The World's Safest Operating System

Posted by CowboyNeal on Sat Feb 21, 2004 12:21 PM
from the torturing-the-data-until-it-confesses dept.
fredrikr writes "UK-based security firm mi2g has analyzed 17,074 successful digital attacks against servers and networks. The results are a bit surprising. The BSD OSes (including FreeBSD and Mac OS X) proved to be the systems least likely to be successfully cracked, while Linux servers were the most vulnerable. Linux machines suffered 13,654 successful attacks, or 80 percent of the survey total. Windows based servers enjoyed a sharp decline in successful breaches, with only 2,005 attacks."
  • Fun and games with statistics (Score:5, Insightful)

    by erick99 (743982) * <homerun@gmail.com> on Saturday February 21 2004, @12:21PM (#8349662)
    From the article: "The group discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide. It confined the study to overt digital attacks by hackers."

    This is not the best way to conduct research. When I was doing research at NIH we would say of this sort of thing, "After discarding all data to the contrary, the hypothesis was proven."

    While this research may show that Linux servers are over-represented in overt acts of hacking, this does not statistically make the Linux OS the least secure. Attacking a particular system simply makes it popular for attack. In order to characterize Linux, or any other OS, as the least secure, there would need to be evidence that an equal amount of other OS's were unsuccessfully attacked or the success rate was lower. Other variables that would require controls would be the hacker, level of sophistication of attack, etc. etc.

    To say that "...while Linux servers were the most vulnerable..." only means that they may have been the most targeted. I am not saying that the conclusions of this research are incorrect, I am saying that from what I have read, they cannot come to those conclusions.

    Keep Smiling!

    Erick

    • Re:Fun and games with statistics (Score:5, Insightful)

      by Anonymous Coward on Saturday February 21 2004, @12:25PM (#8349701)
      I agree with this comment whole-heartedly. It seems like what they have proven is that hacking Linux actually requires human intervention while Windows can be hacked automatically. I guess that shows why Windows is the easiest to use :) Can anybody else envision a world where clippy offers to crack a box for you when you have "forgotten" your password?
      [ Parent ]
      • Overt vs Covert (Score:5, Insightful)

        by cgenman (325138) on Saturday February 21 2004, @01:20PM (#8350162)
        (http://www.chriscanfield.net/)
        Don't forget, they're also only counting Overt attacks, I.E. Verified ones... ones that leave a trace. It could very well be that all of those windows or OSX boxes were at some point Owned, but that the attack was so successful as to not leave a trace. It also requires "modification to any of its publicly visible components whilst executing...data attacks... [or] command and control attacks."

        They also don't list their methodology, which I find disturbing. Out of 17k successful, caught, non-automatic hacks, x were against these systems. However, they don't say where those 17k come from, and don't put it in the perspective of the percentage of those systems in use. If you go to their homepage, they list something called a SIPS (Security Intelligence Products and Systems) System. This data comes from "Personal Relationships at CEO, CFO, CIO, CISO level within the banking, insurance, and reinsurance industry... monitoring hacker bulletin boards... and anonymous communication channels." That's a pretty unscientific pool to be pulling data from. Essentially, you're talking about hacks that were either reported by friends in high places, friends in low places, or bragged about by hackers on publicly accessible bbses.

        So if you want to take the survey methodology seriously, then the survey proves beyond a shadow of a doubt that Linux has more non-automated attacks involving changing publicly accessible interfaces that were caught and reported by friends to mi2g.

        [ Parent ]
        • Re:Overt vs Covert (Score:5, Funny)

          by canajin56 (660655) on Saturday February 21 2004, @01:34PM (#8350263)

          Hmmm, let's do some in-depth research of our own, then: Slashdot poll!

          The last thing I hacked was:

          • *BSD
          • Linux
          • OSX
          • Windows
          • Unix
          • Teh Gibson!

          I'm sure it would be at least as accurate ;)

          [ Parent ]
        • Re:Overt vs Covert (Score:5, Insightful)

          by GlassHeart (579618) on Saturday February 21 2004, @02:06PM (#8350453)
          (Last Journal: Friday February 21 2003, @08:57PM)
          Don't forget, they're also only counting Overt attacks, I.E. Verified ones... ones that leave a trace. It could very well be that all of those windows or OSX boxes were at some point Owned, but that the attack was so successful as to not leave a trace.

          Exactly how would you discover an attack that was so successful as to not leave a trace? By definition such an attack cannot or has not yet been discovered or traced. Leaving them out is both inevitable and fair, because there are attacks against Linux that are similarly undiscovered.

          So if you want to take the survey methodology seriously, then the survey proves beyond a shadow of a doubt that Linux has more non-automated attacks involving changing publicly accessible interfaces that were caught and reported by friends to mi2g.

          I understand that anytime somebody publishes a Top N List the urge to compete externally is great, but why not ignore the others and simply use this as a data point to improve oneself?

          [ Parent ]
          • Re:Overt vs Covert (Score:5, Informative)

            by GlassHeart (579618) on Saturday February 21 2004, @02:47PM (#8350786)
            (Last Journal: Friday February 21 2003, @08:57PM)
            Wow, "flamebait" and "overrated" within minutes.

            The original post reminded us not to forget that Windows or OS X boxes could have undiscovered exploits. I'm reminding that Linux can also have undiscovered exploits. By definition, we cannot know how many undiscovered exploits there are in each OS, so we cannot quantify and compare them. Therefore, we must ignore them and talk about the known exploits. Flamebait?

            If anything will destroy Linux, it's fanboy groupthink that the OS is invulnerable. Every choice has a downside. Deciding to leave a service off by default probably makes it more secure, though less convenient. When there are numbers like these presented, it's exactly the time to review such choices to see if they are the right choices to make for your users. Flamebait?

            [ Parent ]
            • Re:Overt vs Covert (Score:5, Interesting)

              by megaduck (250895) <dvarvel@hotmWELTYail.com minus author> on Saturday February 21 2004, @04:50PM (#8351581)
              (Last Journal: Thursday October 17 2002, @08:24PM)

              Totally agreed. Linux's worst enemy is the Linux boosters who think it's perfect. I'm exhausted, but I'll try and share an anecdote.

              I was up all night last night securing a Debian webserver. Maybe I pushed the wrong buttons, but when that box first booted up a port scan lit it up like a Christmas tree. SSH was open, but so was RPC, Finger, FTP, time, LPD, SMTP, and Telnet. Frickin' TELNET! OS X doesn't even come with a telnet server!

              This was my first Debian box, so it took quite a while to learn the ropes so that I could hunt down and properly squash all of these open ports and set up some firewall rules. Sure, a knowledgeable Linux guy could have done this a lot faster. I came from the OS X world, though, so I had a lot of catching up to do.

              The BSDs don't let newbies make those kind of mistakes. Set up a Mac with all of the defaults, and it's secure. OpenBSD and FreeBSD don't have squat enabled by default. Linux is great, but it still contains a LOT of pitfalls for new admins and users. These security issues are going to get worse as Linux becomes more popular.

              [ Parent ]
              • Re:Overt vs Covert (Score:5, Informative)

                by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Saturday February 21 2004, @05:45PM (#8351911)
                (http://honeypot.net/ | Last Journal: Thursday November 15, @11:49AM)
                Be sure to LART the person who installed it for you. telnetd is not part of Debian's base installation, so it had to have been manually added later.
                [ Parent ]
              • Re:Overt vs Covert (Score:5, Informative)

                by ImpTech (549794) on Saturday February 21 2004, @06:08PM (#8352052)
                Debian default install puts in pretty much nothing, if I recall. To have all those things enabled, somebody had to install them. To be fair, that's pretty easy to do, since like I said, you get *nothing* to begin with, so the tendency is to start blindly installing things from dselect.
                [ Parent ]
              • Re:Overt vs Covert (Score:5, Informative)

                by Dahan (130247) <khym@azeotrope.org> on Saturday February 21 2004, @06:45PM (#8352339)
                Frickin' TELNET! OS X doesn't even come with a telnet server!

                Sure it does... It's not enabled by default, and as far as I know, there's no GUI to enable it, but it certainly comes with telnetd preinstalled:

                greyfox ~% uname -a
                Darwin greyfox.azeotrope.org 6.8 Darwin Kernel Version 6.8: Wed Sep 10 15:20:55PDT 2003; root:xnu/xnu-344.49.obj~2/RELEASE_PPC Power Macintosh powerpc
                greyfox ~% ls -l /usr/libexec/telnetd
                -r-xr-xr-x 1 root wheel 50012 Jan 18 02:05 /usr/libexec/telnetd*
                greyfox ~% grep telnet /etc/inetd.conf
                #telnet stream tcp nowait root /usr/libexec/tcpd telnetd

                [ Parent ]
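
The by-hand check in the comment above (is the service's line in /etc/inetd.conf commented out?), extended to every entry in the file. This is an added example, not part of the original thread; the function names, the legacy-service list and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Audit an inetd.conf: which services are enabled, which of those are legacy
# cleartext services, and which are present but commented out.
# inetd.conf fields: service socket-type protocol wait/nowait user program [args]

# Assumption of this example: inetd service names for the cleartext or
# information-leaking services mentioned in the thread. Adjust to local policy.
LEGACY_SERVICES="telnet ftp finger time"

# write_sample_conf FILE: write a constructed sample file (not from a real host).
write_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample inetd.conf for the audit functions below
#telnet  stream  tcp  nowait  root    /usr/libexec/tcpd  telnetd
ftp      stream  tcp  nowait  root    /usr/libexec/tcpd  ftpd -l
finger   stream  tcp  nowait  nobody  /usr/libexec/tcpd  fingerd -s
#time    dgram   udp  wait    root    internal
auth     stream  tcp  nowait  nobody  /usr/sbin/identd   identd
EOF
}

# list_enabled FILE: print "service protocol program arg0" for active entries.
list_enabled() {
    awk '
        /^[ \t]*#/ { next }                  # commented out means disabled
        /^[ \t]*$/ { next }                  # blank line
        NF >= 6    { print $1, $3, $6, $7 }  # a well-formed service entry
    ' "$1"
}

# list_legacy FILE: print enabled services that appear in LEGACY_SERVICES.
list_legacy() {
    list_enabled "$1" | awk -v legacy="$LEGACY_SERVICES" '
        BEGIN { n = split(legacy, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        ($1 in bad) { print $1 }
    '
}

# list_disabled FILE: print services whose entry exists but is commented out,
# like the "#telnet" line in the session above. Free-text comments are skipped
# by requiring "#name" with no space and a valid socket type in field 2.
list_disabled() {
    awk '
        /^[ \t]*#[A-Za-z0-9]/ {
            sub(/^[ \t]*#/, "")              # strip the marker; awk re-splits $0
            if (NF >= 6 && ($2 == "stream" || $2 == "dgram")) print $1
        }
    ' "$1"
}

# Demo on the constructed sample; point the functions at /etc/inetd.conf
# on a host that still uses inetd.
tmp=$(mktemp)
write_sample_conf "$tmp"
echo "enabled:";            list_enabled "$tmp"
echo "enabled and legacy:"; list_legacy "$tmp"
echo "present, disabled:";  list_disabled "$tmp"
rm -f "$tmp"
```
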
              • Re:Overt vs Covert (Score:5, Interesting)

                by Burning1 (204959) on Saturday February 21 2004, @07:11PM (#8352500)
                (http://www.nodachi.net/)
                Speaking as someone who has installed a lot of linux systems for other people: "Oooh! Shiny thing" syndrome is a major problem.

                Lots of people will see services such as FTP, MAIL, NFS, SSH, WEB and think "That might be useful," or "That might be fun." They enable a small shitload of services, then never bother to update or use them.

                By forcing a person to pay special attention before making a service available to the world (For instance, sendmail will only listen on 127.0.0.1 by default on RedHat) you force them to learn a little something about that service. You also make it undesirable for them to enable a lot of things that they have no hope of using.

                IMO, "Install Everything" is far too tempting for many people, and far too insecure. The number of linux breakins would go down considerably if distributors would simply force people to enable a service after they install it.

                I personally think that the Linux distributions avoid it to make things easier, and to improve people's linux experience. "Hey! I have a webserver running after 5 minutes! Neat! This linux stuff is easy." (I sure was that way when I got into Linux.) : \
                [ Parent ]
              • Re:Overt vs Covert (Score:4, Funny)

                by Anonymous Coward on Saturday February 21 2004, @08:27PM (#8352937)
                Ladies and gentlemen, the end of the world has arrived. Debian has been criticised because it's too easy to install. :)
                [ Parent ]
        • Re:Overt vs Covert (Score:5, Informative)

          by Spoing (152917) on Saturday February 21 2004, @04:16PM (#8351345)
          (http://slashdot.org/)
          1. Don't forget, they're also only counting Overt attacks, I.E. Verified ones... ones that leave a trace. It could very well be that all of those windows or OSX boxes were at some point Owned, but that the attack was so successful as to not leave a trace.

          That's one thing that really bugs me about information available to monitor Windows (from log files to dynamic data).

          What I can find in depth, by default, and easily on Linux is a real chore to locate or (in the case of the standard log files) typically useless.

          It must take an excessive amount of effort and foresight for serious monitoring of a Windows system and even then is it trustworthy? The defaults just don't record/show enough.

          [ Parent ]
      • Re:Fun and games with statistics (Score:5, Informative)

        by Kierthos (225954) on Saturday February 21 2004, @12:54PM (#8349959)
        (http://slashdot.org/)
        No it doesn't. It reads as shades of grey. "Here, let's discount all the big problems/hacks that are affecting Windows. My, now it looks much more secure than Linux."

        Furthermore, given how quickly a potential problem can be fixed in Linux, as opposed to the "wait, and wait, and wait some more" approach to the MS Service Packs, I'd have to say that the methodology used to reach at least some of the conclusions in the article is seriously flawed.

        Kierthos
        [ Parent ]
        • by ZigiSamblak (745960) on Saturday February 21 2004, @02:13PM (#8350504)
          You got it all wrong, there's no problems or hacks in Windows. Coming pre-hacked is a feature!
          [ Parent ]
        • Re:Fun and games with statistics (Score:4, Informative)

          by krappie (172561) on Saturday February 21 2004, @02:34PM (#8350675)
          Furthermore, given how quickly a potential problem can be fixed in Linux, as opposed to the "wait, and wait, and wait some more" approach to the MS Service Packs


          I think now's a good place to post a link to eeye's upcoming advisories page [eeye.com]

          [ Parent ]
                • by 24-bit Voxel (672674) on Saturday February 21 2004, @08:06PM (#8352814)
                  (Last Journal: Wednesday January 21 2004, @09:06PM)
                  In windows terms, it's bad because the person can Read, Write, Edit, and Delete any file on your computer. I think this is bad. If you do not log in as Administrator, you can still run things as admin without having to log out and without compromising as much of your machine. To do this, you need to make sure the "Run As Service" is enabled in your Administrative Settings/Services control panel. (While you are at it, disable telnet if you aren't using it and also disable Remote Registry Service no matter what.) Once RAS is enabled, you can hold down the shift key and right click on anything in windows (a cmd shortcut even if you like the command line) and click Run As... then run it as Admin. Instead of running your WHOLE machine as admin, it will just run that one program (Maya, Half Life come to mind) as admin, and the things it uses. In my honest (and openly admitted unprofessional) opinion, this is better than running as root the whole time. I am not a security specialist, but I read a lot. I guess it's possible if you are already owned to lose control through Run as Service if they already have your password. I'm sure there are other problems with the service, but my understanding is that it is much better than rooting all the time, especially if you use a software firewall and have DSL or cable. (Spammers)

                  I'm not trying to dis your windows knowledge, but if you don't know about run as service, chances are you would never know if you got hacked either. If you really want to see how vulnerable you are, even after the windows updates, I suggest you download the Microsoft Baseline Security Analyzer [microsoft.com] and see just how vulnerable you have been running your machine. I just learned about this program, and it's a real shame they don't advertise it at least. Seems like a real useful one, even if it only has a few tests and probably has a lot of holes it doesn't check. There were at least 4 critical level downloads I needed to fix certain issues that DO NOT show up in windowsupdate for some stupid ass reason. Expect to have to read some technical information about problems and search/find it yourself at microsoft.com for the updates. Something about MDAC, which I'm not too familiar with.

                  Disclaimer: I am not a MS shill, I just like to play games. (And this is not a sig, this is reference to MS and this security post.)

                  [ Parent ]
                  • I suggest you download the Microsoft Baseline Security Analyzer and see just how vulnerable you have been running your machine.

                    Thanks for the reminder. I ran it on my mom's XP box last time I was there, but forgot to run it here until now.

                    It was kind of funny. First, it wouldn't work because the Server service wasn't started. Well, it's not running because I don't need it, and it's stupid to run it if you don't need it. ;-) But I was able to turn it on and run the analyzer (and then turn it off as soon as it was done).

                    It found three security updates I needed (including the MDAC one, which did show up on Windows Update for me, for some reason). So I was a bit out of date. But the other stuff it found was all "Yeah, I know, I set it up that way on purpose." Stuff like:

                    - One of the accounts has a blank or short password. (That's the Guest account, which is disabled.)

                    - None of the passwords are set to auto expire.

                    - Auto-logon is configured for at least one account. (This is my home machine. If my hubby needs to get into my computer account, I don't want to have to give him one of my passwords. If someone breaks into our apartment, I have bigger worries than whether they can get into my Windows box.)

                    - Automatic Updates is not configured properly. (I'm philosophically opposed to having my computer download things without me telling it to, and I know that in some cases this makes me more vulnerable... it's a risk I chose to take.)

                    - Not all hard drives are using the NTFS file system. (No, my 8GB 5400 RPM drive that I keep around for backups when I reinstall the OS is still FAT32. I'm lazy. One of these days, I'll get a new SATA hard drive, and my current main drive will become backup. Everything will be all better then. For one thing, I'll probably switch to Linux at that point, unless another cool MMOG comes out.)

                    - Restrict Anonymous. This is the ONLY surprise that showed up on here. I'd never heard of this before, and have since changed the registry setting.

                    - Telnet service is installed. But it's disabled, so no worries there.

                    So, I feel fairly good about how secure my box is. The MBSA served to reassure me in this case. I'll still feel safer when I switch away from Windows, if only because I'll be less of a target.
                    [ Parent ]
        • Re:Fun and games with statistics (Score:5, Insightful)

          by void* (20133) on Saturday February 21 2004, @03:07PM (#8350912)
          More like "Let's discount all the stuff that rely on TOTAL DIPSHITS to execute on their own computer."

          So every one of those worms required a stupid user to execute it?

          Bullshit.

          http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html

          "W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135"

          That is not anything near 'rely on TOTAL DIPSHITS'.

          This particular worm actively broke into the machine remotely. Discounting it for a study like this is nothing but 'let's throw away data until we've proven what we want', as other posters have noted.
          [ Parent ]
          • Slashdotters react predictably (Score:4, Insightful)

            by bonch (38532) <bonch@nOSPAm.slackersguild.com> on Saturday February 21 2004, @08:52PM (#8353067)
            Okay, this is the SECOND study posted to Slashdot that has shown that Linux is the most breached operating system on the Internet.

            If it were shown to be Windows, nobody would be arguing, but because there is insane bias around here, we get lots of yimmer-yammer trying to run circles around the data.

            How many studies have to come out before Slashdotters stop proclaiming Linux as the magic security solution? GNU was hacked twice last year, and GNOME, Debian, and Gentoo were all hacked. What gives?

            Just my two cents. I'm compiling Gentoo right now...I love Linux. But I'm not so naive to pretend it's the end-all solution. I haven't read all the comments, but I fully expect to read the same, typical, anecdotal bullshit--"Well, where *I* worked..." or "Well, *I* spend more time on Windows patching..." or "Well, if *I* were conducting the study, I would..."
            [ Parent ]
            • Re:Slashdotters react predictably (Score:4, Insightful)

              by innosent (618233) <`jmdority' `at' `gmail.com'> on Saturday February 21 2004, @10:21PM (#8353498)
              You're absolutely right, no OS is secure. The only defense OSS has is that patches can be released quickly, while Microsoft took 200 days to fix ASN.1 (for which a similar problem was found and fixed very quickly in the BSDs and Linux last March).

              How many large companies/organizations running Windows were hacked last year? The point is, most companies/organizations don't report IT security breaches, certainly not like GNU did. If you have a high-profile company, and someone with enough skill wants to, you WILL be hacked eventually, regardless of your choice of OS. Most blackhats don't have the skill level that the GNU attack took, and even that probably could have been prevented, but there is a tradeoff between high security and convenience, and a 0day exploit is hard to stop, unless you can stay awake 24/7 and process incoming ethernet frames in your head fast enough to determine their intent before forwarding them.

              I personally would rather be attacked once a month and know of the attack instantly than be attacked once a year and not know. Security starts at the power outlet, once you plug a machine in, you're vulnerable. (And no, you can't have my netblock range)
              [ Parent ]
        • One nit on this... (Score:5, Insightful)

          by Leomania (137289) on Saturday February 21 2004, @02:04PM (#8350443)
          (http://slashdot.org/)
          ...not that this means you don't have to patch your box. But all major distros these days make that really painless. Or at least a lot less painful than Windows.

          Just one bit that I'd say this is not quite on the mark in this closing statement: Windows makes it easy to patch a machine for the consumer, one box at a time; they make it easy for corporate customers with tools that can push updates onto boxes (although the required reboots are an issue unto themselves). Please correct me if I'm wrong, but I'd venture a guess that the issue is that you don't have these tools because they cost money that isn't easy to justify for the number of Windows servers you have.

          The major problem as I see it is exactly what another poster stated -- that vulnerabilities may exist for months before a patch becomes available from Microsoft, and we may not be informed of them in a timely manner. The sheer number of ways that a Windows machine may be vulnerable for variable periods of time seems to me to be orders of magnitude greater than any Open Source package or the Linux kernel itself.

          The ease of patching vs. the costs of doing so is a very valid reason (among many, obviously) for choosing one operating system over another. But to me it's far more important to know when a vulnerability exists and when a patch will be available. Windows loses in this regard, hands down.

          Disclaimer: IANASBIPTBOOS

          - Leo

          [ Parent ]
          • Re:One nit on this... (Score:5, Informative)

            by Dalcius (587481) <dalcius@g m a i l.com> on Saturday February 21 2004, @05:20PM (#8351747)
            "Wasn't the Linux kernel just patched for a number of serious bugs that existed since 2.2? Seems to me Linux is no different than Windows in this respect"

            An honest concern -- we were all pretty shaken up with the rash of security patches to Linux software a couple months back. However, the good majority of these were local exploits, e.g. preventing one user from taking over the entire system. Windows hardly has a concept of local security; almost all of the problems you hear about for Windows are remote exploits, the really dangerous ones.

            Secondly, taking a look at the exploits for Linux, most are much more involved than Windows. Often a Windows system can be cracked with an easy ordering of instructions or a basic buffer overflow. On the other hand, Linux security holes often involve very carefully crafted buffer overflows that go through more than one round of manipulation and usage before the crack happens.

            Thirdly, when Linux folks know of a Linux bug, everyone tends to hear about it immediately. Microsoft has been known to sit on issues for months (or years!).

            There are exceptions to every rule, and generally security depends on the Admin -- but with Windows, there is a limit to how secure you can make your box.

            Cheers
            [ Parent ]
          • Re:One nit on this... by SnowZero (Score:2) Saturday February 21 2004, @09:57PM
        • by metroid composite (710698) on Saturday February 21 2004, @02:17PM (#8350540)
          (http://www.rpgdl.com/ | Last Journal: Sunday December 19 2004, @11:35PM)
          Company executive chairman DK Matai said: "The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers. Migration to Open Source can be fool's gold without adequate training and understanding of the impact that third party applications have on overall safety and security."
          Perhaps we should be focusing more on tech support and help files?
          [ Parent ]
        • Re:Results of *my* survey... (Score:5, Interesting)

          by skinfitz (564041) on Saturday February 21 2004, @03:15PM (#8350964)
          (Last Journal: Monday December 22 2003, @01:52PM)
          ..not that this means you don't have to patch your box. But all major distros these days make that really painless. Or at least a lot less painful than Windows.

          I disagree with that from personal experience. On Windows - Control Panel, automatic updates - enable. That's it.

          Fedora from GUI:
          Run up2date
          Be told you are not registered. Click ok.
          Choose what updates you want. Select all, start the process.
          Process freezes either before it starts, during, or near the end, OR you are told a package has been tampered with (when really it's just corrupt). Solution: patch one package at a time (which is a $@ing PAIN in the arse). I have Fedora boxen unpatched simply because the patch system is fsck'd.

          Fedora from command line:
          [root@dredd root]# up2date
          Your GPG keyring does not contain the Red Hat, Inc. public key. Without it, you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.

          Your Update Agent options specify that you want to use GPG.

          To install the key, run the following as root:

          rpm --import /usr/share/rhn/RPM-GPG-KEY

          [root@dredd root]# rpm --import /usr/share/rhn/RPM-GPG-KEY
          [root@dredd root]#
          [root@dredd root]# up2date
          Your GPG keyring does not contain the Red Hat, Inc. public key. Without it, you will be unable to verify that packages Update Agent downloads are securely signed by Red Hat.

          Your Update Agent options specify that you want to use GPG.

          To install the key, run the following as root:

          rpm --import /usr/share/rhn/RPM-GPG-KEY

          [root@dredd root]#


          Yeah - MUCH easier than Windows. Not.
          [ Parent ]
          • Patching Fedora by quartertone (Score:2) Saturday February 21 2004, @04:10PM
          • Re:Results of *my* survey... by Feyr (Score:2) Saturday February 21 2004, @04:23PM
          • Re:Results of *my* survey... by P-Nuts (Score:1) Saturday February 21 2004, @05:46PM
          • Re:Results of *my* survey... by Zakabog (Score:2) Saturday February 21 2004, @05:53PM
          • Mandrake by truthsearch (Score:2) Saturday February 21 2004, @08:37PM
          • Re:Results of *my* survey... by f0rt0r (Score:2) Sunday February 22 2004, @12:32AM
          • Re:Results of *my* survey... by Ice_Balrog (Score:1) Sunday February 22 2004, @07:41AM
          • Re:Results of *my* survey... (Score:4, Insightful)

            by skinfitz (564041) on Saturday February 21 2004, @05:59PM (#8351996)
            (Last Journal: Monday December 22 2003, @01:52PM)
            Your survey is skewed because you're completely clueless about linux. It was funny, yet somehow sad, to read of your slapstick antics just now.

            With any supported redhat, clicking on up2date does the trick - without the paid rhn though, you will not be able to get the same service - but guess what, you use apt or yum and get all the same updates. once apt is installed, just say "apt-get install synaptic", and from then on, you can point and click your way through package installs from the various software repositories available.


            Firstly the original poster claimed that all major distros had an easier patch system than Windows. I disagreed and posted my personal experience. This is reinforced by you telling me that I now have to PAY to get a reliable easy to use patch system (Windows updates always have been free). Secondly are you now suggesting that the fact people have to work out how to patch the box is easier than Windows Update and automatic updates?

            I disagree. Ease of use is the point of this discussion, not that it can be made to work with a lot of pissing around.
            [ Parent ]
        • Re:Results of *my* survey... by Paracelcus (Score:2) Saturday February 21 2004, @04:27PM
        • Re:Results of *my* survey... by Xyrus (Score:1) Saturday February 21 2004, @08:26PM
      • Re:Fun and games with statistics (Score:5, Interesting)

        by Anonymous Coward on Saturday February 21 2004, @01:14PM (#8350110)
        It sounds like you are missing the point or trolling. What this study shows is that Linux can often be cracked if somebody takes the time to target it. As opposed to Microsoft Windows, where a single person can take over millions of systems at once with a worm or virus.
        [ Parent ]
      • by SenorMooCow (541070) on Saturday February 21 2004, @01:31PM (#8350232)
        (http://mooserve.myftp.org:89/)
        ...wasted on time you could have been patching Linux.

        I don't believe that the majority of the linux hacks were due to flaws in the operating system as much as they were probably caused by misconfigurations by the people setting up those systems. Windows, on the other hand, comes with lots of holes built right in for you; no user intervention required!
        [ Parent ]
      • Re:Fun and games with statistics (Score:4, Interesting)

        by Anonymous Coward on Saturday February 21 2004, @01:36PM (#8350272)
        A good quote from the MacWorld article

        "Company executive chairman DK Matai said: "The swift adoption of Linux last year within the online government and non-government server community, coupled with inadequate training and knowledge on how to keep that environment secure when running vulnerable third party applications, has contributed to a consistently higher proportion of compromised Linux servers. Migration to Open Source can be fool's gold without adequate training and understanding of the impact that third party applications have on overall safety and security."

        As others have said, poor configurations caused the most problems for the linux machines.
        [ Parent ]
        • Re:Fun and games with statistics by Snowspinner (Score:2) Saturday February 21 2004, @02:02PM
        • Re:Fun and games with statistics by black mariah (Score:2) Saturday February 21 2004, @02:13PM
        • Re:Fun and games with statistics (Score:5, Interesting)

          by You're All Wrong (573825) on Saturday February 21 2004, @02:21PM (#8350569)
          "last year" is pretty irrelevant, as mi2g came up with exactly the same report in 2002.

          http://archive.infoworld.com/articles/hn/xml/02/10/21/021021hnvulnerable.xml

          DK Matai is simply trying to spin the same propaganda that he did in 2002 with the pretense that it contains pertinent information. On the whole it doesn't - looking at the bottom line -- the dollar -- it's the MS exploits alone which are having any real effect in the real world.

          Sure, to pretend that Linux systems are magically impenetrable is equally not in the real world, but I think things need to be put in perspective.

          Also - do sysadmin misconfigurations (e.g. setting anonymous ftp with access to all areas) count as an exploit? It's not the OS's fault if a human has selected a brain-dead configuration.

          YAW.
          [ Parent ]
        • Re:Fun and games with statistics by dipipanone (Score:3) Saturday February 21 2004, @03:53PM
      • Re:Fun and games with statistics (Score:5, Insightful)

        by wandernotlost (444769) <slashdot&trailmagic,com> on Saturday February 21 2004, @01:42PM (#8350317)

        Please. Black and white it most certainly is not. While the information should make us Linux zealots sit up and pay attention, this article doesn't really say anything at all. They didn't tell us the proportions of systems tested, and they threw away automated breaches (and they might have thrown away targeted attacks accomplished through automated/worm means--they didn't give enough information to tell). Without knowing how many systems of each type were present, it's pretty meaningless to give figures based on numbers of systems breached.

        For example, the results in the article could be describing a scenario where all machines on their network were breached, and each of those attacks corresponds to a different machine. So they have 13k Linux machines and 2k Windows machines. Would that tell you that Linux is less secure? Not really. It would have been slightly more meaningful to tell us what percentage of attacks on any given system succeeded and failed. It could also be the case that they keep all their important data on the Linux servers, so not many people are trying to break into the Windows boxes. We just don't know, because the article doesn't tell us anything.

        Yes, Linux folks should work harder on security. No, this article doesn't really say anything in particular definitively.

        P.S. I just looked at the article again, and it says they, "discounted the recent wave of worms, viruses and other attacks that have affected Windows systems worldwide" [emphasis mine]. So yes, from that statement, they actually just discarded all the data on Windows. I kind of doubt that they actually did that, but that's what the article tells us. I guess from that you could say that Linux hackers rely on holes that aren't widely known, whereas Windows hackers just use the same holes that everyone else is using.

        [ Parent ]
      • Re:Fun and games with statistics by BoneFlower (Score:2) Saturday February 21 2004, @02:18PM
      • Re:Fun and games with statistics by AhBeeDoi (Score:1) Saturday February 21 2004, @07:07PM
    • Re:Fun and games with statistics by MasterSLATE (Score:2) Saturday February 21 2004, @12:27PM
    • Exactly what I was thinking by empaler (Score:2) Saturday February 21 2004, @12:27PM
    • Re:Fun and games with statistics (Score:5, Insightful)

      by Frambooz (555784) on Saturday February 21 2004, @12:27PM (#8349731)
      (http://www.frambooz.com/)
      To say that "...while Linux servers were the most vulnerable..." only means that they may have been the most targeted.

      We all know the average Linux user is more likely to tamper with his setup and run non-model-user applications, like their very own webserver. They are likely to know few things about proper server security, and therefore their servers are more vulnerable.

      Windows users are less likely to run a webserver, simply because they're not as eager to play with their system as Linux users. Therefore there will be less insecure Windows servers. The same goes for Mac-OS users.

      What I want to know is the percentage of professionally installed and maintained servers that was actually vulnerable.

      [ Parent ]