[cenutrio]

Hi guys,

I really need your good advice.

Ok, I've been working in a lab for more than 6 years now and I'm quite ready to go. However we're having a big debate around here about security. It seems we are going to set up a server database for other labs to download DNA sequences performed by us. We work with a selected agent, so security is a must. This is a Mac lab, this is a reason for my switch in 98, and most computers are running panther now.

The idea is as I said to set up a server database. A good friend of mine, we're the two nerds around, likes PCs and he is willing to set up a linux box for the job. However, I do believe that using any of the current Macs would do the job just fine (traffic will be very limited since the database is only for other collaboration groups and it is not that large anyway) and would be as secure as it can gets. He disagrees.

Pretty much he'll be in charge when I left so of course his opinions are highly regarded. The problem is that he would be the only guy around knowledgeable enough to set up a Linux server while i think that OS X environment would be much more friendly, so other people can be trained.

Additionally, he claims that OS X is far less secure than Linux (I still do not know which flavor is he willing to use) and he points to some not very detailed reports I attach bellow. Of course, I counterattack with news like last's week Tech central.

This is the main reasons of his fear to OS X security The scientist

The funny thing is that we work at the University of Wisconsin whose division of technology claims that "opener" is not virus, not a trojan or worm UW tech division

I know that my lab is very Mac friend. I do not know if Linux would be the answer since it is tricky and very obscure. Even more knowing that we already have very capable hardware and software to do the job without stretching our budget ( I even use an old iMac as my personal server, works flawlessly, never a single crash in more than 2 years).

Any thoughts or information defending my position?

[milhous]

if your colleague is really that knowledgable of linux, then he should also know that linux has its fair share of vulnerabilities (even moreso than os x) which he's obviously not telling you so that he can bolster his argument.

and at least with os x, i agree with you that it would be easier to use and plus if there are any software updates that are critical to the security of the system, you'll get it all through software update with 1-click updating and restart with no need to mess with the command line.

[larkost]

When you say that this information is going to be put into a database on either Mac or linux, then I am going to assume that we are talking about either MySQL or PostreSQL or some sort of semi-database PHP script (for articles probably a better idea). In that case there is going to be no real difference between the two platforms for applications security... and you would be splitting hairs to compare the security of the platform out of the box.

Now MacOS X would have a slight slight edge (and I mean slight) over most linux distributions because it has a system that automatically notifies the user about security updates on a regular basis.

In practice 90% of the security issues in this sort of thing are because of application problems. If you have someone designing the system without a good understanding of security issues then the possible issues because you chose MacOS X or linux over the other are going to be negligible.

On the subject of "Opener" it is not a virus, or a worm. It is a rootkit, a tool to be used after you have gained root access to a computer. It could be use as the payload for virus or a worm (or more likely a trojan), but it in no way contributes to the hard part of creating a virus (getting access). All the press this is getting is from people who don't understand the issues, or have an axe to grind.

Oh... and just for disclosure, I used to work in the same office with DAS at DoIT there at the UW.

[jamil5454]

If you want secure, go FreeBSD. It's much like Linux, except FreeBSD hasn't had an out-of-the-box security vulnerability for something like 4 years. I think OS X would take up too much RAM to be a good server. Linux will probably run better on older hardware, and is definately more customizable than OS X (unless you get into OS X's terminal).

[Scientist]

Hi. I run a Debian Linux server and it works great. I prefer it over OS X because it is easier to add new services and the hardware was cheaper. I have also used OS X in the same capacity and it worked just fine. We just needed the hardware for other work. The problem with Debian is that it is tricky to learn. If your friend was to disappear, it would be pretty hard to find someone to replace him. If the database app is included with OS X (and has a GUI) or if you have an extra Mac box lying around you should probably go with that. Of course you could always install Debian on the Mac box too. As far as security goes you'd probably be a bit better off with OS X unless you are using a third party database app in which case debian would be much easier to update (although probably quite a bit more hacker prone). Who's lab do you work in? I work at UW too.

[cenutrio]

Hi This is Johnson's lab at the Dept. Food Microbiology & Toxicology.
I think the sequencing facilities at the Biotechnology Dept. used to handle their database in an OS 9 server, they were taking much more traffic that we would ever get by far. I wonder what are they using know (I may call them) since it is pretty much what we need. A configurable database installed on a server from which, via a browser, authorized users can download stuff.

The way i say it is as follows. Very easy set up and manageable database in an easy to work hardware. I do not think that the database will ever get bigger than 100 GB and it is not going to take many hits.

Any PM G4 would do it, even iMacs with an upgraded HD. Easy.

Besides even when i consider myself and my friend quite knowledgeable we do not run linux servers in a daily basics, it can be trickier than it looks and using OSX apache or wherever is so much easier. That way people could be trained. There's no necessity of making things more difficult that they really are.

Security would be excellent.

What I really think is that my buddy, a windows fan, is so concerned about security (all day long running antivirus, updating the system, firewalls) it can sometimes get funny...However, he likes the x86 platform so he wants to give it Linux a try. but he's not a terminal guy on a regular basic. besides he just do no like Macs. However, the boss does and since he has invested so much money on the hardware and training of his people. Besides the stuff is more than suitable for the job...

I'm leaving but I think they're going to get in big s**t if the jump on the wiindows or Linux stuff.

Just my two cents..

[Arkham_c]

From a functionality standpoint, either Linux or OS X will work fine. Intel hardware is cheaper, but if you can get the Mac hardware go with that.

As to security, your friend is talking out of his arse. The script that the "worm" describes could be easily replicated on a Linux box. It's not a vulnerability in any sense, since it has to be manually executed and uses no security exploits at all.

Linux is as vulnerable or more vulnerable than OSX.

Point your friend to this:

http://www.mi2g.com/cgi/mi2g/press/021104.php

A 12-month study finds OSX is the most secure OS.

Here's an interesting quote:

The study also reveals that Linux has become the most breached 24/7 online computing environment in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded, with 154,846 successfully compromised Linux 24/7 online computers of all flavours.

