The relativistic approach to safety - uptime versus market share
London, UK - 5 November 2004, 11:30 GMT - The mi2g Intelligence Unit in-depth study "The world's safest computing environment" has sparked off an extensive global debate about the safety and security of software by market share and its impact on the absolute rankings of the mainstream computing environments based on Microsoft Windows, Linux flavours and BSD plus Mac OS X. mi2g has also received thousands of emails in regard to "market share" perspectives via www.mi2g.net, for which we are thankful to all those who took the time to write to us. The correspondents have focussed on the impact of market share on the absolute safety assessment of a given computing environment. The essential argument boils down to the following classical safety approach:
    
If the market shares of the Microsoft Windows, Linux and BSD + OS X based computing environments are x%, y% and z% respectively, where x is much greater than y, which is greater than z, then the absolute safety rankings can be easily derived from the breach percentages just released by mi2g: 25.19%, 65.64% and 4.82% respectively for Windows, Linux and BSD + OS X.
    
Under this classical safety approach, with breach percentage divided by market share percentage as the measure of absolute safety and security, Microsoft Windows may come first (lowest absolute safety), Linux may come second, and BSD plus Mac OS X may come third (highest absolute safety). [In absolute safety: low is good and high is bad.]
    
The mi2g Intelligence Unit does not agree with the classical approach because it goes against the grain of common sense as observed by millions of computer users in the real world every day. The bigger the market share, the bigger the risk profile of a given computing environment: more malicious malware writers target that platform, and more hackers with honed skills and automated tools carry out their malicious activities against it. If the classical logic were robust and absolutely correct, then why do users complain about not being able to find highly skilled Windows and Linux helpers or administrators as their computers come under hacker or malware attack; shift away from Windows to Apple Macs for their desktops, in well chronicled cases to enhance productivity and minimise Downtime; or move from Linux and Windows to BSD platforms for their servers?
    
The simple reason for the mi2g Intelligence Unit disagreeing with the classical approach is that it is completely vendor centric and not user centric. The vendors may prefer the world market for computers to be looked at purely in terms of quantity of units sold and to oversimplify "absolute safety" down to market share sectors on a pie chart, where Microsoft Windows would dominate, followed by Linux and then BSD plus Mac OS X. The vendors assess their turnover and profits via the yardstick of units or licenses sold, so it makes sense from their perspective to think of the computing ecosystem by the classical measure of quantity. But does the classical measure make sense from the users' perspective? No, it does not, and neither does it make any economic sense. For this reason, we recommend a relativistic approach which is time based and takes into account the adverse impact of high market share, as well as system reliability, availability, maintainability and scalability, within a 24/7 online computing environment that is part of a network on which mission critical work may take place over an extended time period, say, a minimum of 12 months, the duration of our study.
    
Any business, government department or individual will attest that what matters to them over one year in terms of their computing resource is Uptime. In a given year, how many times do they have to stop working to deal with hard reboots, soft resets, dysfunctional processes, patching and system upgrades, loss of valuable work, serious computer administration etc., or in other words Downtime, also known as Productivity Loss? This issue of near 100% Uptime over one year is mission critical to 24/7 online computers in many instances, and most market share dominators by the classical measure, when subjected to the litmus test of out of the box safety and security, do not appear to score very well at all, be they Windows or most flavours of Linux.
    
When applying the benchmark of Uptime to the full sample of 235,907 permanently connected machines, the mi2g Intelligence Unit found that the only computing environments left standing without the need for a single reboot at the end of the 12 month period were either BSD or Apple Mac OS X based. This finding is echoed by Netcraft's independent research page, "Sites with longest running systems by average Uptime in the last 7 days": http://uptime.netcraft.com/up/today/top.avg.html
    
On this basis, when it comes to the approach of relativistic safety and security in computing environments, we consider the market share safety and security debate to be looking through the wrong end of the binoculars. Instead of a bigger market share being a positive and a smaller one being negative, it has been shown that bigger market share is a contributor to much higher risk profiles, and small may be beautiful.
    
