Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Information-Security-News
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISN] Mi2g responds to criticism over its security study

from [InfoSec News] Network Security [Permanent Link]
Subject: [ISN] Mi2g responds to criticism over its security study
Date: Tue, 23 Nov 2004 05:23:38 -0600 (CST) 
http://www.linuxworld.com.au/index.php/id%3B1616857056%3Bfp%3B2%3Bfpid%3B1

Phil Hochmuth
Network World
23/11/2004 

U.K. research firm mi2g generated a lot of heat for itself when it
released a report last month on the most-hacked operating systems on
the Internet. In its "deep study," the firm said it had analyzed
almost 240,000 computers attached to the Internet that had been hacked
over the last 12 months. It found Linux to be the operating system on
65% of the computers that were hacked, while Microsoft represented 25%
of the systems. BSD and Mac OS X were deemed the "safest" systems as
they represented about 5% of the systems hacked.

Since the study's release, many Linux industry observers and experts
have called into question mi2g's findings and methodology. What
observers call the fatal flaw in mi2g's logic is that fact that its
analysis of the 235,907 hacked systems it studied only reflects the
market share of the various operating systems running on the Internet
- not the technical strength of the systems studied.

Since Linux and Microsoft are among the majority of operating systems
running on the 'Net, this correlates with those systems being
represented as "most hacked" in mi2g's report, since it only studied
hacked systems. (That fact that Unix was left out of the report - when
Netcraft research shows that Solaris runs 32% of the Fortune 100 Web
sites - also brings into question how mi2g got its numbers, observers
say).

Research showing BSD and Mac OS X are the least-hacked operating
system does not tell you if the code in those products is stronger or
weaker than Windows, Linux or any other platform - it just shows how
little they are used on the 'Net.

Mi2g's response to this type of argument is this (from its Web site):

"When applying the benchmark of uptime on the full sample of
permanently connected 235,907 machines, the mi2g ... found that the
only computing environments left standing without the need for a
single reboot at the end of the 12 month period were either BSDs or
Apple Mac OS Xs ...

"On this basis, when it comes to the approach of relativistic safety
and security in computing environments, we consider the market share
safety and security debate to be looking through the wrong end of the
binoculars. Instead of a bigger market share being a positive and
smaller being negative, it has been shown that, bigger market share is
a contributor to much higher risk profiles and small may be
beautiful."

By this logic, users are better off picking the most obscure operating
systems on the Internet to ensure site safety and uptime. Will this
lead the security gurus in the Fortune 500 to flock to OpenVMS and
OS/2 for their Web infrastructure? Not likely. So, ultimately, does
the mi2g study reflect any inherent or alarming weaknesses in Linux as
a Web server platform? Not really.



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - 
http://www.osvdb.org/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISN] Mi2g responds to criticism over its security study, InfoSec News <=
Previous by Date:  [ISN] More funding needed for security R&D, IT committee says, InfoSec News
Next by Date:  [ISN] U.S. security critic sues Japan for censorship, InfoSec News
Previous by Thread:  [ISN] More funding needed for security R&D, IT committee says, InfoSec News
Next by Thread:  [ISN] U.S. security critic sues Japan for censorship, InfoSec News
Indexes:  [Date] [Thread] [Top] [All Lists]