[utidjian]

It all depends...

Which version of Linux is your co-worker advocating?
Which version Mac OS X are you advocating (desktop or server)?

Contrary to what some have claimed here all popular distros of Linux include by default some sort of automatic update notification for ALL the software they provide. This includes one button GUI type updates or one command CLI type updates. This has been commonly available for years... at least as long as Mac OS X has been around.

In this case most choices of Linux distro have a significant advantage over regular Mac OS X because Apple does not provide updates to MySQL. PostgreSQL or Apache. If you are running Mac OS X Server Apple does provide updates for MySQL and Apache. All Major Linux distros include MySQL, PostgreSQL, and Apache and provide updates as required.

As far as network security goes there is no measureable difference between the two. With all services "off" in Linux and Mac OS X they are equivalent.
By default regular Mac OS X installs with all services "off" and the root account is disabled.
By default Mac OS X Server installs with services sshd and ARD running and the root account is enabled.
By default the major Linux distros install with sshd running and the root account enabled.
You will be turning on Apache (httpd) and MySQL so that will be running on either OS.
So for network services, accounts, and internal services both Linux and Mac OS X Server are essentially equivalent either by default or after you have turned on the services you need.

As far as "ease of use/configuration" is concerned... from what you have said the person responsible for maintaining the system is most comfortable with Linux. Then the choice is simple... use Linux.
If the person responsible for maintaining the system were most comfortable with Mac OS X then the choice would be equally as simple... use Mac OS X.
When it gets down to configuring Apache and MySQL there is no real difference between Linux and Mac OS X. Both systems have a rich set of both CLI and GUI tools for configuration and maintenance.
If you are concerned about sharing the responsibility of server configuration and maintenance there is a very good tool that will work well for either OS for this service. Take a look at Webmin (http://www.webmin.com). Some Linux distros include Webmin or it can be installed. It is also easy to install and setup on Mac OS X.

Depending on how much hardware you have to throw at this project you might want to consider using a good midrange x86 or athlon based system with a LOT of RAM. You could also use an Apple Xserve or G5 tower. You may not get much "traffic" to this server but when even a few clients are hitting a 100GB database with DNA sequence queries CPU, RAM, and disk speed will be important.
You may also want to consider using not one but two servers. One very minimal server that is connected to the internet running Apache and the second database server NOT connected to the internet running your database. This would help from both a security and performance standpoint. You should also make a good plan for backups AND test it.

As far as ease of someone else picking up where the maintainer has left off. It is just as easy to make a messy setup with Mac OS X as with Linux. It should be a requirement of the project that the system be kept simple and well documented.

All other factors being essentially equal... it comes down to who is going to be responsible for the system AND what they are most comfortable with.

[edit]
After reading your later post it seems that your "buddy" may not know that much about Linux OR Mac OS X. In this case, if I were your boss, I would seriously reconsider my choice of maintainer. If the alternate choice of maintainer is equivalent and there is enough time and resources have both of them set up the system of their choice and see which one works the best, which is easiest to maintain, and how well the configuration is done.
We did much the same thing where I work a few years ago and Linux won out as the server solution. In another department Mac OS X server won out. It really depended on the orientation and expertise of the people that were available. In both departments the results have been, more or less, equally satisfactory.

[Gee4orce]

I don't see how you can criticise Apple for now updating Postgres or MySQL ? - these are 3rd party software products. Mac installers are available on the internet for both of these, and Apache, but there's really no need because you can build them from the command line with the usual './configure;make; sudo make install;' sequence.

Your friend is talking out of his behind. What exactly is it that he thinks Linux can do that Mac OS X can't ? There are plenty of things that Mac OS X can do that Linux can't. Give your friend ssh access to a Mac and he can pretend he's using Linux. It's really going to be childs play for him to lean Mac OS X if he really does know Linux - but from the sound of it he's bluffing and doesn't know a great deal about Linux; in which case it's still going to be easier for him to lean Mac OS X than Linux.

The best option for your company would be an XServe. The second best option would be a copy of Mac OS X Server on any Mac. The third best option would be a standard (non-server) Mac OS X installation, with some compiled or downloaded database server software (a 10 minute job). The fourth best option would be a linux distro.

[Millennium]

Apple doesn't provide updates to MySQL for OSX because MySQL doesn't come with OSX. This is by no means Apple's fault. They do provide updates for all of the software which comes with it, when those updates are necessary for security reasons. They cannot, however, be held responsible for software they do not provide.

[thefamousmred]

Will there be more than one person in the office who knows anything about Linux? If not, don't use Linux - your lab shouldn't even be having this discussion. Get an OS X server box and be done with it.

[larkost]

Originally posted by utidjian:
It all depends...
Contrary to what some have claimed here all popular distros of Linux include by default some sort of automatic update notification for ALL the software they provide. This includes one button GUI type updates or one command CLI type updates. This has been commonly available for years... at least as long as Mac OS X has been around.

utidjian, I just went through a series of installs of 6 major linux distros, and only one of them had anything like an automatic update notification. They all provide systems to manually scan for updates, but MacOS X's system is the best I have seen for non-computer-admins, or for people who are just getting started in the whole admin process.

In this case most choices of Linux distro have a significant advantage over regular Mac OS X because Apple does not provide updates to MySQL. PostgreSQL or Apache. If you are running Mac OS X Server Apple does provide updates for MySQL and Apache. All Major Linux distros include MySQL, PostgreSQL, and Apache and provide updates as required.

If you are going to make that claim, then you are going to have to include fink on MacOS X. All of these systems are adaptations of the idea behind FreeBSD's port/packages system. You are also ignoring that none of these systems will update MySQL or PostreSQL for you, as doing so can break databases, so is only ever done with direct user intervention.

And what you are again ignoring is that the main security problems are not going to come from the OS or the database software, they are going to come from the application that is being created... that is also where 90% of the admin problems are going to come from.

