Enough I say! There needs to be the grand ultimate no holds barred OS hacker challenge! Each OS fanclub gets to put one as equal as possible machine on the net, with a provided IP. 24 hours opened to attack, no DDoS, actual penetration attacks. Set up a directory inside with a file called "hackmeplz", the hackers have to add their tag to that file to prove they were there. Hackers or hacker groups have to pre register, with a hashed sig for verification of who they be, and they are the only ones allowed to try.
And here's the twist, the fanclubs are also the hackers, they not only have to try and own the other teams' boxes, they have to defend their box!
Once and for all, let's see who's got the OS and the skillz!