According to Statistics

I just love statistics - especially when they support a point I want to make. You can use them to prove anything. Hey, numbers don't lie! But they don't always give the whole picture either.

Quite a few news stories recently revolved around Attrition.org's Web defacement statistics. Almost 60 percent of the defaced Web servers are running on the Microsoft Windows/NT platform; an interesting statistic clearly demonstrating a problem with Windows/NT servers.

http://www.attrition.org/mirror/attrition/os-graphs.html#Cumulative

However, statistics merely measure and categorize data. Using statistics alone as a research tool is like trying to build a house with just a screwdriver. Yeah, you need it, but you need some other tools as well.

An article on SecurityWatch managed to draw a bunch of erroneous conclusions.

http://www.securitywatch.com/newsforward/default.asp?AID=5351

SecurityWatch states that Attrition endorsed MacOSX and Power BSD as the "safest" platforms. Funny, I didn't see that statement from Attrition. They also stated that more servers on the Internet are running on NT platforms than all other Operating Systems combined. Obviously they didn't check Netcraft, which lists the market share as closer to 20 percent (http://www.netcraft.com/survey/).

One of the more absurd conclusions was posted to the "ihateapple.com" site (no bias here) (http://www.ihateapple.com/). In the posting "Web Defacement Figures", "Russ" states, "Attrition.org has lists of supposed website defacements and hacks for last year." He then jumps to the conclusion that Windows 2000 must be the most secure OS, since it only accounts for 9.96 percent of the defacements. Uh, Russ? W2K has only been around for about a year. Incidentally, the "ihateapple.com" site was defaced on 12/31/00:

http://www.attrition.org/mirror/attrition/2000-12.html

(Note: The defaced page starts a bunch of annoying JavaScripts. The link to Attrition's index is provided as proof that the site was defaced - I don't recommend clicking on the defacement.)

I asked Attrition's statistics specialist, Matt Dickerson (aka "Munge"), what he thought of all the attention the Attrition defacement statistics generated. Matt commented:

"It's interesting what people choose to take away from our stat pages. I am beginning to think that it's more a Rorschach test than anything else. For the past year, we've updated os.html daily and os-graphs.html monthly. It's never got this sort of reaction before."

Attrition staff go through a lot of effort to explain how they compile the data used in their statistics - fully expecting this to be weighted into whatever research their readers are performing.

http://www.attrition.org/mirror/attrition/webserver-graphs.html#NOTES

It's easier to look at the pretty pie chart than do real research. So, what *do* the statistics indicate? Obviously, there is *some* sort of problem with Windows/NT servers. Is it the Operating System? As a Unix bigot, I'd love to say so. The fact is, *any* OS is vulnerable to attack - including Unix derivatives. The popularity of Microsoft systems lies primarily in their ease of use and alleged ease of administration. You don't have to have any in-depth computer science background to administer a Windows server unless, of course, you want security. Microsoft systems *can* be configured to be secure; unfortunately, this requires that the administrator learn something about securing them. To foster the "ease of use" reputation, the default settings of Microsoft systems are far from secure. As we all know, security is damned inconvenient.

Laying the responsibility for security on the Operating System rather than the administrator would be comforting, but sorry kids, it's not that easy. Much as I would love to believe that avoiding NT would ensure a secure Web server, I know better. The most secure OS platform to use is the one you know how to secure.
