OSNews:

OSNews: http://www.osnews.com/story/20965/IBM_AIX_Most_Secure_Mac_OS_X_Least_Secure_ Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Sun, 06 Dec 2009 03:24:18 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com Also http://osnews.com/thread?348472 http://osnews.com/thread?348472 Also, let's not forget that MacOS is much more complex with many vulnerability magnets such as QuickTime and Safari included in its distribution. That is obviously not the case with AIX, but whatever. It's strange marketing. Thu, 12 Feb 2009 15:33:00 GMT donotreply@osnews.com (Buck) Comments Missing some other bits... http://osnews.com/thread?348473 http://osnews.com/thread?348473 Like the fact that by default, telnet is open on an AIX installation and ssh needs to be installed separately.

At the end of the day, I would not consider a system that automatically leaves a bunch of ports open secure and although AIX is a great UNIX, it is not designed to sit out in the open. In fact, unless your admin knows the system back to front, you really want it sitting behind at least one firewall.

If I was really pushed, there are only a few systems I would literally have open to the net and those are all open source. Linux and the BSDs off the top of my head. Thu, 12 Feb 2009 15:34:00 GMT donotreply@osnews.com (SReilly) Comments So... http://osnews.com/thread?348474 http://osnews.com/thread?348474 IBM says their own operating system is the most secure. Shocking, really. I would've never seen that happening. Thu, 12 Feb 2009 15:35:00 GMT donotreply@osnews.com (darknexus) Comments Tank vs Porsche http://osnews.com/thread?348476 http://osnews.com/thread?348476 Silly comparison, really. AIX is a tank, compared to OS X as a Porsche. You wouldn't purchase a Porsche to do the work of a Tank. Thu, 12 Feb 2009 15:40:00 GMT donotreply@osnews.com (rockwell) Comments RE: Tank vs Porsche http://osnews.com/thread?348478 http://osnews.com/thread?348478 Before go disparaging various operating systems, lets make sure we are comparing apples to apples. In the case of AIX and OSX, it is comparing apples to oranges. AIX is an enterprise level OS and OSX is a desktop level OS. They have very different goals. I am not saying that either one of them is better than the other - they are just designed for different purposes. However, when comparing which one is more secure, that becomes a huge can of worms. First of all, using a metric like "disclosed vulnerabilities" is a silly measure. It heavily favors small market share operating systems. Attacks on computers is a function of market share. Malware writers and people who attack systems are in it for the money these days, not necessarily the glory. They are not going to waste their time on small market share OS.

In addition, the vendor is disinclined to fix problems that they know about with this kind of metric.

However, with no other information I am inclined to agree with SReilly in the fact that an OS that installs Telnet by default instead of SSH isn't painting a picture of confidence. Thu, 12 Feb 2009 15:56:00 GMT donotreply@osnews.com (ncc4100) Comments RE: Tank vs Porsche http://osnews.com/thread?348479 http://osnews.com/thread?348479 you would if it was a WW1 tank.... Thu, 12 Feb 2009 15:57:00 GMT donotreply@osnews.com (Nossie) Comments RE[2]: Tank vs Porsche http://osnews.com/thread?348481 http://osnews.com/thread?348481 Lol! Very good! I forgot all about that :-) Thu, 12 Feb 2009 16:10:00 GMT donotreply@osnews.com (SReilly) Comments RE[2]: Tank vs Porsche http://osnews.com/thread?348485 http://osnews.com/thread?348485 "AIX is an enterprise level OS and OSX is a desktop level OS."

RTFPDF. They are clerly naming Mac OS X Server. Thu, 12 Feb 2009 16:15:00 GMT donotreply@osnews.com (dvzt) Comments RE[3]: Tank vs Porsche http://osnews.com/thread?348488 http://osnews.com/thread?348488

"AIX is an enterprise level OS and OSX is a desktop level OS."

RTFPDF. They are clerly naming Mac OS X Server.

