Deep study: Full transcript of
Exclusive interview of DK Matai with Linux/Security Pipeline
London, UK - 12 November 2004, 14:15 GMT
[This exclusive interview with Mitch Wagner and Tom Dunlap at Security Pipeline
in California succeeded the mi2g Intelligence Unit's response to Matthew
McKenzie and Scott Finnie on 6th November
to the Linux Pipeline article "Experts Challenge mi2g security
study" authored by Tom Dunlap and published on 5th
November. The resultant article was published on 12th
November by Security Pipeline.]
Q. Would it be accurate to say this: Despite the current wave of viruses and
other malware specific to Windows, mi2g's finding is that Windows is
more secure - when configured correctly - than Linux? And Apple and BSD more
secure than both of them?
A. In the real world environment, after having analysed more than 235,000
manual hacker attack breaches across homes, SMEs and large organisations,
mi2g concludes that:
The Linux users are not configuring their machines correctly and as a result
their platforms are breached more often than Windows and BSD. In specific,
they are not downloading appropriate patches; are confused by the myriad number
of distributions and associated directives; and appear to have a low number
of highly trained administrators who know what they are doing. Many upgrades
and critical patches are denied to certain Linux distribution users because
they are running a free copy and have not paid for the Linux maintenance now
being imposed by Linux vendors.
When configured correctly, Linux is more than capable of defending the large
majority of manual hacker attacks. mi2g's confidence in Linux is well
known and we run Linux on a number of mission critical platforms across our
organisation but pay a lot of attention to administration issues and patching,
which may not be obvious to the casual user.
Q. mi2g appears to believe that the virus and other malware attacks
specific to Windows do damage for two reasons: (1) Windows is the most popular
platform by far, making it a target of opportunity. And (2) Most users don't
configure Windows software correctly. Is that correct?
It is true that most malware writers are opportunistic and target Windows
because it accounts for a very large percentage of the global market share
thereby giving their creation a greater chance of achieving its intended malevolence.
Most user may not have the latest Microsoft Windows patches downloaded, although
even that risk profile is changing in favour of Microsoft as that software
vendor spends more time and effort in educating their customer base.
The number of instances of Microsoft Windows machines being configured incorrectly
is much less than the number of Linux machines we have found that have key
ports open etc.
Q. We're still not clear on the central virus question, which is: How can
mi2g, on the one hand, acknowledge all the damage caused by viruses,
worms and other malware and, on the other hand, declare Linux - which is not
susceptible to these attacks - to be more vulnerable than Windows?
A. As a specialist organisation with expertise in digital risk mi2g
have studied the various forms of those risks very carefully over the last
eight years. We have noted that digital risk manifests itself in six ways:
overt hacker attacks; covert hacker attacks; DDoS; malware - virus, worm,
trojan - proliferation; phishing scams and spam.
Spam, phishing scams and DDoS are completely target independent, ie, a system
could be running BSD, Linux or Windows and those types of risk would be manifest
regardless of underlying OS. This is the reason why we have not included those
digital risks in our Deep Study comparative.
Malware attacks are platform specific. They are of enormous significance
to Windows machines and pale into insignificance for Linux and BSD environments
at present when measured from an economic damage perspective. When we examine
malware attacks in detail, the maximum damage is caused by a very small number
of mass spreading viruses and worms that exploit a standard configuration
of Windows plus third party applications and rely on user innocence or naivety
to propagate in many instances. Where user ignorance comes into play and where
the threat is confined to one OS, it becomes difficult to justify making that
the basis for a safety and security study where multiple platforms are being
Overt and covert hacker attacks are, however, very specific and target all
computing environments. They are also sophisticated and have enough complexity
to be modified depending on the platform which they target. In theory, manual
hacker attacks can mimic the outcome of any virus or worm attack on a platform,
so they are a super-set.
This approach of focusing on manual hacker attacks, which do involve the
use of specific trojans, makes for a much more rich and balanced sample set
and study in our judgement.
