[ISN] Mi2g responds to criticism over its security study

From: InfoSec News (isn@private)
Date: Tue Nov 23 2004 - 03:23:38 PST


http://www.linuxworld.com.au/index.php/id%3B1616857056%3Bfp%3B2%3Bfpid%3B1

Phil Hochmuth
Network World
23/11/2004 

U.K. research firm mi2g generated a lot of heat for itself when it
released a report last month on the most-hacked operating systems on
the Internet. In its "deep study," the firm said it had analyzed
almost 240,000 computers attached to the Internet that had been hacked
over the last 12 months. It found Linux to be the operating system on
65% of the computers that were hacked, while Microsoft represented 25%
of the systems. BSD and Mac OS X were deemed the "safest" systems as
they represented about 5% of the systems hacked.

Since the study's release, many Linux industry observers and experts
have called into question mi2g's findings and methodology. What
observers call the fatal flaw in mi2g's logic is that fact that its
analysis of the 235,907 hacked systems it studied only reflects the
market share of the various operating systems running on the Internet
- not the technical strength of the systems studied.

Since Linux and Microsoft are among the majority of operating systems
running on the 'Net, this correlates with those systems being
represented as "most hacked" in mi2g's report, since it only studied
hacked systems. (That fact that Unix was left out of the report - when
Netcraft research shows that Solaris runs 32% of the Fortune 100 Web
sites - also brings into question how mi2g got its numbers, observers
say).

Research showing BSD and Mac OS X are the least-hacked operating
system does not tell you if the code in those products is stronger or
weaker than Windows, Linux or any other platform - it just shows how
little they are used on the 'Net.

Mi2g's response to this type of argument is this (from its Web site):

"When applying the benchmark of uptime on the full sample of
permanently connected 235,907 machines, the mi2g ... found that the
only computing environments left standing without the need for a
single reboot at the end of the 12 month period were either BSDs or
Apple Mac OS Xs ...

"On this basis, when it comes to the approach of relativistic safety
and security in computing environments, we consider the market share
safety and security debate to be looking through the wrong end of the
binoculars. Instead of a bigger market share being a positive and
smaller being negative, it has been shown that, bigger market share is
a contributor to much higher risk profiles and small may be
beautiful."

By this logic, users are better off picking the most obscure operating
systems on the Internet to ensure site safety and uptime. Will this
lead the security gurus in the Fortune 500 to flock to OpenVMS and
OS/2 for their Web infrastructure? Not likely. So, ultimately, does
the mi2g study reflect any inherent or alarming weaknesses in Linux as
a Web server platform? Not really.



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Tue Nov 23 2004 - 03:53:25 PST