[larkost]

Originally posted by jamil5454:
If you want secure, go FreeBSD. It's much like Linux, except FreeBSD hasn't had an out-of-the-box security vulnerability for something like 4 years. I think OS X would take up too much RAM to be a good server. Linux will probably run better on older hardware, and is definately more customizable than OS X (unless you get into OS X's terminal).

You are not thinking of FreeBSD... it is OpenBSD that is the security champ, but we are talking about adding Apache and MySQL or PostgreSQL to the mix, all of which have had security notices out. I am not trying to scare people, as most of these notices have been corner-case or non-exploitable (except on Windows... *sigh*).

And MacOS X makes a perfectly good server, but if you are really tight on resources, then we should be talking about a BSD, and completely forget about having a GUI, both X-11 and Quartz are big consumers of resources.

[cenutrio]

Again, I'm sure that the server will not get that much traffic (a couple dozen downloads/day). I think we already have hardware that can deal with that easily (we have 5 PMG5s, 2 PMG4, 3 iMacs, 1 eMac, +older hardware). My question would be if the OS X server would be really necesary or just OS X panther (for consumer) can handle security. I use Apache on my personal server and it is so easy. It would be super easy to instruct some people on the lab how to set it up, update the database, and so on.

[larkost]

For what I imagine the project will be like, the only difference between Server and Client versions of MacOS X is that Server already has MySQL, and therefore also get the security updates through Software Updates. Personally this would not mean a thing to me as I would go with MySQL 4.1 or above (sub-selects make life good), and MacOS X Server still has 4.0.x, and therefore I would not be using their copy.

[Arkham_c]

Originally posted by cenutrio:
My question would be if the OS X server would be really necesary or just OS X panther (for consumer) can handle security. I use Apache on my personal server and it is so easy. It would be super easy to instruct some people on the lab how to set it up, update the database, and so on.

There is no reason at all to get OSX Server for what you are looking to do. I run a web server, DNS server, email server, ftp server, and database server for 5 domains on a B&W G3 running Panther and it's reliable, fast, and secure.

[utidjian]

Originally posted by Millennium:
Apple doesn't provide updates to MySQL for OSX because MySQL doesn't come with OSX. This is by no means Apple's fault. They do provide updates for all of the software which comes with it, when those updates are necessary for security reasons. They cannot, however, be held responsible for software they do not provide.

Apple provides Apache in both client and server versions. MySQL is provided by Apple in the server version only. I don't know whether Apple provides security updates for Apache or MySQL as they become available.

There is plenty of software in Mac OS X client AND server that Apple does not make directly (bash, gcc, OpenSSL/SSH, X11, IE, Perl, to name very few) these are all bundled with the main OS install or optional on the Xcode/Developer Tools CD. If a vulnerability is exposed for say, Apache, why shouldn't Apple provide the update via SoftwareUpdate.app? They do for OpenSSL/SSH.
When was the last update for Apache on Mac OS X? On my regular (client) Mac OS X Panther machines it has never been updated since February 2004 so it has the original (Apple supplied) Apache version since I installed it.

Code:
[iwhiz:~] physicsa% /usr/sbin/httpd -v
Server version: Apache/1.3.29 (Darwin)
Server built:   Feb  4 2004 10:31:58

See: http://www.apacheweek.com/features/security-v1.3.29
For the vulnerabilities in that version. What does Mac OS X Server have for this? On one of our Xserves (I don't maintain this one) we have Apache httpd 1.3.27 ((Darwin) DAV/1.0.3).
See: http://www.apacheweek.com/features/security-v1.3.27

On one of my Fedora Core 2 systems:

Code:
[utidjian@pressure utidjian]$ /usr/sbin/httpd -v
Server version: Apache/2.0.51
Server built:   Sep 21 2004 16:27:17

See: http://www.apacheweek.com/features/security-v2.0.51
All of which have been patched in the currently running version or are features that I don't use. That update to Apache was just as easy to do in Fedora Core 2 as any update is to do in Mac OS X Panther. Sometimes even easier. Either system can be simply updated from the GUI or CLI. The GUI in Fedora Core 2 has an annunciator on the panel that pulses a red "!" when there are available updates... it monitors available updates periodically throughout the day. If I don't want to use the GUI I can set it so I am emailed when updates are available (or both). If it is a red "!" I can click on it, authenticate, and away I go... the rest is much like SoftwareUpdate.app. Speaking of which... I see there is a new update to Mac OS X to 10.3.6 (requires a reboot too which is understandable). I hope I don't have to update Quicktime because then I will have to run around and deal with all the registration popups for it. In any case... no update to Apache in this update.

My point is... the OP wants to run a web server and a database. These services are supplied by Apple or can be added on via Fink or direct downloads from the supplier and built from source. In either case Apple does not supply the updates to Apache in the client version of the OS. So the whole argument for "easy to use 'one-click' updates" does not apply for these services that are critical to the mission of this server. Most Linux distros DO provide this service and functionality FOR the webservers and databases that they provide... and for ALL the software that that distro provides.

[utidjian]

Originally posted by larkost:
utidjian, I just went through a series of installs of 6 major linux distros, and only one of them had anything like an automatic update notification. They all provide systems to manually scan for updates, but MacOS X's system is the best I have seen for non-computer-admins, or for people who are just getting started in the whole admin process.

I can't speak for "6 major linux distros" (there are that many "major" ones?). I do know that Red Hat, Fedora Core, Mandrake and SuSE have automatic update notification. The ones I am most familiar with is Red Hat and Fedora Core which, IMO, work just as well, if not better than SoftwareUpdate.app or softwareupdate in Mac OS X. Which is completely beside the point when Mac OS X won't even update the mission critical internet exposed services, no?

Again, whether Mac OS X's system is the best for newbie admins is beside the point when the system doesn't update the critical application or service.

If you are going to make that claim, then you are going to have to include fink on MacOS X. All of these systems are adaptations of the idea behind FreeBSD's port/packages system. You are also ignoring that none of these systems will update MySQL or PostreSQL for you, as doing so can break databases, so is only ever done with direct user intervention.