If Linux or BSD have not had many malware breaches to date, it is more a
case of lack of interest on the part of malware writers to target those platforms,
as opposed to a deep technical reason why no malware can be written against
Linux or BSD systems.
Q. Explain why you treat malware attacks separately from other types of hacks,
DDoS attacks, automatic viruses, etc., when you present your conclusions?
A. Malware attacks are virus, worm and trojan attacks and they have the feature
of being automated or self-propagating. Serious examples of mass malware attacks
are restricted to Windows and do not carry through to Linux, BSD+Mac OS X
or for that matter other non-mainstream Operating Systems. Manual attacks
are much more sophisticated and are ubiquitous regardless of computing environment.
Therefore, this is a more fair criteria because it afflicts all mainstream
operating system platforms.
Q. How do you respond to this Rob Enderle quote: "BSD and Apple are
the least common for general use systems, so you would expect they would be
targeted less. Why try to penetrate a system that doesn't get you where you
want to go?"
BSD and Mac OS X machines are found in very critical deployments as well
and demonstrate highest uptimes in the real world when deployed in a 24/7
permanently online situation. We have a complete news alert dedicated to this
subject, see hyperlink.
Q. It still seems to me that you've been somewhat arbitrary in excluding
platform-specific malware from your study.
A. In the original news alert, the following paragraph deals with malware
The recent global malware epidemics have primarily targeted the Windows
computing environment and have not caused any significant economic damage
to environments running Open Source including Linux, BSD and Mac OS X. When
taking the economic damage from malware into account over the last twelve
months, including the impact of MyDoom, NetSky, SoBig, Klez and Sasser, Windows
has become the most breached computing environment in the world accounting
for most of the productivity losses associated with malware - virus, worm
and trojan - proliferation. This is directly the result of very insignificant
quantities of highly damaging mass-spreading malware being written for other
computing environments like Linux, BSD and Mac OS X.
Had the mi2g Intelligence Unit mixed malware attacks and manual hacker
attacks together in a cumulative count, there would be very strange comparatives
as we would be comparing apples and pears in terms of orders of magnitude
of 1:100 in some cases, 1:1,000 in other cases and 1:10,000 in extreme cases.
For every 1 manual hacker attack, where the target is 100% decapitated there
would be 100, 1,000 or 10,000 malware attacked targets - behaving anomalously
- with mostly 1% to 2% decapitation in terms of business critical services.
This is the dilemma in bringing everything together as you suggest, which
is why we had stated the paragraph above to create the clear separation in
favour of Linux and BSD.
On the other hand, if you still prefer a rough rule-of-thumb approach with
malware and manual hacker attacks conjoined like apples and pears in one basket,
the safest operating system environment would still be BSD + Apple Mac OS
X. Next would be Linux and then it would be MS Windows.
Q. Regarding your quote that "Many flavors of Linux out-of-the-box have
several critical ports left open." Do you have examples of these systems
with critical ports left open?
A. The most popular Linux distributions like RedHat and Mandrake can rely
on external programs, such as BastilleLinux, to achieve better security and
this is not a well known fact to the average user. Since many Linux vendors
have begun launching out-of-the-box workstations and network server installations,
those vendors have not introduced the concept of the security level as most
of them are concerned that it will affect their user numbers and rapid adoption.
This results in many insecure file permissions and unnecessary ports being
left open in default installation mode.
Some distributions have gone even further to attract users from Windows environment.
For example, Linux Mandrake has included one option to allow users to boot
their Linux systems directly into their desktop without authentication, and
it mimics the behaviour of Windows when its user login option is disabled.
Some distributions have completely abandoned the design principles of Linux
as a multi-user operating system and use root privilege for users' daily system
operation by default and it is a very major security risk to run a computing
environment in administrator mode all the time.
Q. If Linux has so many security problems, why is mi2g running it?
A. We have a commitment to Open Source at mi2g and run many flavours
of Linux, three flavours of BSD as well as Apache, MySQL and PHP to fulfil
our design, engineering, intelligence gathering and dissemination requirements.
