From: auto397706@hushmail.com
To: full-disclosure@lists.netsys.com
Cc: bugtraq@securityfocus.com
Date: Fri, 20 Feb 2004 16:45:00 -0800
Subject: Yet Another Instance of mi2g's Incompetence...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nothing says 'infuriating' better than a publicly published report that is seemingly rife with inaccuracies and conclusions drawn from poor data. As attrition.org so kindly points out with historical evidence, mi2g has a long history of lying and flagrant ineptitude with respect to the general public:

http://www.attrition.org/errata/charlatan/mi2g-history.html

In a report boldly titled "The World's safest [sic] Operating System," mi2g claims that of all attacks to a particular segment (and they seemingly extrapolate this to mean the rest of the computing world at large), Linux was the target of 80% of the overall attacks, Windows 12%, and BSD/OSX a combined 3%. From their website, and I quote, "The study also reveals that Linux has become the most breached online server OS in the government and non-government spheres for the first time, while the number of successful hacker attacks against Microsoft Windows based servers have [sic, again.. hire a grammar checker before you publish reports, people... the article here refers back to "the number," which is singular, and not "servers.." this should be 'has' and not 'have'] fallen consistently for the last ten months."

Excuse me?! This is some of the most flawed logic I have seen in AGES. Read more of what I'm about to comment on here, first:

http://maccentral.macworld.com/news/2004/02/20/osxserver/
and
http://www.mi2g.com/cgi/mi2g/press/190204_2.php

First of all, I question their data mining abilities -- attrition.org should give you more than enough reason to feel this way as well. Also consider that these numbers, as always, only reflect the number of attacks discovered and reported.

How many Windows boxes out there have been compromised and are run by clueless admins who don't ever discover they've been broken into? Admittedly, there are also lots of Linux boxes, no doubt, that are broken into and never discovered. However, due to the ubiquity of Windows, I would venture to guess that there are a lot more Windows boxes in this state. I would *highly* suspect their number of 2,005 Windows attacks versus 13,654 for Linux. Highly. How about a source for this, mi2g?

Not factored into the public details are the machine counts. How many deployments of each OS exist and are considered in the study?

DK Matai, the man who can't make up his mind what he's doing with his life, let alone actually FINISH something, claims that "Windows administrators deserve some credit for having consistently reduced the proportion of successful online hacker attacks," but I would argue that as well, as that only hinges on the initial flawed conclusion.

Let's consider the biggest, most glaring flaw in here. "mi2g noted that the numbers exclude attacks caused by viruses, worms and Trojan Horses." Excuse me? I find this type of omission absolutely egregious. How can you completely discount a group of problems that comprise, by far, the most impactful of all security issues facing Windows admins today? Or did Mr. Matai and mi2g just not feel like finishing that part of the report? The number would be astronomical, comparatively, no doubt. And how does one appropriately separate attacks by malware from attacks by individuals employing similar techniques? We've all seen worms circulate that were initially vulnerabilities turned script kiddie exploits - does the average Windows admin know how to tell the difference if their AV scanner doesn't pick it up initially? Excluding these numbers here is not only a flaw, but it is indicative of mi2g's baseless view on security -- in effect, they're saying these things are just not serious enough to be included.
This is QUITE a dangerous conclusion to make, because it leads to grossly inaccurate results -- like this "report." Look at the recently discovered Kaitex.E Trojan. It connects back to a computer and allows the originator to execute arbitrary commands. And that wouldn't be included? That's far worse to me than somebody getting 'nobody' access on a chrooted apache server, which, if properly set up, can't even modify a single file. Or even worse, the recently discovered MyDoom.F, which not only includes a remote access vector similar to Kaitex.E, but also deletes all local files with extensions like .xls, .doc, .mdb, amongst others. It also propagates across shared network drives.

( http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101038 )

"So what? It's low profile," you say? So it hits only a few hundred or few thousand hosts? Well, that's a few thousand machines that have now lost potentially business critical data. Ask their managers which they'd rather have happen.

Now before anybody says a word about the hushmail source of this, I am openly admitting that I am doing this solely because I work at a different security company -- a real one, unlike mi2g -- and I do not want my employer to be associated with derogatory statements against another. Because this is a personal concern of mine, completely unrelated to business. And I will admit to not having seen the actual full report, as I'm not willing to pay over $40 for this drivel. I can't imagine there would be more publicly acceptable data that would strengthen their point inside of it that they would choose to not reveal, or even suggest at.

So to mi2g... why don't you do something useful, and just go back to selling automotive info or making e-commerce sites. Stop misleading the public with bogus reports created from flawed data. It's this kind of bullshit that gives the industry a bad name, and makes people question those who actually do something useful.

Signed,
An Anonymous Info-Sec Geek and Longtime Hobbyist

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkA2qRgACgkQpTen0WI2ooXyZQCffE9jqtldHvX98rnfvLASsR7VCmQA
nAxkOeIKchj+XmNjRAEFPHysfVqx
=+Atd
-----END PGP SIGNATURE-----