I know what Fink is... use it myself... but it is not part of SoftwareUpdate.app is it?

I am not ignoring updates to MySQL and PostgreSQL. They update just fine on my Linux servers. I haven't managed to break any of my databases yet over six years of use and keeping them updated. Perhaps your experience has been different.

And what you are again ignoring is that the main security problems are not going to come from the OS or the database software, they are going to come from the application that is being created... that is also where 90% of the admin problems are going to come from.

I am not ignoring the fact that, over time, there have been plenty of security issues with both Apache and MySQL. Apple seems to be ignoring it however.
Certainly the applications that are implemented on the server are also potential problems... but that is completely independent of the choice of platform. Basically an insecure application or an insecure service is ummm.... insecure regardless of platform, no?

The point is... it is impossible to keep Apache and MySQL updated using SoftwareUpdate.app on Mac OS X. If you go to the CLI or Fink or whatever... then the advantages of automatic notification and single interface updates are lost for Mac OS X. In Red Hat and Fedora Core Linux that advantage is not lost.

[Angus_D]

Originally posted by utidjian:
I am not ignoring the fact that, over time, there have been plenty of security issues with both Apache and MySQL. Apple seems to be ignoring it however.

Eh? Apple issues Security Updates that patch Apache and MySQL quite regularly.

[utidjian]

Originally posted by Angus_D:
Eh? Apple issues Security Updates that patch Apache and MySQL quite regularly.

They do? For the Mac OS X Panther (not Server)? If so why hasn't mine been updated via SoftwareUpdate.app?

If the patched Apache and MySQL are NOT available to regular Mac OS X Panther (not Server) via SoftwareUpdate.app my point still stands.

Much as people would like to believe that SoftwareUpdate.app is a significant advantage that Mac OS X Panther (not Server) over Linux (Fedora Core and Red Hat) in this case, for Apache and MySQL, it isn't.
SoftwareUpdate.app is a very nice, very effective and very convenient application for keeping a Mac OS X workstation updated. However SoftwareUpdate.app does NOT keep ALL Apple supplied software updated. When I say "Apple supplied" I mean ALL the software that comes on the Mac OS X Panther install CDs. For me this included three Mac OS X CDs and one Xcode/Developer Tools CD.
rhn-applet, up2date, and yum are very nice, very effective and very convenient applications for keeping a Linux workstation OR server updated with ALL the software supplied by the distribution on the original install media. These applications can even be configured for notifying and updating third part applications NOT supplied by the original distro in addition to all the software originally available from the distro. For Red Hat and Fedora Core, in particular,one can easily "roll back" updates and software installs should the admin find that it does not work as expected or breaks some functionality with their custom applications. Can you do that with SoftwareUpdate.app? Is there any utility in Mac OS X Panther that provides that functionality?

In the situation that the OP has described... IMO the deciding factor should be based on who is going to have to setup and maintain this system. What is their level of expertise and how easy will it be to update and train an alternate maintainer? From what the OP has said I would favor using Mac OS X since there seems to be more expertise and more people available that know how to deal with Mac OS X than there is for Linux. Yet... it is unclear that the Mac OS X people know anything about setting up and maintaining a server. The situation that the OP has so far described is far from clear on the important points.

[larkost]

Yes... Software Update will provide security (and sometimes version) updates for all security risks. Client includes updates for Apache (1.3.x) and Server for MySQL as well (4.x).

On the subject of roll backs... you do not want to get into that situation as those systems are very fragile.. and are usually not worth even trying. I say this from long experience. Trying to track down the dependancy that got rolled back mistakenly can be a real nightmare. Apple has chosen the better route: test the hell out of your patches and distribute them as clumps. I am not saying it has been perfect... but quite a bit better than dependancy hell.

I will agree that the situation is murky... and to be honest I don't think that mac or linux is going to be a big deal here... 99% of the maintenance and troubleshooting on this app is going to be in the application/solution layer... and that is probably going to be completely cross-platform...

[Boondoggle]

http://www.mi2g.com/


Deep study: The world's safest computing environment



news alert




London, UK - 2 November 2004, 02:30 GMT - The most comprehensive study ever undertaken by the mi2g Intelligence Unit over 12 months reveals that the world's safest and most secure 24/7 online computing environment - operating system plus applications - is proving to be the Open Source platform of BSD (Berkley Software Distribution) and the Mac OS X based on Darwin. This is good news for Apple Computers(AAPL) whose shares have outperformed the benchmark NASDAQ, S&P and Dow indices as well as Microsoft (MSFT) by over 100% in the last six months on the back of revived sales and profits. The last twelve months have witnessed the deadliest annual period in terms of malware - virus, worm and trojan - proliferation targeting Windows based machines in which over 200 countries and tens of millions of computers worldwide have been infected month-in month-out.

Sample size and breakdown

The latest mi2g Intelligence Unit study analyses 235,907 successful digital breaches against permanently connected - 24/7 online - computers across the globe. The nearly quarter million digital breaches carried out by hackers span twelve months from November 2003 to October 2004. Global proliferation data from over 459 malware species since the start of 2004 has also been analysed.

The sample of breached computing environments is holistic and possesses some anti-virus protection and basic security at the very least. It consists of micro entities - homes and small offices without a separate firewall unit; small entities - organisations with a turnover of below $7 million with a separate firewall unit; medium entities - organisations with a turnover between $7 million and $40 million with a separate firewall unit and basic intrusion detection; and large entities - organisations with a turnover in excess of $40 million with firewall layers, intrusion detection systems and dedicated computer security staff.

In 2004, 32.7% of all digital breaches were carried out against micro entities including home-based individuals with 24/7 online computers; 58.8% of all digital breaches were against small entities; 6.1% of all digital breaches were against medium size entities; and only 2.5% of all digital breaches were against large entities - businesses, government agencies and non-government organisations inclusive.

