Furore over OS security survey

By Damian Clarkson, ITWeb junior journalist
Johannesburg, 12 Nov 2004

A number of open source advocates have spoken out against a survey that labelled Linux as the least secure system, pointing to "gaping holes" in its methodology.

European research firm Mi2g unveiled the survey findings last week, stating that BSD and Mac OS X are the most secure operating systems, while Linux was said to be the least. Microsoft was the second "most breached" but a long way behind.

But Mi2g's decision not to count viruses has skewed the findings of the survey, says open source advocate Bruce Perens. "The report really did everyone a disservice by not pointing out that viruses are the main problem. Even their own study says the financial impact of viruses on Windows is tremendously greater than the penetration on Linux.

"Linux is still more secure, it's just the fact that this report doesn't count automatic viruses."

Novell SA business solutions architect James Thomas agrees that virus counts are a significant factor and urges the public to conduct research for themselves. "I absolutely find the statement that Linux is the least secure misleading.

"People must not simply believe what they read in the media. If you take 30 minutes to research this topic, you will find completely contradictory information. So you must ask what the motive is behind such surveys."

In a later interview, Mi2g executive chairman DK Matai conceded that Linux would have been rated more secure than Windows had they counted viruses, but said both would still be less secure than BSD and Mac OS X.

Matai also stood firm on the validity of the survey's findings. While Windows is more susceptible to viruses and other automatically operating malware, Linux is more susceptible to targeted hacker attacks - and the hacker attacks are a more serious threat, Matai said.

Successful manual attacks do much more damage to their targets, even if they are far more rare than automated attacks, he added.

Another point of contention was that the survey did not take into account the relative sizes of the various systems, meaning less common systems like Apple would be attacked less simply because they are less common, says Open Source Software Institute executive director John Weathersby.

"Now that Linux is growing on the desktop, it's becoming a larger target. You will surely see more attacks on Linux. As the market matures you'll have products that come to market that make it easier and more convenient to protect against hackers in a Linux environment."

However, Matai said BSD and Apple are not protected from attacks just because they are relatively rare compared with Windows and Linux. BSD and Apple are used in many mission-critical and high-security applications. "There are many genuine reasons to attack BSD and Apple," he said.