BSD and Mac OS X declared the world's safest operating systems

MacWorld ^ | February 20, 2004 | Jonny Evans

[HAL9000]

Apple's Mac OS X has been declared one of the world's safest operating systems by London-based security experts, mi2g.

The security firm's Intelligence Unit has run a comparitive study of the variety of operating systems available today. It states: "The world's safest and most secure online server Operating System (OS) is proving to be the Open Source family of BSD (Berkley Software Distribution) and Mac OS X based on Darwin."

It's also claimed that Linux has become the most breached online server OS in the government and non-government spheres for the first time, while the number of successful hacker attacks against Windows-based servers have fallen for the last ten months.

To arrive at its conclusions, mi2g analysed 17.074 successful digital attacks against servers and networks. It states: "With Linux accounting for 13,654 breaches, Windows for 2,005 breaches followed by BSD and Mac OS X with 555 breaches worldwide in January 2004."

The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers.

"For the first time, the number of recorded breaches against government servers running BSD or Mac OS X worldwide fell to zero in January 2004," the analyst said.

Company executive chairman DK Matai said: "The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers. Migration to Open Source can be fool's gold without adequate training and understanding of the impact that third party applications have on overall safety and security."

While offering Windows Server administrators some credit for seeing off many of the attacks, Matai reserved the real praise for Apple and BSD: "The real credit has to go to the developers and administrators of BSD and Mac OS X for maintaining such an excellent track record of the lowest number of breaches," he said.

[HAL9000]

The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers.

If viruses, worms and spyware are taken into account, Windows would easily surpass Linux as the most unsafe operating system.

[jscd3]

"The real credit has to go to the developers and administrators of BSD and Mac OS X for maintaining such an excellent track record of the lowest number of breaches,"

Not to mention the lowest number of users - think that these may be related?

Not that I don't enjoy a good Microsoft bash (include me on any list of people who reject the idea of an OS passing program and installation info back to the source company, or hate programs requiring remote registration in order to function), but the fact that Windows is so vastly and disproportionately the OS found on machines around the world probably influences what OS hackers and virus authors target.

[philetus]

But viruses, worms and spyware are very easy and free to protect against.

[MD_Willington_1976]

Yeah but how large is the market segment for BSD and Mac OS X...

Not trying to start any crap here, but most people I know, and most of the 600+ computers here at work are Wintel systems...6 sunspark machines that I know of and 4 are busted...The only power PC processors we use are in our peripheral cards we use for ethernet comms...

Later

MD

[chance33_98]

To arrive at its conclusions, mi2g analysed 17.074 successful digital attacks against servers and networks. It states: "With Linux accounting for 13,654 breaches, Windows for 2,005 breaches followed by BSD and Mac OS X with 555 breaches worldwide in January 2004."

What I am not seeing is how many of those systems exist out there for the attempts to occur in the first place. If there are only a 1,000 Mac OS X boxes that would mean over half had successful attempts (nothing against macs mind you, or bsd in general).

The more popular a system becomes the more people will use it and hack it, my main focus has been on solaris, redhat, and windows. There is nothing on the mac I want to bother hacking it in the first place ;)

Wouldn't mind a mac to round out my stuff (aix and hp-ux boxes are are almost ready at home, and soon suse and debian). The best computer is the one you use the most and get the most done with, the one you like.

[chance33_98]

I would recommend 'Security Warriors' for those wanting to have some fun with their systems. Very Enlightening book on hacking (and it certainly behooves one to know assembly language before taking on such endeavors, but this book gives a decent overview for those who don't or need a refresher).

[HAL9000]

If there are only a 1,000 Mac OS X boxes that would mean over half had successful attempts (nothing against macs mind you, or bsd in general).

The number of Mac OS X boxes is currently about 10 million.

[Liberal Classic]

The world's safest computer is the Commodore 64 sitting in my closet under a stack of Byte magazines.

[chance33_98]

To arrive at its conclusions, mi2g analysed 17.074 successful digital attacks against servers and networks.

Are those users (the 10 million)? This is referring to servers and networks in general (which is a tad vague - does this include home systems, do they mean networks run by those servers or networks which happen to have those servers on them, etc).

I run a data center with 1000 servers of various flavors, our defenses run from cisco to system software and so forth. Not trying to bash mac here - just saying that there are a huge number of variables (such as personal firewalls running and so forth) which aren't mentioned in the article. To me the best tests might be to have a hacker tournament with one of each online, with all the patches and such, and see how many different ways they can get into it.

I guess I am looking for too many specifics and it dosen't seem like a well controlled tests (and mac might be safest, which is cool too, would just like more information on things all around).

[Who dat?]

The number of Mac OS X boxes is currently about 10 million.

And nobody knows how many BSD boxes. Can only guess. Not too many in the U.S. but tons in Europe, Asia… all over.

There once was an ISP called Best.com in San Jose or somewhere. They were 100% BSD. Then they switched to (I’m thinking Sparc mini’s but that might not be right) and nearly went under. I think someone bought them shortly thereafter.