Most breached computing environment - Overall

The study also reveals that Linux has become the most breached 24/7 online computing environment in terms of manual hacker attacks overall and accounts for 65.64% of all breaches recorded, with 154,846 successfully compromised Linux 24/7 online computers of all flavours. The number of successful manual hacker attacks against Microsoft Windows based online computers has remained steady and accounts for 25.19% of all breaches recorded, with 59,419 successfully compromised Windows targets of all versions. In sharp contrast, the number of successful hacker attacks against Mac OS X or BSD based online computers has demonstrated a declining trend and accounts for just 4.82% of all breaches recorded, with 11,370 successfully compromised BSD targets of all flavours including Apple.

Most breached computing environment - Governments

In a remarkable switch in top rank within the Government computing environment over the last twelve months, the most breached Operating System for online systems has now become Windows (57.74%) followed by Linux (31.76%) and then BSD and Mac OS X together (1.74%). This is in stark contrast to the situation six months ago, when Microsoft Windows was significantly lower in terms of recorded government server breaches in comparison to Linux. The number of recorded breaches against government online computers running BSD or Mac OS X worldwide remains very low.

Malware proliferation

The recent global malware epidemics have primarily targeted the Windows computing environment and have not caused any significant economic damage to environments running Open Source including Linux, BSD and Mac OS X. When taking the economic damage from malware into account over the last twelve months, including the impact of MyDoom, NetSky, SoBig, Klez and Sasser, Windows has become the most breached computing environment in the world accounting for most of the productivity losses associated with malware - virus, worm and trojan - proliferation. This is directly the result of very insignificant quantities of highly damaging mass-spreading malware being written for other computing environments like Linux, BSD and Mac OS X.

Global economic damage estimate

In 2004, the overall economic damage from hacker perpetrated overt, covert and DDoS digital attacks worldwide is estimated to have been between $103bn and $126bn by the mi2g Intelligence Unit. These figures exclude malware attacks through viruses, worms and trojans which account for an additional estimated damage of between $166bn and $202bn worldwide.

Economic damage is calculated by the mi2g Intelligence Unit on the basis of helpdesk support costs, overtime payments, contingency outsourcing, loss of business, bandwidth clogging, productivity erosion, management time reallocation, cost of recovery and software upgrades. When available, Intellectual Property Rights (IPR) violations as well as customer and supplier liability costs have also been included in the estimates.

Conclusion

"More and more smart individuals, government agencies and corporations are shifting towards Apple and BSD environments in 2004," according to DK Matai, Executive Chairman, mi2g. "For how long can the truth remain hidden that the great emperors of the software industry are wearing no clothes fit for the fluid environment in which computing takes place, where new threats manifest every hour of every day. There is an accelerating paradigm shift visible in 2004 and busy professionals have spotted the benefits of Apple and BSD because they don't have the time to cope with umpteen flavours of Linux or to wait for Microsoft's Longhorn when Windows XP has proved to be a stumbling block in some well chronicled instances."

Important note

For the record, neither mi2g Ltd nor the mi2g Intelligence Unit have a business relationship with Apple Computers and we do not own any shares in that corporation. Previously, the mi2g data for one month was considered to be too small a sample and not representative of the global environment within which different types of entities - micro, small, medium and large - exist. We have addressed those concerns in the new study. The critics were against the previous study which also came out in favour of Apple and BSD, because the entrenched supporters of Linux and Windows felt that mi2g was guilty of 'computing blasphemy'. In subsequent months, mi2g's reputation was damaged on search engines and bulletin boards. We would urge caution when reading negative commentary against mi2g, which may have been clandestinely funded, aided or abetted by a vendor or a special interest group.

[ENDS]


mi2g is at the leading edge of building secure on-line banking, broking and trading architectures. The principal applications of our technology are:

1. D2-Banking;
2. Digital Risk Management; and
3. Bespoke Security Architecture.

mi2g pioneers enterprise-wide security practices and technology to save time and cut cost. We enhance comparative advantage within financial services and government agencies. Our real time intelligence is deployed worldwide for contingency capability, executive decision making and strategic threat assessment.

mi2g Research Methodology: The Frequently Asked Questions (FAQ) List is available from here in pdf. Please note terms and conditions of use listed on www.mi2g.net



Full details of the October 2004 report are available as of 1st November 2004 and can be ordered from here. (To view contents sample please click here).

[larkost]

Boondoggle: this is web... you can simply link to an article... you don't have to cut-and-paste... and I am sure that we were all aware of the article.

[jamil5454]

If you want secure, go Debian or OS X on PPC hardware. Most Linux security breaches are based on buffer overflows which are based on x86 assembly. This will at least block script kiddies from downloading well-known exploits and running them against you. If you have enough RAM and don't want to learn "under the hood" stuff then get OS X. I agree that Quartz uses a lot of RAM but I disagree that X11 does. KDE and GNOME use the RAM, not specifically X11. If you use a simple window manager like blackbox then it shouldn't eat up your resources. I'm running linux web/file server - slackware 9.1 on an AMD k-6 233 with 32mb RAM using blackbox and it's running pretty decently.

[foamy]

Go with OSX.

You're leaving now and he'll be leaving in the future. Knowing a lot of biologists, I am one, I think it will be much easier for the *next* person to admin the server if it is OSX. There are a lot more Mac-heads in the realm of Biology than there are Linux guys; not the case in other disciplines like structural biology, but in micro, you're a lot more likely to find a person that can step in and learn to admin the box, if it is OSX.

[Gavin]

Ultimately you are making a business decision here so let's look at it from a management point of view.

1. Money

You already own the mac hardware. There is no x86 hardware that is cheaper than free.

2. Your linux guy is a single point of failure.

This is a huge problem! This alone is the deal breaker.

When he leaves or is hit by a bus you will be stuck with a server that no one knows how to maintain. With a mac in a mac lab anyone there can likely fix the problems. You can also move the service to any other mac in the room if there is a physical problem.

