[ISN] Experts Challenge Mi2g Security Study

From: InfoSec News (isn@private)
Date: Mon Nov 08 2004 - 02:31:37 PST


http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=52200309

By Tom Dunlap 
Courtesy of Linux Pipeline 
November 5, 2004

Some Linux experts are questioning a report by British-based mi2g,
which calls Linux the "most breached" computing environment worldwide,
with Microsoft Windows placing a distant second.

The London-based security firm said its study analyzed more than
235,000 successful attacks against "permanently connected--24/7
online--computers" worldwide between November 2003 and October 2004.
According to the study, computers running Linux accounted for about 65
percent of all recorded breaches, while Microsoft Windows-based
systems accounted for about 25 percent of such attacks. Successful
attacks against OS X and BSD-based online systems accounted for less
than five percent of the worldwide total.

Virus Threat Overlooked

But the report has some gaping holes in its methodology, according to
noted open source advocate Bruce Perens and others.

"It's pretty ludicrous that they didn't count viruses," Perens said.  
"Even their own study says that the financial impact of viruses on
Windows is tremendously greater than the penetration on Linux."

Explaining his point further, Perens said, "The number of Windows
systems penetrated by automatic viruses--rather than manual
penetration that this report studies--is tremendously greater. Linux
is still more secure, it's just the fact that this report doesn't
count automatic viruses."

"The report really did everyone a disservice by not pointing out that
viruses are the main problem," Perens said. "When someone studies a
restricted subset of the problem and by looking at that restricted
subset makes the conclusion come out the opposite of what it would
otherwise be, we have to question the motivation behind the study."

Perens also noted that with the rise of Linux, the growing number of
negative reports and comments about the open-source operating system
shouldn't come as a surprise. "When you're on top, you're going to get
hit more," Perens said.

The Price Of Success

Linux-based servers are commonly used to host a firm's Internet
presence, with the open source Apache Web server commanding more than
64 percent of the market. Apache usually runs on Linux servers,
although it can also run on other OSes.

The mi2g study adds to a growing list of challenges to the burgeoning
open-source operating system. In August, an Open Source Risk
Management report stated that Linux potentially infringes 283 software
patents, although none have been validated yet by court judgments.  
Patent issues have caused significant concern among Linux users since
the SCO Group sued IBM in March 2003, accusing IBM of moving SCO's
proprietary Unix code into Linux.

Microsoft president and CEO Steve Ballmer has also taken the
offensive, attempting to debunk every major Linux benefit with the
company's "Get the Facts" campaign and a recent letter to customers.

"Suspicious" Conclusions?

Rob Enderle, principal analyst with the Enderle Group, also saw many
problems with the mi2g study. The firm's methodologies have been
questioned before on other studies, Enderle said: "They tend to do a
lot of things that seem to be targeted at being media events and are
not considered to be particularly credible as a result . . . they are
trying to make headlines, and my guess is they were successful."

Asked what he questioned about the study, Enderle said, "BSD and Apple
are the least common for general use systems, so you would expect they
would be targeted less. Why try to penetrate a system that doesn't get
you where you want to go?

"In addition, BSD in particular is generally used by groups that have
a very high percentage of highly competent professionals, so it tends
to be deployed in ways that are inherently more secure," Enderle
stated. "What concerns me the most about this though is the omission
of Unix, which is prevalent and should have numbers that fall between
the two distinct groups.

"The . . . conclusion may simply be that widely deployed systems used
by large numbers of poorly trained people are inherently insecure,"  
Enderle continued. "[Mi2g's] conclusion that these results are based
on the platforms alone is questionable, because they have not
normalized the populations based on skills and usage."

Bruce Schneier, CTO of Counterpane Internet Security, had not yet
studied the report, but said the conclusions "certainly sound
suspicious."

Mi2g appeared to anticipate criticism of its study. "We would urge
caution when reading negative commentary against mi2g, which may have
been clandestinely funded, aided or abetted by a vendor or a special
interest group," it said in a press release publicizing the study.