Within financial services, government agencies and defence businesses - the sectors we know and understand - the most important issue is continuous Uptime for the supply chain and customer chain. A computing environment may have a high quantitative market share like 30% or 60%, but because the machines running it keep falling over as a result of hacker and malware attacks, or need reboots for other reasons more regularly in a given year, the continuous Uptime share may be very low. So within this qualitative perspective of continuous Uptime share, most of the machines not requiring any switch-off / switch-on regimes over 12 months have been either BSD or Mac OS X based, and neither Windows nor Linux. According to vendors, this could boil down to imperfect administration, and this is the other safety and security argument we have received from entrenched supporters of Windows and Linux.
    
    
The argument runs: if the 24/7 online computer users had a good administrator and the computers were configured as per the text book settings, with alpha, beta, gamma etc. ports off and A, B, C etc. services and processes killed, there would have been no successful breaches or downtime. How does this argument square with what comes out of the box by way of default settings, without appropriate patches and service packs? Most organisations may not be able to employ a superior, and therefore expensive, administrator, who may in any case not be available in their local community. That community is now on the internet all the time through broadband connections and therefore has a moderately high global digital risk profile, with new threats arising every hour of every day.
    
The one-year reliability of a quality modern appliance, telephone dial tone, or electricity, gas or water utility supply is much greater than that of most computers connected to a 24/7 online environment over the same period. As our study has shown, the pain is greater for home users and small enterprises without adequate resources, less for medium size enterprises, and minimal for large enterprises with huge resources available on demand. [See previous news alert for statistics.]
    
Does one need an electric kettle administrator to ensure that the water on the boil will not burst the kettle because the electricity voltage tends to fluctuate a little? In the near future, computing users will demand that the classical vendor centric safety and security approach, which is outmoded, be replaced by user-centric concerns which are relativistic and play out over longer time frames. The relativistic safety approach is not absolute over a frozen time window snapshot, in which every computer test has been designed to produce a smile for the camera and deliver a perfect yet "contrary to common sense" picture postcard that aims to move more product and does not begin to address user concerns.
    
"In simple terms, all we are saying is that the probability of getting manually hacked for real, over one year, in the world in which imperfect computers and malicious humans exist is greater for Linux than Windows and lowest for Mac OS X and BSD. On the other hand, if the threat is from malware then it is a big concern primarily for Windows users and not other computing environments at this stage. The study included well configured working machines, badly configured working machines and everything else in between. The sample consisted of 24/7 online machines installed in real life within homes, small, medium and large organisations over a 12 month period, forget artificially created vendor-sponsored laboratory setups," said DK Matai, Executive Chairman, mi2g.
    
    "The vendors boil down safety to perception, huge marketing effort and 
    benchmark comparisons that deliver perfect security if it is a sunny day on 
    the internet, every day, all through the year. All safety is relative outside 
    a perfect environment such as a laboratory. There is no such thing as 100% 
    safety or security because there is normally no risk profile at 0% where productivity 
    is involved over time, which in turn requires being connected and communicating 
    with others. Maximising 'opportunity to sell' product is the vendor rationale 
    for a move to greater safety and security that delivers growth in market share 
    whilst ignoring the consequences of a rising magnitude of threats as well. 
    This in essence is the classical approach to computing safety." 
    
    "On the other hand, the users want to save time over their working lives, 
    minimise risk and multiply productivity by having as low a downtime of their 
    computing resources as possible. They are happy with an Apple Mac or BSD platform 
    if it means that they can do their work and worry less about mass malware 
    attacks or hacker breaches. Small market share does not concern the users 
    if the product will deliver standard, compatible applications and services 
    reliably. For the users, the total cost of ownership argument is about zero 
    headaches. Linux, for example, may have a low entry fee but what about the 
    headaches afterwards that have come from unbudgeted costs associated with 
    the higher number of hacker attacks, substantial learning curve, user training 
    and administration." 
    