3. Organizational expertise.

Security is only as tight as your knowledge. You are here reading this board and probably get up to date info on mac security issues, even if only through cultural osmosis. Others in your lab likely do the same. Unless your win/x86 guy really gets into linux and reads slashdot, etc. he will not be as current on the linux issues as you are with the mac, and can never be as current as the whole group. If you go with linux you have one brain, if you go mac then everyone in the lab adds something.
Your DNA lab has organic knowledge.

4. Man hours and learning curve.

A linux guy can learn the BSD parts of OSX much easier than a mac guy can learn the admin tasks required on a linux system. In fact your friend will get more out of it because it will broaden his unix knowledge.

[Boondoggle]

Originally posted by larkost:
Boondoggle: this is web... you can simply link to an article... you don't have to cut-and-paste... and I am sure that we were all aware of the article.

I'm pretty sure we're all aware that people aren't always aware of all the available information, and that they don't always click on links.

Computers are good at storing information. For example my relevant post, as well as your off-topic one and this equally off-topic reply will be part of the public record for years at virtually no overhead.

That is how the internet works. Thanks for the help.

[Angus_D]

Originally posted by utidjian:
They do? For the Mac OS X Panther (not Server)? If so why hasn't mine been updated via SoftwareUpdate.app?

http://docs.info.apple.com/article.html?artnum=61798

[Dr.Michael]

I won't hesitate to use OS X not because of security reasons or software but because of general arguments:

- learning curve for new admins is flat
- integration into the lab system will be perfect
- training has been invested into Mac OS. To do the same for linux is pointless and MUCH more expensive than the few $ to invest into more expensive Apple hardware.
- and yes:

Originally posted by Gavin:
2. Your linux guy is a single point of failure.

This is a huge problem! This alone is the deal breaker.

-> find out a good way to make him understand this :o)

I am working with linux, Windows and Mac OS in parallel. The most complicated thing to setup is linux. No question. If it runs, it runs forever, but until it runs it will cost you weeks if you don't exactly know how to... (and thus have invested these weeks before).

The second important thing is that integration of linux into a mac network works but you avoid any problems if you integrate macs into a mac environment. No one knows what will happen. Try to connect an external hd to transport data between linux and mac (in case of network trouble). The only solution is format the drive with fat which can only be setup/repaired by a windows system.
Try to find out how to mount an external fat drive to a linux box and see how long it takes you until it works.

Try to find out how to make a bootable backup of the linux system that can be replayed in case of a hardware crash. I am working in a large scientific facility (250+ scientists, linux and vms based). We have a backup solution for our data (trivial), but not for our systems. Reinstall and reconfigure is the advice of our admins.
You might invest into a raid controller for the linux box. But then please revisit the price question.

Use Carbon Copy Cloner on a mac and its done. So your database will be faster back on the net in case of a crash if you use mac os.

-> this shows you, if something has to be done fast linux is not a choice unless you are a real linux AND mac crack.

[Millennium]

Originally posted by utidjian:
If a vulnerability is exposed for say, Apache, why shouldn't Apple provide the update via SoftwareUpdate.app? They do for OpenSSL/SSH.
When was the last update for Apache on Mac OS X?

I don't think it was updated in 10.3.6, but I think it saw an update in the last Security Update.

Apple does not generally update one app at a time unless the vulnerability is severe. However, they have been known to update Apache as part of their system upgrades. You don't normally see these upgrades actually named after the apps they update, but you can find this information in the release notes.

Also, it's worth noting that Apache 2.0 security issues are quite rare at the moment. Although there are new releases from time to time, not all of them are security-related.

[utidjian]

Originally posted by Angus_D:
http://docs.info.apple.com/article.html?artnum=61798

Thanks for the link... I read that one regularly.

The last update to Apache seems to be for v1.3.29 in Security Update 2004-01-26. As noted in the link in a previous post (http://www.apacheweek.com/features/security-v1.3.29) there are quite a few issues in the Apache 1.3.x series. There have been updates available for Fedora Core and Red Hat Linux as they become available from Apache addressing all the issues up to and including the present ones.
Apple seems to do a bit better for Mac OS X Server and Apache 2.0.x with the last update appearing around Security Update 2004-09-07 which includes an update to Apache 2.0.50.... which still has issues since that release.
My Fedora Core and Red Hat systems are running Apache 2.0.51 the most recent patch being http://lwn.net/Alerts/103526/ This also includes patches for CAN-2004-0811 but none seem to be available for CAN-2004-0942 and CAN-2004-0885 just yet.
Apple doesn't seem to be keeping up as well. Need more?

[utidjian]

Originally posted by Millennium:
I don't think it was updated in 10.3.6, but I think it saw an update in the last Security Update.

Apple does not generally update one app at a time unless the vulnerability is severe. However, they have been known to update Apache as part of their system upgrades. You don't normally see these upgrades actually named after the apps they update, but you can find this information in the release notes.

True... they can be buried sometimes. I DO read the release notes.

Also, it's worth noting that Apache 2.0 security issues are quite rare at the moment. Although there are new releases from time to time, not all of them are security-related.

Depends on your definition of rare: http://www.apacheweek.com/features/security-20

[gatekeeper]

mi2g history
Why is mi2g so unpopular?
Hysteria roll call: mi2g
Yet Another Instance of mi2g's Incompetence
mi2g - fud, lies and libel
Experts Challenge Mi2g Security Study

[Xeo]

Originally posted by Arkham_c:
There is no reason at all to get OSX Server for what you are looking to do. I run a web server, DNS server, email server, ftp server, and database server for 5 domains on a B&W G3 running Panther and it's reliable, fast, and secure.

Server just makes it easier (ie. less work) to do all that stuff. But the real feature of OS X Server is doing a central user authentication and home directories which is not something you (cenutrio) seem to be looking for. The only extra thing you'd need to install for client is the MySQL database server and MySql.com provides a package installer for that. It's really very easy.

[besson3c]

Originally posted by cenutrio:


Any PM G4 would do it, even iMacs with an upgraded HD. Easy.