They name both OS X and OS X Server. Thu, 12 Feb 2009 16:20:00 GMT donotreply@osnews.com (polaris20) Comments maybe i'm misunderstanding the table http://osnews.com/thread?348525 http://osnews.com/thread?348525 but it looks to me like aix is the 10th most insecure os out there

oh, and lets not forget that openvms 8 only had 1 bug in 2008 Thu, 12 Feb 2009 18:30:00 GMT donotreply@osnews.com (smashIt) Comments This just in... http://osnews.com/thread?348527 http://osnews.com/thread?348527 ... unplugged windows workstation even more secure! Thu, 12 Feb 2009 18:35:00 GMT donotreply@osnews.com (helf) Comments How'd they know? http://osnews.com/thread?348529 http://osnews.com/thread?348529 The blinking lights on the front told them!

That said, OS X's security does have a lot of potential holes. You've got legacy holes from Carbon, everything from the FreeBSD/NetBSD parts that make up the BSD subsystem, then its own special ObjC/Mach vulnerabilities. Thu, 12 Feb 2009 18:41:00 GMT donotreply@osnews.com (hurdboy) Comments You know its crap http://osnews.com/thread?348530 http://osnews.com/thread?348530 when 4 of the 5 lines of caption text start with "operating system". Thu, 12 Feb 2009 18:53:00 GMT donotreply@osnews.com (charlieb) Comments Doubtful http://osnews.com/thread?348536 http://osnews.com/thread?348536 It reminds me of when IBM stated that Power6 CPU has a bandwidth of ~250GB/sec. And it turned that IBM had added all the bandwidth in the chip, L1 cache, L2 cache, etc. That is clearly wrong to do. If there is a bottle neck on 1GB/sec, then the bandwidth will not be greater than 1GB/sec, no matter what.

It reminds me of when IBM stated that a small IBM mainframe is able to consolidate 232 x86 servers. It turned out that IBM assumed the x86 servers idled at ~3% and the Mainframe was 100% utilized! This is also clearly wrong. I could state that my laptop can consolidate 10 IBM mainframes. If the mainframes are idling. This is wrong, dont you think? In fact, you can emulate a 20 MIPS Mainframe on a laptop using the free software "Hercules". It turns out that 1 IBM Mainframe MIPS == 4 MHz x86 i practice. A IBM mainframe CPU can be 1000MIPS. which corresponds to 4GHz x86 CPU.

It reminds me of when IBM stated that one Power6 core is faster than a SUN Niagara core, and therefore the Power6 cpu is faster than Niagara CPU. This is clearly wrong. If a core is faster than another core, it tells nothing about the entire CPU. In fact, 3 of the large IBM Power servers with 12 Power6 CPUs at 4.7 GHz scores half of the SIEBEL benchmarks, as one SUN T5440 machine with 4 Niagara CPUs at 1.4GHz. This is according to official benchmarks.

This is just some of the examples Ive encountered of IBM's aggressive marketing. And therefore I really doubt this report. Thu, 12 Feb 2009 19:29:00 GMT donotreply@osnews.com (Kebabbert) Comments WHAT CRAP. http://osnews.com/thread?348543 http://osnews.com/thread?348543 1) they counted REPORTED bugs.... guess who is open and reports lots of bugs. Linux and even Apple....guess who DOES NOT report anything keeps secret most of their work.. Microsoft.

Open Source projects ALWAYS have more 'reported' security fixes because they are more open about reporting....DUH.

2) I bet they counted Redhat separate from Suse, and separate from Ubuntu....so every Linux event gets counted 3 times+. Thu, 12 Feb 2009 20:11:00 GMT donotreply@osnews.com (Milo_Hoffman) Comments RE: maybe i'm misunderstanding the table http://osnews.com/thread?348548 http://osnews.com/thread?348548 wow, just 1?

I really liked OpenVMS when I used it for awhile. I don't get why so many people just can't stand it. Thu, 12 Feb 2009 20:52:00 GMT donotreply@osnews.com (helf) Comments *bsd? http://osnews.com/thread?348573 http://osnews.com/thread?348573 What happened to NetBSD or OpenBSD (I can't remember which) the one with the audited code and only 2 vulnerabilities ever recorded?

