UPDATED: Security company defends Linux-is-vulnerable survey

Posted on 8 Nov 2004 at 18:03

A UK security company has published an open letter following a furore in the Linux camp after a study claimed that nearly two thirds of successful Internet-based attacks occurred on the open source operating system.

The mi2g Intelligence Unit study found that nearly 60 per cent of all successful breaches were against Linux computers. However, an article on the Linux pipeline website cast doubt on the findings, and open source leaders such as Bruce Perens, among others, lambasted the report as 'ludicrous'.

'Linux is still more secure, it's just the fact that this report doesn't count automatic viruses,' the article reports him as saying.

This has prompted mi2g to publish the open letter, claiming the article has discredited the company and included 'factually incorrect statements'.

The company told us that the study did indeed include viruses, as well as worm, trojan and other forms of digital attacks in its report.

That only means the figures are going to raise eyebrows still higher. The report put Windows breaches slightly higher than 25 per cent, yet the vast majority of viruses are written to exploit Windows. The nature of worms that self-propagate and can infect many hundreds of thousands of machines within hours, mean that one would expect to see Windows as the most attacked, simply by virtue of its ubiquity in installations and attraction as a target.

However, mi2g argues that the massive market share of Windows would mean it appeared as most secure.

Another objection was that there were no figures for the Unix platform, while Linux, Windows, BSD and Mac OS X were included.

mi2g told us that this was because: 'The systems studied were only those that had had over 10,000 breaches in the twelve months preceding the study.

'The number of attacks being above 10,000 was a rough measure of getting round the "security by obscurity argument", which we knew would rear its head if we chose OpenVMS for example.'

mi2g concluded: 'We have viewed BSD + OS X as the most reliable, available, scalable and maintainable platform as well as safest flavour of UNIX, based on highest 24/7 uptimes observed, which have been the other deciding factor in excluding or including particular UNIX platforms from the final study.'

However, one might instead suggest that it is Unix systems that are the world's safest systems as they didn't even make it onto the study, so secure were they. In comparison, the Mac OS X or BSD platforms look like a sieve with their nigh on 5 per cent 'breach' share.

mi2g responded: 'As far as UNIX is concerned, HP-Unix, AIX, Solaris, BSD, Mac OS X, Linux are all *NIX so your chosen perspective about the safety of UNIX being above all cannot be agreed with.'

The real problem appears to lie in the handling of statistics. It's all very well to take 65 infected Linux machines and five infected Mac OS X machines, but you can't on that basis alone claim that one is more secure than another. Not without identifying a 'normal' platform share of internet-connected systems to place the figures in context, or by showing breaches as a percentage per 100 installations by platform.

mi2g tells us that the platform share of the sample analysed and the 'breached' platform share are 'Identical... because only the partial or completely breached platforms were sampled.'

So this still leaves no room for a platform - theoretical for now - that has a reasonable market share, 100 per cent uptime, yet fewer that 10,000 successful breaches. It just won't feature in mi2g's list.