The controversy surrounding a negative Linux security report lingered this week after the author issued an open letter to the media and an Australian firm weighed in with fresh criticism.
Linux supporters claimed they were justified in attacking the report from Mi2g Ltd., a London-based security and risk management firm, when it claimed Linux was the "most breached" operating system. The authors of the report claimed their research was sound.
The original report cited information gathered from a 12-month period ending in October. It stated that 65% of security breaches for online computers happened on Linux machines, while 25% of breaches occurred on machines running Microsoft applications.
The report made headlines following a story by Linux Pipeline, of the TechWeb Business Technology Network. The article quoted analysts who challenged the report for allegedly negating information on viruses and for publishing content they believed was meant to make headlines.
Linux users also attacked the report, claiming it was a vaguely worded attempt to rile up the Linux base.
In the eye of the beholder
Charles King, principal analyst of Hayward, Calif.-based Pund-IT Research, explained that both sides in this dispute probably have an equal stake in making sure their opinion is the right one.
By releasing the study, Mi2g has its reputation as an analytical firm on the line and if its case is correct, then the recent publicity is sure to boost business.
However, King said the Linux users who cried foul are justified in their passionate reply because the report offers scant information regarding the methodology, the IT environments surveyed or the size of the sample used.
"Without knowing more about how the study was conducted, it's hard to know where any possible anomalies lie," King said. "The Mi2g folks would respond that there weren't any anomalies, but it may be worth mentioning that they also tried to draw a goofy parallel between Apple's supposed security prowess and the increase the company's stock price has seen over the past year -- haven't these guys ever heard of an iPod?"
Con Zymaris, CEO of Cybersource Pty. Ltd., an open source applications and security vendor based in Australia, called the report "truly remarkable … remarkable for the complete lack of references to sources and remarkable for a methodology which is lamentably broken."
"We don't mind when firms like Mi2g come forward with valid criticisms of Linux; there are indeed areas where Linux can be rightly criticized," he said.
Zymaris said the percentage conclusion regarding breached online computers matched the relative ratio of the Apache Web server and Microsoft's IIS, respectively.
"When this is taken into consideration, all that Mi2g is doing is confirming that 65% of manual breaches hit Linux, because it constitutes 65% of the Internet-visible server market."
Linux consultant and user David Niemi, who lives in Reston, Va., considered it suspect that the Mi2g article did not state how they knew any of the systems tested had been breached.
"It does not sound like they control for the relative abundance of the system they studied, although it is true that OpenBSD is a very secure operating system – especially if you compare default configurations," Niemi said in an email.
Mi2g alleges suspicious behavior of its own
In an open letter to the press, Mi2g alleged it was never contacted for comment for the TechWeb article, which quoted experts who called the report's conclusions "suspicious."
"With respect, we are concerned that we have not been asked to make a comment at all in regard to the published article that discredits us and challenges our reputation," the letter stated.
The letter continued: "Those personalities also appear not to have read the Mi2g news alert or the underlying report for that matter and have made factually incorrect statements as a result."
Mi2g stated that it supports Linux and runs the company's Web site on Linux. The company's Security Intelligence Products and Systems Engine also runs on Linux, Apache, MySQL and PHP (LAMP) architecture.
"We believe good administration is central to working with Linux. Those skills are lacking in the global market, and that is the root cause of Linux receiving a much higher number of manual hacker breaches," the company said.
DK Matai, the executive chairman of Mi2g, accused vendors of "boiling down safety to perception," as part of a huge marketing effort and benchmark comparisons that "deliver perfect security as if it is a sunny day on the Internet every day of the year."
The passion of Linux
King attributed the impassioned response of the Linux community to the fact that the next year will be a critical time for the operating system. The OS is improving and growing at a steady pace in government, business, independent software vendor and user spaces, he said, and, more importantly, it is maturing to a level where it could complicate Microsoft's Longhorn launch.
"Linux won't kill Longhorn, but viable Linux alternatives could lead significant numbers of businesses to 'just say no' to Redmond's eternal upgrade path," he said.