We find Open Source is flexible, cost effective and extremely reliable beyond
the initial steep learning curve which proved to be expensive in terms of
time and money and lasted two years.
Q. What else do you want to say? What should we ask you?
A. We would like to say more about the role of administration in determining
the safety and security of different computing environments. Some clear points
are made in this news alert, see hyperlink below (Note paragraphs 2 and 3
in particular and the whole article is worth reading as a background): http://www.mi2g.net/cgi/mi2g/press/020304_2.php
Other comments given by DK Matai
directly to the original
article (in blue Italics) in Linux Pipeline:
"The report really did everyone a disservice by not pointing out that
viruses are the main problem," Perens said.
When did we not point out the issue of viruses, which we group under malware?
We counted them separately and quote directly from the "Deep Study"
The last twelve months have witnessed the deadliest annual period in terms
of malware - virus, worm and trojan - proliferation targeting Windows based
machines in which over 200 countries and tens of millions of computers worldwide
have been infected month-in month-out. ...Global proliferation data from over
459 malware species since the start of 2004 has also been analysed.
"When someone studies a restricted subset of the problem and by looking
at that restricted subset makes the conclusion come out the opposite of what
it would otherwise be, we have to question the motivation behind the study."
Malware attacks are not very adaptive or intelligent on-the-fly. They are
always the same and work best within clone environments - same OS and application
suites. We wanted to look at the morphing threat where more sophisticated
problems may arise as a direct result of complex attacks, which are for the
moment manual and heading towards being automated.
Perens also noted that with the rise of Linux, the growing number of negative
reports and comments about the open-source operating system shouldn't come
as a surprise. "When you're on top, you're going to get hit more,"
We have been extremely positive about Linux in the malware department. Who
is really on top in market share terms? Linux or Windows?
Rob Enderle, principal analyst with the Enderle Group, also saw many problems
with the mi2g study. The firm's methodologies have been questioned
before on other studies.
Yes, and where accurate we have taken that bout of criticism on the chin and
dealt with it. Previously, the mi2g data for one month was considered
to be too small a sample and not representative of the global environment
within which different types of entities - micro, small, medium and large
- exist. We have addressed those concerns in the new study. The critics were
against the previous study which also came out in favour of Apple and BSD,
because the entrenched supporters of Linux and Windows felt that mi2g
was guilty of 'computing blasphemy'. In subsequent months, mi2g's reputation
was damaged on search engines and bulletin boards where Mr Enderle is getting
his thoughts from. We would urge caution when reading negative commentary
against mi2g, which may have been clandestinely funded, aided or abetted
by a vendor or a special interest group.
Enderle said: "They tend to do a lot of things that seem to be targeted
at being media events and are not considered to be particularly credible as
a result . . . they are trying to make headlines, and my guess is they were
Not true; we are trying to put forward the user perspective on different computing
environments. The press coverage of security tests and safety reports appears
to be by and large vendor centric and market share orientated. We disagree
with that classical approach. We prefer a relativistic approach to computing
safety and security.
"In addition, BSD in particular is generally used by groups that have
a very high percentage of highly competent professionals, so it tends to be
deployed in ways that are inherently more secure," Enderle stated. "What
concerns me the most about this though is the omission of Unix, which is prevalent
and should have numbers that fall between the two distinct groups.
Elimination of UNIX in the mi2g study? Not so... BSD and Linux are
both mainstream *NIX.
The . . . conclusion may simply be that widely deployed systems used by large
numbers of poorly trained people are inherently insecure," Enderle continued.
"[mi2g's] conclusion that these results are based on the platforms
alone is questionable, because they have not normalized the populations based
on skills and usage."
We do not feel that the normalisation argument is fair because we have gone
and looked at real life computer breaches of machines connected on a 24/7
basis across micro, small, medium and large organisations. Does a normalised
demographic or sex group perform better at administration?
The real conclusion is that different distributions of Linux and unclear methodologies
for applying patches and security regimes have been behind the high number
of Linux breaches. Many flavours of Linux out-of-the-box have several critical
ports left open.