CDROM.com used to have the (supposedly) busiest ftp server in the world and it was a tweaked BSD box… don’t know whatever happened to them though…

I know nothing about OS X and haven’t followed BSD for years, but I remember at one time there was quite a bit of excitement among the developers concerning an Apple/BSD cross-development deal or partnership of some sort…

Then again, these are the same guys that have old Amigas sitting around for Video Toaster-ing projects or whatever they do…

[Britton J Wingfield]

You too, eh?

[Billthedrill]

Dang it, you beat me to it. So, has anyone ever heard of a virus affecting a CP/M machine?

I thought not.

[Doug Loss]

mi2g is not to be respected in any analysis they do. They have definite axes to grind. Take a look at this report and the user comments to see some reasoned critiques of their methods. For what it's worth, if they were serious in their analysis, the safest operating system would undoubtedly be IBM's OS390 or Unisys's OS1100 or some other mainframe OS.

[gregwest]

Having worked in military intelligence and information warfare, one of the things you take into account is the value of the information you're protecting. If the Mac OS is the least frequently breached, it's probably indicative that crackers assume there will be less valuable data to be accessed.

I agree, the number of systems penetrated alone isn't a good criteria. You have to look at the number of attempts and the amount of time spent trying to gain access. When it comes to cost/benefit analysis for security, you only need to secure some information until it is no longer valuable. For example, military weather info, ocean temperature charts, etc. might only require protection for so many days. Keys, codes, ciphers, intel sources, etc. require extensive (and expensive) security measures.

There is so much focus placed on securing networks that few people ever consider things like telephone security or properly disposing of waste. It doesn't do any good to secure the data on the network and then have someone transmit by it by voice over a Nextel or just a regular phone.

Anyway, the short story is that the OS is not the full consideration when it comes to security. Good security has many layers, the most critical of which is user training and good day-to-day security practices.

Greg West

[HAL9000]

For what it's worth, if they were serious in their analysis, the safest operating system would undoubtedly be IBM's OS390 or Unisys's OS1100 or some other mainframe OS.

It's possible to trash an IBM mainframe operating system (e.g. "Invalid PSW"). It's an interesting experience to watch a data center suddenly drop dead.

[Golden Eagle]

Congrats to Apple. Here's a report that shows their profits up significantly as well:

http://www.macminute.com/2004/02/19/profits

Hopefully they can hold off the threat that Linux poses to their market, but this article says Apple could now be running 3rd in worldwide desktop use.

http://biz.yahoo.com/bizwk/040213/b3871118mz063_1.html

If true the security mantle could be something that Apple holds for an extremely long time, as obscurity is certainly a significant element of security, although obviously only one piece.

[Golden Eagle]

For what it's worth, if they were serious in their analysis, the safest operating system would undoubtedly be IBM's OS390 or Unisys's OS1100 or some other mainframe OS.

Agreed including UNICOS and others. However this is still a reasonable argument for Apple in light of market size, user base, etc.

[Golden Eagle]

Anyway, the short story is that the OS is not the full consideration when it comes to security. Good security has many layers, the most critical of which is user training and good day-to-day security practices.

Good post. Also important to remember never to underestimate the hackers, since you have absolutely no idea who they may be and what their ultimate motives are. You simply do your very best, knowing that complete security is never an end state, but rather an eternal goal. goal.

[Bush2000]

Apple's Mac OS X has been declared one of the world's safest operating systems by London-based security experts, mi2g.

Unfortunately for you, these same guys also said that Linux is More Vulnerable Than Windows

[justlurking]

Unfortunately for you, these same guys also said that Linux is More Vulnerable Than Windows.

I think this is a problem worth investigating further. In particular, I'd ask:

1. Why was it limited to overt attacks (i.e. port scans and the like)? From the article: The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers.. I'm also curious exactly what consistitutes a "direct digital attach". Would "CodeRed" and "(SQL) Slammer" and the DCOM vulnerability meet that criteria? If so, those are still running around in the wild, and I've probably personally logged those attacks from more than 2005 unique hosts.

2. What's the sample size for each type of system, and what's the unit of measurement? Linux is widely used for hosting sites, as it has the capability for splitting a physical host into multiple virtual hosts. (this is beyond the simple web server configuration: many Linux hosting provider actually provide multiple complete environments, with root access to each) on a single server. The classification of systems (i.e. OS type and partitioning) could have a significant effect on the population. Anti-gun advocates have repeatedly used this form of statistical manipulation.

Excerpts of the full report are at: http://www.mi2g.net/cgi/mi2g/frameset.php?pageid=http%3A//www.mi2g.net/cgi/mi2g/press/190204_2.php. However, it is £881.25 (what's that in dollars, at the prevailing exchange rate?). Hopefully, someone will order the report and publish a more thorough analysis.

Personally, I've found that many hosting companies are not keeping their shared (virtual host) Linux system. Subscribers cannot easily keep their systems up to date on their own, if at all. I currently have this problem with a site that I administrate for my employer, and have been searching for a better solution. Meanwhile, I chose the distribution for my personal server because it was easy to keep it up to date.