http://www1.commsworld.com.au/NASApp/cs/ContentServer?pagename=commsworld/home&var_el=art&art_id=1067861810188&var_sect=COMMENT&from=home

Richard Chirgwin, 01 March 2004

Since I've never encountered Mi2g in any capacity, it's not easy to assess the company's standing as a security consultant. Of course, every security company in the world is a market leader of some kind - the security market seems like a 1,000-way dead heat for first - but Mi2g is at least punching above its weight in terms of media strategy. It's got a press release, a statement or a piece of proprietary research to cover just about any eventuality.

Still, given the long campaign by Linux advocates to promote open source software as intrinsically more secure than proprietary software, and the long campaign by Microsoft to recover its security credibility, a story which says "Linux is insecure" is a dead cert to get at least a few headlines. Unfortunately, if I tried to do anything more than rehash the same sketchy details that have already found their way around the IT press, I would be up against it.

The Facts

The facts that Mi2g has gone to press with are sketchy, to say the least. It says that more than 17,000 servers on the Internet were attacked during January; that the most-attacked server operating system was Linux; and that Mac and BSD are the most secure server operating systems, based on the number of successful breaches. For those who like numbers, Mi2g is saying that January saw just over 17,000 successful attacks, and that more than 13,600 of those involved Linux servers versus just over 2,000 for Windows servers. Well, that's pretty conclusive, isn't it? No.

Methodology

It's very hard to discuss the raw data, or to analyse the methodology, because I can't read the source report. Why not? Because Mi2g requests payment for press releases. In the case of the January report, it's asking nearly $100. A sufficiently cynical character - me, for example - might be led to wonder.
Perhaps the media which rate "most favoured status" get to see a sliver of real data - maybe the executive summary of the report, for example, or maybe they get the media release for nothing. But Mi2g is not exposing itself to the wholesale scrutiny of the press. And I would be surprised if any of the favoured media read the incredibly onerous license terms Mi2g applies to everything it commits to a document.

If you've received an Mi2g media release, it is (as far as I can tell from the legalese on the Website) released under conditions such as the data remaining the property of Mi2g rather than the media. The very first clause of the license agreement - from which media releases are not excluded - says that Mi2g retains "control over the form and content of the Services" (with services already defined as everything the company says and/or does).

CommsWorld isn't in Mi2g's "in" crowd, so I can only comment on the data that has appeared in the public domain. If, for example, one of the Mac publications, or ZDNet, or anyone else has made an error, it could render my analysis of the Mi2g data inaccurate.

What's Missing

All of the reports of Mi2g's study - because we can't discuss the methodology directly - say that Linux was the operating system most frequently breached in January, but none of them explain Mi2g's definition of what constitutes a "breach". If, for example, there is a fundamental vulnerability in Linux which allows attackers to discover a "backdoor" into a server, bypassing normal security measures such as access control, then this would be a serious matter which would put any deployment of Linux in serious doubt. But a breach can just as easily (whether the server is Windows, Linux, or Commodore 64 for that matter) come with no technical prowess required - if the system administrator is careless or rushed, and has left a system's default passwords enabled.
An attack of this kind reflects not on the underlying operating system, but on a lack of administrative and deployment processes among the user base. Alternatively, the attack might compromise, or be enabled by, an application running on top of that operating system. Successfully breaching an Apache Web server - or some other Web server for that matter - does not reflect on the security intrinsic to the underlying operating system.

A third problem is common to both Windows and Linux: how does the researcher draw the line between a compromised server and the many Web presences that server may host? If an attacker walks in through a default password, in a Web farm hosting 100 Web sites, does that count as 100 incidents against the operating system, or as one? Unless the methodology is open to scrutiny, it's impossible to tell.

Finally, there's the matter of correctly identifying the operating system hosting a particular service. Anyone with curiosity can see, by using Netcraft to wander around different sites, that there are often lacunae in OS identification. This is particularly true when a firewall and a Web server are running different operating systems; many's the time that I have been told a Web server was running Microsoft Internet Explorer on the open source operating system which was actually hosting the firewall.

Sanity Check

What's missing from the reporting is the simple sanity check that a look at the raw data would afford. However, there are certain assumptions which seem, from the outside, to be reasonable. Chief among these: that much of the data-gathering is completely automated, the business of automatic software bots querying Web sites in much the same way as Netcraft does.
The reason I make this assumption is simple: even if a company had the resources to conduct 17,000 detailed telephone calls per month - a task which would take hundreds of staff and hundreds of thousands of dollars - it's not going to find the phone numbers of 17,000 Web sites that easily. However, once again in the business of assessing the information - deciding whether it's valuable enough to print as "news" - there's no way to know. The information is obscure, its source is obscure, and to seek the data at its source would tie my hands and constrain the reports.

Which leaves me with a conclusion that my peers should have made: the slender amount of data Mi2g releases is entirely inadequate for serious news. It's a promotion piece only, supplemented by little leaks to friends. Is Linux more insecure than Windows? I don't know - and nor do any of the IT press, anywhere in the world.

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Fri Mar 19 2004 - 06:23:33 PST