Bruce Schneier, CTO of Counterpane Internet Security, had not yet studied
the report, but said the conclusions "certainly sound suspicious."
Why so? It should not be a big surprise or be suspicious. The BSD OS has been
developed slowly and carefully. All code additions are carefully scrutinised
by a committee of developers before being committed into the main tree. Linux
development has become increasingly chaotic because there are too many distributions
vying for market share. Linux advocates often mention the "many eyes"
of open source and yet they do not appear to have sufficient levels of peer
code review. Open BSD is one of the most secure BSDs and is used in many high-end
network routers/switches which come under constant attack because they are
on the frontline of any organisation.
mi2g appeared to anticipate criticism of its study. "We would
urge caution when reading negative commentary against mi2g, which may
have been clandestinely funded, aided or abetted by a vendor or a special
interest group," it said in a press release publicizing the study.
Yes, we did.
17th November 2004 - Full compendium
of mi2g speeches released on web
12th November 2004 - Deep study: The ongoing Linux Attacks
6th November 2004 - Experts challenge mi2g security
study: mi2g response
5th November 2004 - The relativistic approach to safety
- uptime versus market share
2nd November 2004 - Deep study: The world's safest computing
24th March 2004 - Five solutions to the rising identity
theft and malware problem
2nd March 2004 - Disturbing the sanctity of the Linux
19th February 2004 - The World's safest Operating
Security News: mi2g defends its Linux claims - Insecure.org
defends its Linux claims - Virus.org
its Linux claims - The Inquirer
DK Matai with Linux/Security Pipeline - Linuxtimes.net
interview of DK Matai with Linux/Security Pipeline - LinuxSecurity.com
interview of DK Matai with Linux/Security Pipeline - eBCVG IT Security
Mac OS X is much more secure than Linux or Windows - MacDailyNews
over OS security survey - ITWeb
Sysadmins Leave Linux Security Lacking - InternetWeek.com
Sysadmins Leave Linux Security Lacking - CRN
Admins Leave Linux Vulnerable To Security Breaches - Information Week
is 'most breached' OS on the Net, security research firm says - ARNnet
is 'most breached' OS on the Net, security research firm says - LinuxWorld
is 'most breached' OS on the Net, security research firm says - ComputerWorld
company defends Linux-is-vulnerable survey - HNS
worlds safest computing environment - TechCentral
Experts challenge mi2g security study - eBCVG IT Security
Pro: Security Company Defends Linux-is-Vulnerable Survey - linux today
Linux Is Least Secure OS - WindowsITPro
Most Breached OS, Says New Report - CXO Today
Mac OS X most secure, Linux least - ITWeb
OS X, BSD Unix top security survey - Neowin.net
OS X, BSD Unix top security survey - Computer World
OS X World's Safest OS From Security Attacks - MacNewsWorld
Recommends Mac OS X as Safest OS - Slashdot
OS X, BSD Unix top security survey - MacCentral
Mac OS X Good, Linux Bad - eBCVG IT Security
Apple's Mac OS X 'world's safest and most secure' operating system - MacDailyNews
OS X World's Safest OS From Security Attacks - the Mac Observer
safest computing environment - eBCVG IT Security
OS X - 'world's safest' - Macworld Daily News
world's safest computing environment - TechCentral
is at the leading edge of building secure on-line banking, broking
and trading architectures. The principal applications of our technology are:
2. Digital Risk Management
3. Bespoke Security Architecture
pioneers enterprise-wide security practices and technology to save
time and cut cost. We enhance comparative advantage within financial services
and government agencies. Our real time intelligence is deployed worldwide for
contingency capability, executive decision making and strategic threat assessment.
Research Methodology: The Frequently Asked Questions (FAQ) List
is available from here
in pdf. Please
note terms and conditions
of use listed on www.mi2g.net
Full details of the October 2004 report are available as of 1st November
2004 and can be ordered from here.
(To view contents sample please click here).