Where does that rank? Thu, 12 Feb 2009 22:31:00 GMT donotreply@osnews.com (netean) Comments RE: Missing some other bits... http://osnews.com/thread?348581 http://osnews.com/thread?348581 Agreed. Its hilarious to suggest AIX is the most 'secure OS'. PAM is a recent addition, RBAC could only be considered a joke and only works properly in AIX6, CSM requires remote root logins to work. Add to the mix that Tectia SSH is buggy crapware in its AIX incarnation and that OpenSSH seems to always be light years behind, I wouldn't leave an AIX box outside a firewall.

Oh and to finish... you only need to hack the ASMI or HMC running some fudged Linux based system to bring the box down and restart in maintenance mode. Thu, 12 Feb 2009 22:58:00 GMT donotreply@osnews.com (spanglywires) Comments snail http://osnews.com/thread?348582 http://osnews.com/thread?348582 my snail is more secure. it has has less reported vulnerabilities during the period 1995-2008. Thu, 12 Feb 2009 23:05:00 GMT donotreply@osnews.com (project_2501) Comments to make mac os x look bad http://osnews.com/thread?348598 http://osnews.com/thread?348598 count 10.0 to the latest version as one Fri, 13 Feb 2009 00:35:00 GMT donotreply@osnews.com (Mellin) Comments Silly metric http://osnews.com/thread?348602 http://osnews.com/thread?348602 How absurd to count the total number of vulnerabilities, when from a security perspective, the truly important number is that of unpatched vulnerabilities! According to Secunia, OS X (all flavors) had 3% unpatched ( http://secunia.com/advisories/product/96/?task=statistics ). To put that number in perspective, Windows XP (14% http://secunia.com/advisories/product/22/ ) and Vista (10% http://secunia.com/advisories/product/13223/ ) both are worse. Better was IBM AIX 6.x at 0% ( http://secunia.com/advisories/product/16995/ ) and HP OpenVMS v8.x (0% http://secunia.com/advisories/product/6052/ ).

BTW, if you add up all the versions of Windows listed in that top 10 chart, you get 24.7%...

I find it fascinating that the one chart pulled out of this report is that OS X has more vulns than any other OS, when the majority of the report discusses ActiveX, IE, IIS, and other MS-only attack vectors. Whoever is spreading this chart around appears to have ulterior motives for ignoring the other 105 pages of the document.

I wonder if IBM is just trying to hit back for the Papermaster fiasco? lol & jk... Fri, 13 Feb 2009 01:07:00 GMT donotreply@osnews.com (Alphaman) Comments RE: Tank vs Porsche http://osnews.com/thread?348604 http://osnews.com/thread?348604

Silly comparison, really. AIX is a tank, compared to OS X as a Porsche. You wouldn't purchase a Porsche to do the work of a Tank.

Why not? If your only purpose is to get from point A to point B, either will work. In fact, in a tank you'd just have to blow s*** up or run it over, possibly saving you time. In a Porsch you would need to know the location you're driving through, watch out for traffic and traffic lights, and just have to worry about a lot more stuff overall. That leaves only one major decision between the two: price difference. And they're both so expensive, you might as well buy the tank.

If it was my decision, I'd go for the tank, or just go straight for a Ferrari.Edited 2009-02-13 01:22 UTC Fri, 13 Feb 2009 01:18:00 GMT donotreply@osnews.com (UZ64) Comments where's the link? http://osnews.com/thread?348619 http://osnews.com/thread?348619 I fail to see how just the "number of DISCLOSED vulnerabilities" has any relation to how secure an OS is?

Say I'm developing my own OS but never disclose any vulnerabilities - does that make it the most secure OS out there?

Is it therefore surprising that an Open Source OS has the most disclosed vulnerabilities? I'd be more interested in knowing how many of these are still outstanding as we speak. And how serious are these vulnerabilities? Do they affect software that is installed by default? Is it something anyone can hack into or does it require a professional "hacker"?

Linux typically has hundreds if not thousands of packages installed by default, increasing the potential for vulnerabilities in the software...most of which a good firewall (also installed by default in most linux distros, but sadly not all) will block.

But in Windows or Mac OS's, how do you determine the vulnerabilities from all of the installed software? (I'm talking about after you've installed countless free apps you've downloaded, game demos, games, flash, java etc).