If reliability is a concern, he'd want a machine (such as the XServe) where hardware can be carefully monitored. If space is concerned, he'd want it in a rack. In both cases, an iMac is not a great choice.

Besides even when i consider myself and my friend quite knowledgeable we do not run linux servers in a daily basics, it can be trickier than it looks and using OSX apache or wherever is so much easier. That way people could be trained. There's no necessity of making things more difficult that they really are.

If you consider yourself quite knowledgeable, what webserver software would you be running under Linux/Unix? Most likely.. Apache.

I'm leaving but I think they're going to get in big s**t if the jump on the wiindows or Linux stuff.

Why do you think he would be getting into trouble by using Linux... learning curve?

[besson3c]

If you want the best possible server: FreeBSD, if you want a very good system with a shallow learning curve: OS X

I'd suggest putting the server in a climate controlled environment where the hardware can be carefully monitored. I'd suggest a rack if space is an issue. You definitely want to back stuff up, a tape drive might be good for that.

I suggest FreeBSD over OS X because it has an excellent ports/package management system which makes it easy to keep everything up-to-date. Also, instead of waiting for monolithic updates from Apple and being forced to restart at the end of the update, you can update specific services piecemeal. If uptime is a priority for you, this is a big plus.

Plus, you'll likely get the security updates faster through FreeBSD. You can review each port update on a separate machine and put it into production when you are confident that it won't break things for you. With OS X, it's sort of update and pray.

[besson3c]

Originally posted by Xeo:
Server just makes it easier (ie. less work) to do all that stuff. But the real feature of OS X Server is doing a central user authentication and home directories which is not something you (cenutrio) seem to be looking for. The only extra thing you'd need to install for client is the MySQL database server and MySql.com provides a package installer for that. It's really very easy.

If you want MySQL optimized more for your system, compiling it is sometimes better. I'd suggest either something like Fink/Portage/DarwinPorts for OS X, or the native ports management included with your Linux/Unix distro.

[ginoledesma]

If you're concerned about uptime and guaranteed availability, I'd strongly recommend you give Linux a closer look. Though Mac OS X has come a long way, one thing I dislike is having to reboot for updates to certain software packages (system, security, airport, etc). With Linux, more often than not the only time I've had to reboot is because of an updated kernel. I can upate all other packages without fear of having to reset the server. Granted, you _can_ hold off the updates, but if security is an issue to you, you'd probably be itching to update.

As for the argument on maintainability, I don't see how MySQL+Linux is any harder to administer. Linux administrators who call themselves such should be comfortable with using the terminal, especially since remotely administering it may be common. Granted, this may be harder to train to regular staff, but that's why several programs are available to make administration easier. Webmin was already mentioned (this is good for administering the server itself over the web). For the database itself, one popular tool is Phpmyadmin. Can't go wrong with that. Also, it is possible to remotely administer the database anyway from the client OS of your choice, using your choice of admin applications.

[bgotori]

Hey cenutrio

Your better off with Linux, More programmers available... We had to let go one of the programmers at my lab, left an SUDO BackDoor for himself, was found by one of our other progammers... He was trying to steal some of our data... We do Cancer Research, wasn't really a good thing. We're trying to get 10-15 yrs for that guy with BUBBA and GUIDO at the FED PEN...

Linux has faster(and more)OS updates for security!!! OS X security is really lagging. thats why we stopped using OS X. BSD is Faster(Security UpDates)and also a good way to go. But getting programmers is kind of on a short list, thats why we didn't go that way...

As far as people telling you that OS X doesn't need security updates that often they don't do any really secure type of work, PAYPAL and Banking and the like isn't very secure just look at all the problems they have(Everyday)...

But if you REALLY WANT Security UNIX is the ONLY WAY!!! No one has EVER Cracked UNIX. They'll get by the first and maybe the second system but they've got 8 more to go and now even more... Thats were we keep all our Secure data, all the Uni Secure data is on UNIX servers... All of NCI, and NIH Secure data is on UNIX servers, in fact All Gov Secure data is on UNIX servers... NORAD was the first internet on-line system, they still on-line(well kind of) and nobodys ever gotten into them...

We run the Linux servers for on-line data updates with NCI and NIH.

Oh one more thing... I Hope your NOT USING the free(so called)PCR crap that runs on OS X (the ones that run off the net), if you are, all the work your doing with them is also their's!!! So if your with some company you just gave all your work and research to them.


Good Luck!!!

Brad

[CharlesS]

Honestly, who cares? It's just a server. Linux is very good at being a server. As long as it's not a swiss-cheese Microsoft server, I really don't think this is worth fighting over.

[larkost]

bgotori: Where do you get the idea that there are more programmers for linux than there are for MacOS X? We are talking about web apps here and the exact same code that runs on linux runs on MacOS X... no changes.

Secondly, unix systems have been cracked repeatedly, and those holes are fixed. This is on ongoing thing. In fact most of the wholes are shared across the whole posix spectrum, including MacOS X. Different exploits may be unusable on some platforms (MacOS X tends to see less privilege-escalation holes than linux... the worst sort), but when something like OpenSSL is found to be comprisable the whole gamut has to correct for it: linux (all distros), Solaris, MacOS X, IRIX, the BSD's, etc...

The reason that systems like NORAD's network are not easily exploitable is because they are not generally connected to outside networks (in addition to all of the other security precautions). In order to even try and attack them you would have to defeat the physical security measures and make it to a connected terminal. At that point other methods (such as social engineering or slat out spy-work) are more effective.

While *nix servers are generally much more secure than other OS's, that is not the main reason that large institutions use it... the main reason is that *nix is one of the very few families of OS's that was developed with very large computers in mind (>4 processors). Without that, you could not run the enormous databases.

The patches for these problems are generally available to all very shortly. Apple has a great record of promptly providing patches to serious problems. They have wisely chosen to hold minor patches until there is a group to go out (keeps people from being overwhelmed and allows for better testing... see Microsoft for reasons why this is good). Do you have an example of a security hole that Apple has not patched in a timely manner?