    "This is the relativistic approach and it is based on thinking long term 
    for customer satisfaction and not in terms of quarterly profits that first 
    deliver short term gain by pushing product out and then long term pain for 
    both the vendors and the users. The computing community will eventually demand 
    vendors to deliver product with near 100% uptime, without the requirement 
    for very skilled intervention." 
    
    "For the moment, however imperfect, the safest option based on our recent 
    study over 12 months, is either Apple Mac OS X or BSD. This choice could reduce 
    the chances of being attacked and provide high continuous uptime without huge 
    additional cost burdens over time."
    
    [ENDS]
  
Related Articles:
17th November 2004 - Full compendium of mi2g speeches released on web
12th November 2004 - Exclusive interview of DK Matai with Linux/Security Pipeline
12th November 2004 - Deep study: The ongoing Linux Attacks fallout
6th November 2004 - Experts challenge mi2g security study: mi2g response
2nd November 2004 - Deep study: The world's safest computing environment
24th March 2004 - Five solutions to the rising identity theft and malware problem
2nd March 2004 - Disturbing the sanctity of the Linux Church
19th February 2004 - The World's safest Operating System
  
Coverage:
Information Security News: mi2g defends its Linux claims - Insecure.org
mi2g defends its Linux claims - Virus.org
mi2g defends its Linux claims - The Inquirer
Interviews: DK Matai with Linux/Security Pipeline - Linuxtimes.net
Exclusive interview of DK Matai with Linux/Security Pipeline - LinuxSecurity.com
Exclusive interview of DK Matai with Linux/Security Pipeline - eBCVG IT Security
Apple's Mac OS X is much more secure than Linux or Windows - MacDailyNews
Furore over OS security survey - ITWeb
Sloppy Sysadmins Leave Linux Security Lacking - InternetWeek.com
Sloppy Sysadmins Leave Linux Security Lacking - CRN
Sloppy Admins Leave Linux Vulnerable To Security Breaches - Information Week
Linux is 'most breached' OS on the Net, security research firm says - ARNnet
Linux is 'most breached' OS on the Net, security research firm says - LinuxWorld
Linux is 'most breached' OS on the Net, security research firm says - ComputerWorld
Security company defends Linux-is-vulnerable survey - HNS
The world's safest computing environment - TechCentral
mi2g response: Experts challenge mi2g security study - eBCVG IT Security
PC Pro: Security Company Defends Linux-is-Vulnerable Survey - linux today
Study: Linux Is Least Secure OS - WindowsITPro
Linux Most Breached OS, Says New Report - CXO Today
Survey: Mac OS X most secure, Linux least - ITWeb
Mac OS X, BSD Unix top security survey - Neowin.net
Mac OS X, BSD Unix top security survey - Computer World
Study: OS X World's Safest OS From Security Attacks - MacNewsWorld
Study Recommends Mac OS X as Safest OS - Slashdot
Mac OS X, BSD Unix top security survey - MacCentral
Security: Mac OS X Good, Linux Bad - eBCVG IT Security
Study: Apple's Mac OS X 'world's safest and most secure' operating system - MacDailyNews
Study: OS X World's Safest OS From Security Attacks - the Mac Observer
The world's safest computing environment - eBCVG IT Security
Mac OS X - 'world's safest' - Macworld Daily News
The world's safest computing environment - TechCentral
  
  
mi2g is at the leading edge of building secure on-line banking, broking and trading architectures. The principal applications of our technology are:

1. D2-Banking;
2. Digital Risk Management; and
3. Bespoke Security Architecture.
  
  
mi2g pioneers enterprise-wide security practices and technology to save time and cut cost. We enhance comparative advantage within financial services and government agencies. Our real time intelligence is deployed worldwide for contingency capability, executive decision making and strategic threat assessment.
  
  
mi2g Research Methodology: The Frequently Asked Questions (FAQ) List is available from here in pdf. Please note the terms and conditions of use listed on www.mi2g.net.

Full details of the October 2004 report are available as of 1st November 2004 and can be ordered from here. (To view a contents sample, please click here.)