Date: Fri, 20 Feb 2004 16:45:00 -0800
Subject: Yet Another Instance of mi2g's Incompetence...

Nothing says 'infuriating' better than a publicly published report that
is seemingly rife with inaccuracies and conclusions drawn from poor data.
 As so kindly points out with historical evidence, mi2g
has a long history of lying and flagrant ineptitude with respect to the
general public:

In a report boldly titled "The World's safest [sic] Operating System,"
mi2g claims that of all attacks to a particular segment (and they seemingly
extrapolate this to mean the rest of the computing world at large), Linux
was the target of 80% of the overall attacks, Windows 12%, and BSD/OSX
a combined 3%.  From their website, and I quote, "The study also reveals
that Linux has become the most breached online server OS in the government
and non-government spheres for the first time, while the number of successful
hacker attacks against Microsoft Windows based servers have [sic, again..
hire a grammar checker before you publish reports, people... the article
here refers back to "the number," which is singular, and not "servers.."
this should be 'has' and not 'have'] fallen consistently for the last
ten months."

Excuse me?!  This is some of the most flawed logic I have seen in AGES.
 Read more of what I'm about to comment on here, first:

First of all, I question their data mining abilities --
should give you more than enough reason to feel this way as well.  Also
consider that these numbers, as always, only reflect the number of attacks
discovered and reported.  How many Windows boxes out there have been
compromised and are run by clueless admins who don't ever discover they've
been broken into?  Admittedly, there are also lots of Linux boxes, no
doubt, that are broken into and never discovered.  However due to the
ubiquity of Windows, I would venture to guess that there are a lot more
Windows boxes in this state.  I would *highly* suspect their number of
2,005 Windows attacks versus 13,654 for Linux.  Highly.  How about a
source for this, mi2g?

Not factored into the public details are the machine counts.  How many
deployments of each OS exist and are considered in the study?  DK Matai,
 the man who can't make up his mind what he's doing with his life, let
alone actually FINISH something, claims that "Windows administrators
deserve some credit for having consistently reduced the proportion of
successful online hacker attacks," but I would argue that as well, as
that only hinges on the initial flawed conclusion.

Let's consider the biggest, most glaring flaw in here.  "mi2g noted that
the numbers exclude attacks caused by viruses, worms and Trojan Horses."
 Excuse me?  I find this type of omission absolutely egregious.  How
can you completely discount a group of problems that comprise, by far,
 the most impactful of all security issues facing Windows admins today?
 Or did Mr. Matai and mi2g just not feel like finishing that part of
the report?  The number would be astronomical, comparatively, no doubt.
 And how does one appropriately separate attacks by malware from attacks
by individuals employing similar techniques?  We've all seen worms circulate
that were initially vulnerabilities turned script kiddie exploits - does
the average Windows admin know how to tell the difference if their AV
scanner doesn't pick it up initially?

Excluding these numbers here is not only a flaw, but it is indicative
of mi2g's baseless view on security -- in effect, they're saying these
things are just not serious enough to be included.  This is QUITE a dangerous
conclusion to make, because it leads to grossly inaccurate results --
 like this "report."  Look at the recently discovered Kaitex.E Trojan.
 It connects back to a computer and allows the originator to execute
arbitrary commands.  And that wouldn't be included?  That's far worse
to me than somebody getting 'nobody' access on a chrooted apache server,
which if properly set up can't even modify a single file.  Or even worse,
the recently discovered MyDoom.F, which not only includes a remote access
vector similar to Kaitex.E, but also deletes all local files with extensions
like .xls, .doc, .mdb, amongst others.  It also propagates across shared
network drives.  "So what?  It's low profile," you say?  So it hits only a few hundred
or few thousand hosts?  Well that's a few thousand machines that have
now lost potentially business critical data.  Ask their managers which
they'd rather have happen.

Now before anybody says a word about the hushmail source of this, I am
openly admitting that I am doing this solely because I work at a different
security company -- a real one, unlike mi2g -- and I do not want my employer
to be associated with derogatory statements against another.  Because
this is a personal concern of mine, completely unrelated to business.
 And I will admit to not having seen the actual full report, as I'm not
willing to pay over $40 for this drivel.  I can't imagine there would
be more publicly acceptable data that would strengthen their point inside
of it that they would choose to not reveal, or even suggest at.

So to mi2g... why don't you do something useful, and just go back to
selling automotive info or making e-commerce sites.  Stop misleading
the public with bogus reports created from flawed data.  It's this kind
of bullshit that gives the industry a bad name, and makes people question
those who actually do something useful.

An Anonymous Info-Sec Geek and Longtime Hobbyist