No apples-apples comparison exists for OS security and it would be a difficult thing to do.

I think a more fair comparison is to count the number of times each OS has actually been compromised and note the severity of each case. It still wont tell you which is more secure but it will let you know how likely you are to have security issues if you run that OS. Fri, 13 Feb 2009 03:54:00 GMT donotreply@osnews.com (pixel8r) Comments RE[2]: maybe i'm misunderstanding the table http://osnews.com/thread?348637 http://osnews.com/thread?348637

.. I really liked OpenVMS when I used it for awhile.

ME TOO

I don't get why so many people just can't stand it.

better marketing for other OS in general and a kind of boycott by DEC Managers in Germany (certainly with agreement by Robert Palmer) who declined pushing SAP in porting their applic onto OpenVMS. (my view)
Ken Olsen would be upside down in his grave if he had knowledge of them all.
Ultrix disappeared from the market Tru64 as well and OpenVMS periods his being in hp as long as there are customers who will pay.
CIOs donât really take care about the workload and downtimes mostly required after applying patches to fix the monthly security vuls in *x. Fri, 13 Feb 2009 09:16:00 GMT donotreply@osnews.com (Tom0815) Comments The real point for us http://osnews.com/thread?348639 http://osnews.com/thread?348639 The real point for us should be how many severe vulnerabilities were discovered, how long it took for workarounds to become available, how long it took for proper patches to become available, and whether the nature of the problems says much about the quality of the code.

There aren't many vulnerabilities reported for Mac OS X, but those that are reported are bloody shocking - and there are a lot that have been banging around for years without being fixed. The nature of OS X's problems appear to be design and architecture, not implementation - which makes "fixing" the problem much more difficult, and makes a lot of people worried about the design of the rest of the operating system.

By this measure, Mac OS X (even OS X Server) is probably less secure than Windows Enterprise. Fri, 13 Feb 2009 10:01:00 GMT donotreply@osnews.com (3rdalbum) Comments I wonder about IBM's other OSs.... http://osnews.com/thread?348672 http://osnews.com/thread?348672 I'd be curious to know where IBM's other operating systems ranked, especially their AS/400 OS and z/OS. Any guesses? Fri, 13 Feb 2009 13:10:00 GMT donotreply@osnews.com (swamp boy) Comments RE[3]: maybe i'm misunderstanding the table http://osnews.com/thread?348675 http://osnews.com/thread?348675

".. I really liked OpenVMS when I used it for awhile.

ME TOO "

I still use it and love it!

Ken Olsen would be upside down in his grave if he had knowledge of them all.

Uh, KO's still alive... 8) Fri, 13 Feb 2009 13:24:00 GMT donotreply@osnews.com (Alphaman) Comments RE[2]: Tank vs Porsche http://osnews.com/thread?348718 http://osnews.com/thread?348718 AIX costs the same as OS X? Really? Fri, 13 Feb 2009 17:05:00 GMT donotreply@osnews.com (rockwell) Comments Not surprising... http://osnews.com/thread?349084 http://osnews.com/thread?349084 The OS IBM sells for the most money comes out top...
An OS they don't support at all comes out last... Sun, 15 Feb 2009 10:51:00 GMT donotreply@osnews.com (bert64) Comments RE: WHAT CRAP. http://osnews.com/thread?349085 http://osnews.com/thread?349085

1) they counted REPORTED bugs.... guess who is open and reports lots of bugs. Linux and even Apple....guess who DOES NOT report anything keeps secret most of their work.. Microsoft.

Open Source projects ALWAYS have more 'reported' security fixes because they are more open about reporting....DUH.

So true... proprietary software vendors in general, not just MS, will not report any bugs they find internally.. Bugs being reported publicly are bad for business. Only bugs discovered by third parties will ever go public, because those are unavoidable, and they will still try to spin the publicity as best they can...

Open source on the other hand, is developed in public... So even very early alpha and beta versions, which are usually full of bugs, will have those bugs discussed in public. Sun, 15 Feb 2009 11:34:00 GMT donotreply@osnews.com (bert64) Comments