And a lot of the patches that you can install on the fly for linux only take effect when that service is restarted. Most people don't restart the service until they restart the machine. You can also do this on MacOS X, but Apple is aiming at the common denominator.

[besson3c]

Originally posted by larkost:
bgotori: Where do you get the idea that there are more programmers for linux than there are for MacOS X? We are talking about web apps here and the exact same code that runs on linux runs on MacOS X... no changes.

Nope... x86 code will not just magically run in OS X.

The patches for these problems are generally available to all very shortly. Apple has a great record of promptly providing patches to serious problems. They have wisely chosen to hold minor patches until there is a group to go out (keeps people from being overwhelmed and allows for better testing... see Microsoft for reasons why this is good). Do you have an example of a security hole that Apple has not patched in a timely manner?

Apple is fine about releasing patches for their OS, but running a server often requires more attention to the operation of the services, not just securing the OS. It is far more efficient to download/compile service updates as they arrive, test them on a test machine, and put them into production than it is to just wait for that next Apple release that includes this update. Besides, the services that are included with Apple are often pretty behind the curve. For instance, the latest version of Apache 1.3 is 1.33, 1.29 is included with OS X client 10.3.6.

And a lot of the patches that you can install on the fly for linux only take effect when that service is restarted. Most people don't restart the service until they restart the machine. You can also do this on MacOS X, but Apple is aiming at the common denominator.

Also incorrect... I'm constantly restarting specific services after updating. Some require restarts for changes to take effect (e.g. Apache, BIND, etc.). This is just flat out wrong.

I don't know why Apple makes you restart your whole machine after many security updates, when in many cases all that is necessary is to restart the updated service.

[besson3c]

Originally posted by CharlesS:
Honestly, who cares? It's just a server. Linux is very good at being a server. As long as it's not a swiss-cheese Microsoft server, I really don't think this is worth fighting over.

It is very inconvenient in our environment here to have to plan a restart for the server, since people are connected to the server for most of the day. It is far more efficient to update and secure your system by using a ports/package management system to update services as updates/patches arrive, and restarting the service. This is a big deal.

There are other relevant considerations here when deciding between OS X and Linux/Unix. These are not decisions I'd blow off considering how the original poster has put an emphasis on security.

[cenutrio]

Originally posted by besson3c:
If reliability is a concern, he'd want a machine (such as the XServe) where hardware can be carefully monitored. If space is concerned, he'd want it in a rack. In both cases, an iMac is not a great choice.

If you consider yourself quite knowledgeable, what webserver software would you be running under Linux/Unix? Most likely.. Apache.

Why do you think he would be getting into trouble by using Linux... learning curve?

Again, the database is going to be very small, few hits/day.

Also, we are scientist here. We know how to set up apache in OS X and are very used to the hardware and software. It is not like we have much available time to set up a Linux box and learn how to handle the server in a different OS

[cenutrio]

Originally posted by bgotori:
Hey cenutrio

Oh one more thing... I Hope your NOT USING the free(so called)PCR crap that runs on OS X Good Luck!!!

Brad

Yeah, I heard about those rumors too, now you confirmed it.

We mostly use MacVector and Vector NTI.

Thanks for the feedback,

[besson3c]

Originally posted by cenutrio:
Again, the database is going to be very small, few hits/day.

Also, we are scientist here. We know how to set up apache in OS X and are very used to the hardware and software. It is not like we have much available time to set up a Linux box and learn how to handle the server in a different OS

Well, if you don't have the time to learn something new, why the thread?

[cenutrio]

Originally posted by besson3c:
Well, if you don't have the time to learn something new, why the thread?

Ok, do not get me wrong here. I love to learn new things by definition. But I'm leaving from this lab soon. My opinion is considered around here (at least my coworkers consult me about computer related problems and usually ask me to fix them). If they ask me I would like to provide quality feedback on the subject. Probably, I will just provide this link since everybody was quite fair. I think they can get many good answers from people well versed on the subject.

I just wanted feedback, and most of it was excellent, to learn about the up and downs of both options to get a knowledgeable opinion (which involves learning somehow). I think.

I have nothing against Linux. I want to make that clear.

And again thanks,

[besson3c]

Originally posted by cenutrio:
Ok, do not get me wrong here. I love to learn new things by definition. But I'm leaving from this lab soon. My opinion is considered around here (at least my coworkers consult me about computer related problems and usually ask me to fix them). If they ask me I would like to provide quality feedback on the subject. Probably, I will just provide this link since everybody was quite fair. I think they can get many good answers from people well versed on the subject.

I just wanted feedback, and most of it was excellent, to learn about the up and downs of both options to get a knowledgeable opinion (which involves learning somehow). I think.

I have nothing against Linux. I want to make that clear.

And again thanks,

For the record, I'm not advocating Linux... FreeBSD.

Linux, in addition to being a good server, seems focused on being a Desktop replacement for Windows - someday. FreeBSD is built to be a server OS, I have nothing but good thigns to say about FreeBSD as a Server.

This month's Netcraft top uptimes were FreeBSD servers.

[bgotori]

Hey cenutrio

WOW how do you find time to do any computer work... I dabbled in computers at the Old Tissue Typing Lab at UCLA setup all the hardware systems(No software and Not Good at it)for the Typing Lab, kind of a full time job...

Got back to doing science, when Varmus was ending his time a NIH... Can't see being able to do both at once... Doesn't your company think your wasting their Money doing both, or is the company a start-up... Once I got back into science, the only time I have to play on a computer is when my data sets are running, and I need a break to clear the head, and than it just to look on the Web Boards...hahaha

As far a PCR stuff, we don't do any of that... We're developing a genetic test method that uses whole blood cells just spun down(Not at Full Speed)and pulled(Yea their still alive non-buffered) .


Good Luck with your New JOB!!!
Whoever gets you is getting a bounce!!!

Brad

[bgotori]

opps