Deep study: Full transcript of
Exclusive interview of DK Matai with Linux/Security Pipeline


London, UK - 12 November 2004, 14:15 GMT

[This exclusive interview with Mitch Wagner and Tom Dunlap at Security Pipeline in California succeeded the mi2g Intelligence Unit's response to Matthew McKenzie and Scott Finnie on 6th November to the Linux Pipeline article "Experts Challenge mi2g security study" authored by Tom Dunlap and published on 5th November. The resultant article was published on 12th November by Security Pipeline.]

Q. Would it be accurate to say this: Despite the current wave of viruses and other malware specific to Windows, mi2g's finding is that Windows is more secure - when configured correctly - than Linux? And Apple and BSD more secure than both of them?

A. In the real world environment, after having analysed more than 235,000 manual hacker attack breaches across homes, SMEs and large organisations, mi2g concludes that:

The Linux users are not configuring their machines correctly and as a result their platforms are breached more often than Windows and BSD. Specifically, they are not downloading appropriate patches; are confused by the myriad distributions and associated directives; and appear to have a low number of highly trained administrators who know what they are doing. Many upgrades and critical patches are denied to certain Linux distribution users because they are running a free copy and have not paid for the Linux maintenance now being imposed by Linux vendors.

When configured correctly, Linux is more than capable of defending the large majority of manual hacker attacks. mi2g's confidence in Linux is well known and we run Linux on a number of mission critical platforms across our organisation but pay a lot of attention to administration issues and patching, which may not be obvious to the casual user.

Q. mi2g appears to believe that the virus and other malware attacks specific to Windows do damage for two reasons: (1) Windows is the most popular platform by far, making it a target of opportunity. And (2) Most users don't configure Windows software correctly. Is that correct?

A. It is true that most malware writers are opportunistic and target Windows because it accounts for a very large percentage of the global market share, thereby giving their creation a greater chance of achieving its intended malevolence.

Most users may not have the latest Microsoft Windows patches downloaded, although even that risk profile is changing in favour of Microsoft as that software vendor spends more time and effort in educating their customer base.

The number of instances of Microsoft Windows machines being configured incorrectly is much less than the number of Linux machines we have found that have key ports open etc.

Q. We're still not clear on the central virus question, which is: How can mi2g, on the one hand, acknowledge all the damage caused by viruses, worms and other malware and, on the other hand, declare Linux - which is not susceptible to these attacks - to be more vulnerable than Windows?

A. As a specialist organisation with expertise in digital risk mi2g have studied the various forms of those risks very carefully over the last eight years. We have noted that digital risk manifests itself in six ways: overt hacker attacks; covert hacker attacks; DDoS; malware - virus, worm, trojan - proliferation; phishing scams and spam.

Spam, phishing scams and DDoS are completely target independent, i.e., a system could be running BSD, Linux or Windows and those types of risk would be manifest regardless of underlying OS. This is the reason why we have not included those digital risks in our Deep Study comparative.

Malware attacks are platform specific. They are of enormous significance to Windows machines and pale into insignificance for Linux and BSD environments at present when measured from an economic damage perspective. When we examine malware attacks in detail, the maximum damage is caused by a very small number of mass spreading viruses and worms that exploit a standard configuration of Windows plus third party applications and rely on user innocence or naivety to propagate in many instances. Where user ignorance comes into play and where the threat is confined to one OS, it becomes difficult to justify making that the basis for a safety and security study where multiple platforms are being observed.

Overt and covert hacker attacks are, however, very specific and target all computing environments. They are also sophisticated and have enough complexity to be modified depending on the platform which they target. In theory, manual hacker attacks can mimic the outcome of any virus or worm attack on a platform, so they are a superset.

This approach of focusing on manual hacker attacks, which do involve the use of specific trojans, makes for a much richer and more balanced sample set and study in our judgement.

If Linux or BSD have not had many malware breaches to date, it is more a case of lack of interest on the part of malware writers to target those platforms, as opposed to a deep technical reason why no malware can be written against Linux or BSD systems.

Q. Explain why you treat malware attacks separately from other types of hacks, DDoS attacks, automatic viruses, etc., when you present your conclusions?

A. Malware attacks are virus, worm and trojan attacks and they have the feature of being automated or self-propagating. Serious examples of mass malware attacks are restricted to Windows and do not carry through to Linux, BSD+Mac OS X or for that matter other non-mainstream Operating Systems. Manual attacks are much more sophisticated and are ubiquitous regardless of computing environment. Therefore, this is a fairer criterion because it afflicts all mainstream operating system platforms.

Q. How do you respond to this Rob Enderle quote: "BSD and Apple are the least common for general use systems, so you would expect they would be targeted less. Why try to penetrate a system that doesn't get you where you want to go?"

A. BSD and Mac OS X machines are found in very critical deployments as well and demonstrate the highest uptimes in the real world when deployed in a 24/7 permanently online situation. We have a complete news alert dedicated to this subject, see hyperlink.

Q. It still seems to me that you've been somewhat arbitrary in excluding platform-specific malware from your study.

A. In the original news alert, the following paragraph deals with malware affliction specifically:

Malware proliferation

The recent global malware epidemics have primarily targeted the Windows computing environment and have not caused any significant economic damage to environments running Open Source including Linux, BSD and Mac OS X. When taking the economic damage from malware into account over the last twelve months, including the impact of MyDoom, NetSky, SoBig, Klez and Sasser, Windows has become the most breached computing environment in the world accounting for most of the productivity losses associated with malware - virus, worm and trojan - proliferation. This is directly the result of very insignificant quantities of highly damaging mass-spreading malware being written for other computing environments like Linux, BSD and Mac OS X.

Had the mi2g Intelligence Unit mixed malware attacks and manual hacker attacks together in a cumulative count, there would be very strange comparatives as we would be comparing apples and pears in terms of orders of magnitude of 1:100 in some cases, 1:1,000 in other cases and 1:10,000 in extreme cases. For every 1 manual hacker attack, where the target is 100% decapitated there would be 100, 1,000 or 10,000 malware attacked targets - behaving anomalously - with mostly 1% to 2% decapitation in terms of business critical services.

This is the dilemma in bringing everything together as you suggest, which is why we had stated the paragraph above to create the clear separation in favour of Linux and BSD.

On the other hand, if you still prefer a rough rule-of-thumb approach with malware and manual hacker attacks conjoined like apples and pears in one basket, the safest operating system environment would still be BSD + Apple Mac OS X. Next would be Linux and then it would be MS Windows.

Q. Regarding your quote that "Many flavors of Linux out-of-the-box have several critical ports left open." Do you have examples of these systems with critical ports left open?

A. The most popular Linux distributions like Red Hat and Mandrake can rely on external programs, such as Bastille Linux, to achieve better security, and this is not a well known fact to the average user. Since many Linux vendors have begun launching out-of-the-box workstations and network server installations, those vendors have not introduced the concept of the security level, as most of them are concerned that it will affect their user numbers and rapid adoption. This results in many insecure file permissions and unnecessary ports being left open in default installation mode.

Some distributions have gone even further to attract users from the Windows environment. For example, Linux Mandrake has included an option to allow users to boot their Linux systems directly into their desktop without authentication, which mimics the behaviour of Windows when its user login option is disabled.

Some distributions have completely abandoned the design principles of Linux as a multi-user operating system and use root privilege for users' daily system operation by default; it is a very major security risk to run a computing environment in administrator mode all the time.
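As an added example (not code from the interview, from mi2g or from any distribution), the POSIX shell audit below checks a Linux host for the three default-install concerns raised in this answer: TCP ports left listening (parsed from /proc/net/tcp, with a constructed sample table), world-writable files, and daily work being done as root. Assumptions are a Linux /proc layout and a portable awk; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: audit the three default-install concerns above (listening
# ports, insecure file permissions, daily use of root). Assumes Linux /proc.

# Print listening TCP ports (state 0A = LISTEN) from /proc/net/tcp-format input
# on stdin, one decimal port per line, sorted and de-duplicated. Ports in that
# file are hexadecimal, so the awk converts them by hand (portable awk only).
listening_tcp_ports() {
  awk 'NR > 1 && $4 == "0A" {
    split($2, a, ":"); h = toupper(a[2]); n = 0
    for (i = 1; i <= length(h); i++)
      n = n * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
    print n
  }' | sort -n -u
}

# Constructed /proc/net/tcp sample (not captured from a real machine): sshd,
# httpd, rpcbind and mysqld listening, plus one ESTABLISHED ssh session (state
# 01) that must not be reported.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0016 0200007F:C3A4 01 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 100 0 0 10 0
EOF
}

# World-writable regular files under a directory (the "insecure file
# permissions" point); -xdev keeps the scan on one filesystem.
world_writable_files() {
  find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Exit 0 when the given numeric uid is root, i.e. daily work is being done in
# administrator mode.
uid_is_root() {
  [ "$1" -eq 0 ]
}

# Run the three checks against the live host.
run_audit() {
  echo "Listening TCP ports:"
  [ -r /proc/net/tcp ] && listening_tcp_ports </proc/net/tcp
  echo "World-writable files under /etc:"
  world_writable_files /etc
  if uid_is_root "$(id -u)"; then
    echo "WARNING: running as root; use an unprivileged account for daily work"
  fi
}

# Only touch the live host when explicitly asked: AUDIT_RUN=1 sh audit.sh
if [ -n "${AUDIT_RUN-}" ]; then run_audit; fi
```

On the constructed sample the port parser reports 22, 80, 111 and 3306 and omits the established session; against a live host, set AUDIT_RUN=1 to run all three checks.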

Q. If Linux has so many security problems, why is mi2g running it?

A. We have a commitment to Open Source at mi2g and run many flavours of Linux, three flavours of BSD as well as Apache, MySQL and PHP to fulfil our design, engineering, intelligence gathering and dissemination requirements. We find Open Source is flexible, cost effective and extremely reliable beyond the initial steep learning curve which proved to be expensive in terms of time and money and lasted two years.

Q. What else do you want to say? What should we ask you?

A. We would like to say more about the role of administration in determining the safety and security of different computing environments. Some clear points are made in this news alert, see hyperlink below (Note paragraphs 2 and 3 in particular and the whole article is worth reading as a background): http://www.mi2g.net/cgi/mi2g/press/020304_2.php

Other comments given by DK Matai directly on the original article in Linux Pipeline (the article's passages, shown there in blue italics, are quoted below, each followed by the mi2g response):

"The report really did everyone a disservice by not pointing out that viruses are the main problem," Perens said.

When did we not point out the issue of viruses, which we group under malware? We counted them separately and quote directly from the "Deep Study" news alert:

The last twelve months have witnessed the deadliest annual period in terms of malware - virus, worm and trojan - proliferation targeting Windows based machines in which over 200 countries and tens of millions of computers worldwide have been infected month-in month-out. ...Global proliferation data from over 459 malware species since the start of 2004 has also been analysed.

"When someone studies a restricted subset of the problem and by looking at that restricted subset makes the conclusion come out the opposite of what it would otherwise be, we have to question the motivation behind the study."

Malware attacks are not very adaptive or intelligent on-the-fly. They are always the same and work best within clone environments - same OS and application suites. We wanted to look at the morphing threat where more sophisticated problems may arise as a direct result of complex attacks, which are for the moment manual and heading towards being automated.

Perens also noted that with the rise of Linux, the growing number of negative reports and comments about the open-source operating system shouldn't come as a surprise. "When you're on top, you're going to get hit more," Perens said.

We have been extremely positive about Linux in the malware department. Who is really on top in market share terms? Linux or Windows?

Rob Enderle, principal analyst with the Enderle Group, also saw many problems with the mi2g study. The firm's methodologies have been questioned before on other studies.

Yes, and where accurate we have taken that bout of criticism on the chin and dealt with it. Previously, the mi2g data for one month was considered to be too small a sample and not representative of the global environment within which different types of entities - micro, small, medium and large - exist. We have addressed those concerns in the new study. The critics were against the previous study which also came out in favour of Apple and BSD, because the entrenched supporters of Linux and Windows felt that mi2g was guilty of 'computing blasphemy'. In subsequent months, mi2g's reputation was damaged on search engines and bulletin boards where Mr Enderle is getting his thoughts from. We would urge caution when reading negative commentary against mi2g, which may have been clandestinely funded, aided or abetted by a vendor or a special interest group.

Enderle said: "They tend to do a lot of things that seem to be targeted at being media events and are not considered to be particularly credible as a result . . . they are trying to make headlines, and my guess is they were successful."

Not true; we are trying to put forward the user perspective on different computing environments. The press coverage of security tests and safety reports appears to be by and large vendor centric and market share orientated. We disagree with that classical approach. We prefer a relativistic approach to computing safety and security.

"In addition, BSD in particular is generally used by groups that have a very high percentage of highly competent professionals, so it tends to be deployed in ways that are inherently more secure," Enderle stated. "What concerns me the most about this though is the omission of Unix, which is prevalent and should have numbers that fall between the two distinct groups."

Elimination of UNIX in the mi2g study? Not so... BSD and Linux are both mainstream *NIX.

"The . . . conclusion may simply be that widely deployed systems used by large numbers of poorly trained people are inherently insecure," Enderle continued. "[mi2g's] conclusion that these results are based on the platforms alone is questionable, because they have not normalized the populations based on skills and usage."

We do not feel that the normalisation argument is fair because we have gone and looked at real life computer breaches of machines connected on a 24/7 basis across micro, small, medium and large organisations. Does a normalised demographic or sex group perform better at administration?

The real conclusion is that different distributions of Linux and unclear methodologies for applying patches and security regimes have been behind the high number of Linux breaches. Many flavours of Linux out-of-the-box have several critical ports left open.

Bruce Schneier, CTO of Counterpane Internet Security, had not yet studied the report, but said the conclusions "certainly sound suspicious."

Why so? It should not be a big surprise or be suspicious. The BSD OS has been developed slowly and carefully. All code additions are carefully scrutinised by a committee of developers before being committed into the main tree. Linux development has become increasingly chaotic because there are too many distributions vying for market share. Linux advocates often mention the "many eyes" of open source and yet they do not appear to have sufficient levels of peer code review. OpenBSD is one of the most secure BSDs and is used in many high-end network routers/switches which come under constant attack because they are on the frontline of any organisation.

mi2g appeared to anticipate criticism of its study. "We would urge caution when reading negative commentary against mi2g, which may have been clandestinely funded, aided or abetted by a vendor or a special interest group," it said in a press release publicizing the study.

Yes, we did.


Related Articles:

17th November 2004 - Full compendium of mi2g speeches released on web
12th November 2004 - Deep study: The ongoing Linux Attacks fallout
6th November 2004 - Experts challenge mi2g security study: mi2g response
5th November 2004 - The relativistic approach to safety - uptime versus market share
2nd November 2004 - Deep study: The world's safest computing environment
24th March 2004 - Five solutions to the rising identity theft and malware problem
2nd March 2004 - Disturbing the sanctity of the Linux Church
19th February 2004 - The World's safest Operating System


Information Security News: mi2g defends its Linux claims - Insecure.org
mi2g defends its Linux claims - Virus.org
mi2g defends its Linux claims - The Inquirer
Interviews: DK Matai with Linux/Security Pipeline - Linuxtimes.net
Exclusive interview of DK Matai with Linux/Security Pipeline - LinuxSecurity.com
Exclusive interview of DK Matai with Linux/Security Pipeline - eBCVG IT Security
Apple's Mac OS X is much more secure than Linux or Windows - MacDailyNews
Furore over OS security survey - ITWeb
Sloppy Sysadmins Leave Linux Security Lacking - InternetWeek.com
Sloppy Sysadmins Leave Linux Security Lacking - CRN
Sloppy Admins Leave Linux Vulnerable To Security Breaches - Information Week
Linux is 'most breached' OS on the Net, security research firm says - ARNnet
Linux is 'most breached' OS on the Net, security research firm says - LinuxWorld
Linux is 'most breached' OS on the Net, security research firm says - ComputerWorld
Security company defends Linux-is-vulnerable survey - HNS
The world’s safest computing environment - TechCentral
mi2g response: Experts challenge mi2g security study - eBCVG IT Security
PC Pro: Security Company Defends Linux-is-Vulnerable Survey - linux today
Study: Linux Is Least Secure OS - WindowsITPro
Linux Most Breached OS, Says New Report - CXO Today
Survey: Mac OS X most secure, Linux least - ITWeb
Mac OS X, BSD Unix top security survey - Neowin.net
Mac OS X, BSD Unix top security survey - Computer World
Study: OS X World's Safest OS From Security Attacks - MacNewsWorld
Study Recommends Mac OS X as Safest OS - Slashdot
Mac OS X, BSD Unix top security survey - MacCentral
Security: Mac OS X Good, Linux Bad - eBCVG IT Security
Study: Apple's Mac OS X 'world's safest and most secure' operating system - MacDailyNews
Study: OS X World's Safest OS From Security Attacks - the Mac Observer
The world's safest computing environment - eBCVG IT Security
Mac OS X - 'world's safest' - Macworld Daily News
The world's safest computing environment - TechCentral

mi2g is at the leading edge of building secure on-line banking, broking and trading architectures. The principal applications of our technology are:

1. D2-Banking;
2. Digital Risk Management; and
3. Bespoke Security Architecture.

mi2g pioneers enterprise-wide security practices and technology to save time and cut cost. We enhance comparative advantage within financial services and government agencies. Our real time intelligence is deployed worldwide for contingency capability, executive decision making and strategic threat assessment.

mi2g Research Methodology: The Frequently Asked Questions (FAQ) List is available from here in pdf. Please note terms and conditions of use listed on www.mi2g.net

Full details of the October 2004 report are available as of 1st November 2004 and can be ordered from here. (To view contents sample please click here).
