Experts Challenge Mi2g Security Study

Linux experts slam a report naming the OS as a favorite hacker target, citing methodology flaws and "suspicious" conclusions.

InformationWeek Staff, Contributor

November 5, 2004

Some Linux experts are questioning a report by British-based mi2g, which calls Linux the "most breached" computing environment worldwide, with Microsoft Windows placing a distant second.

The London-based security firm said its study analyzed more than 235,000 successful attacks against "permanently connected--24/7 online--computers" worldwide between November 2003 and October 2004. According to the study, computers running Linux accounted for about 65 percent of all recorded breaches, while Microsoft Windows-based systems accounted for about 25 percent of such attacks. Successful attacks against OS X and BSD-based online systems accounted for less than five percent of the worldwide total.

Virus Threat Overlooked

But the report has some gaping holes in its methodology, according to noted open source advocate Bruce Perens and others.

"It's pretty ludicrous that they didn't count viruses," Perens said. "Even their own study says that the financial impact of viruses on Windows is tremendously greater than the penetration on Linux."

Explaining his point further, Perens said, "The number of Windows systems penetrated by automatic viruses--rather than manual penetration that this report studies--is tremendously greater. Linux is still more secure, it's just the fact that this report doesn't count automatic viruses."

"The report really did everyone a disservice by not pointing out that viruses are the main problem," Perens said. "When someone studies a restricted subset of the problem and by looking at that restricted subset makes the conclusion come out the opposite of what it would otherwise be, we have to question the motivation behind the study."

Perens also noted that with the rise of Linux, the growing number of negative reports and comments about the open-source operating system shouldn't come as a surprise. "When you're on top, you're going to get hit more," Perens said.

The Price Of Success

Linux-based servers are commonly used to host a firm's Internet presence, with the open source Apache Web server commanding more than 64 percent of the market. Apache usually runs on Linux servers, although it can also run on other OSes.

The mi2g study adds to a growing list of challenges to the burgeoning open-source operating system. In August, an Open Source Risk Management report stated that Linux potentially infringes 283 software patents, although none have been validated yet by court judgments. Patent issues have caused significant concern among Linux users since the SCO Group sued IBM in March 2003, accusing IBM of moving SCO's proprietary Unix code into Linux.

Microsoft president and CEO Steve Ballmer has also taken the offensive, attempting to debunk every major Linux benefit with the company's "Get the Facts" campaign and a recent letter to customers.

"Suspicious" Conclusions?

Rob Enderle, principal analyst with the Enderle Group, also saw many problems with the mi2g study. The firm's methodologies have been questioned before on other studies, Enderle said: "They tend to do a lot of things that seem to be targeted at being media events and are not considered to be particularly credible as a result . . . they are trying to make headlines, and my guess is they were successful."

Asked what he questioned about the study, Enderle said, "BSD and Apple are the least common for general use systems, so you would expect they would be targeted less. Why try to penetrate a system that doesn't get you where you want to go?

"In addition, BSD in particular is generally used by groups that have a very high percentage of highly competent professionals, so it tends to be deployed in ways that are inherently more secure," Enderle stated. "What concerns me the most about this though is the omission of Unix, which is prevalent and should have numbers that fall between the two distinct groups.

"The . . . conclusion may simply be that widely deployed systems used by large numbers of poorly trained people are inherently insecure," Enderle continued. "[Mi2g's] conclusion that these results are based on the platforms alone is questionable, because they have not normalized the populations based on skills and usage."

Bruce Schneier, CTO of Counterpane Internet Security, had not yet studied the report, but said the conclusions "certainly sound suspicious."

Mi2g appeared to anticipate criticism of its study. "We would urge caution when reading negative commentary against mi2g, which may have been clandestinely funded, aided or abetted by a vendor or a special interest group," it said in a press release publicizing the study.
