mopz0506
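Post #15
Posted: 2005-08-11 17:16
fiag: Linux has no virus-defense tools, and I don't know whether that is good news or bad. Not being mainstream may be part of the reason; maybe virus writers just prefer to take on M$.


Yes, it does.

There are open-source ones such as ClamAV, as well as commercial products such as Kaspersky, McAfee and CA eTrust.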
abc@home
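Post #16
Posted: 2005-08-11 17:16
Mi2g Ltd is itself a habitual liar and cannot be trusted.

Is there any basis for that claim?

Whether it is Mi2g Ltd that is lying or you who are talking nonsense, everyone should be able to judge for themselves.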



WINXP SP2 MAXTHON (UNICODE) PROXOMITRON
pippo
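Post #17
Posted: 2005-08-11 17:16
netdream: Haha, I am promoting it in our lab too, but so far I have only one taker. The others can't even use things like Maxthon, so it is a fairly hard sell.

Geez, you stole my avatar. Pay up...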
mopz0506
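Post #18
Posted: 2005-08-11 17:16

Is there any basis for that claim?

Whether it is Mi2g Ltd that is lying or you who are talking nonsense, everyone should be able to judge for themselves.


I am only saying that something is off about Mi2g Ltd. Reports from other consultancies, Yankee included, that say Linux is bad are at least internally consistent.

As for the security of Linux, I have no particular opinion.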

http://attrition.org/errata/charlatan/mi2g-history.html

Security company mi2g is fond of telling customers and the media that it has been "collecting data since 1995". This is a clear distortion of facts, made up by combining their current business with the fact the business was originally founded in 1995. However, if you look at their history, you will see that they were not doing security work in 1995 and very likely not collecting attack data. Look at a brief history of mi2g and a cornerstone of their lies:
Aside from selling security services and information, their other business is selling automotive information:

http://www.carlounge.com

Carlounge was one of mi2g's original businesses (circa 1996). Started as a message board/portal thingy:

http://web.archive.org/web/199812020501 ... /setup.htm

They also operated a cheesy search engine called Middle East Information Database Search (MIDAS):

http://web.archive.org/web/199612280237 ... .mi2g.com/

At the time, Chairman DK Matai was working on his PhD in "high-performance computing (HPC)" in 1996:

http://web.archive.org/web/199612192201 ... .mi2g.com/

In short, mi2g looked like a wanna-be website/e-commerce development company (motto: Bringing The Web To The World) until about 1999.

Suddenly, mi2g morphed into a "security intelligence provider":

http://web.archive.org/web/199910130629 ... /mi2g.com/

    "By integrating state-of-the-art software engineering technology with super computing capability, mi2g is revolutionising the world of eCommerce and for the first time maximising the return from the internet whilst minimising the risk. mi2g software is a London based eRisk management enterprise that is at the leading edge of building secure on-line trading, broking and banking architectures around the world."

At the same time Matai appears to have morphed his academic program. According to this 1999 page, Matai had dropped HPC and was "in the process of submitting his PhD thesis on The Creation and Protection of Online Wealth in Computing at Imperial College (London University)":

http://web.archive.org/web/199904220258 ... /mi2g.com/

Matai's PHD was submitted between 1995-1999 according to one press release. In 2003, there is still no reference to Matai with a PhD title. Looking at one of the sparse references to "Matai + PhD", this March 2003 Complexity Digest quotes Matai w/o a PhD title, while quoting several others as such. I'm sure that if Matai had actually finished the PhD he had been touting, he would have requested credit as such.

mi2g is quite up front about the fact that they learned everything they know about security from running Carlounge:

http://web.archive.org/web/199910130629 ... /mi2g.com/

    "Through the counter-attack techniques developed on mi2g lounges, which have 3½ Million users to protect and grow, the SIPS team is continuously identifying where the emerging weak points are in the threat from the internet and computer dial-in."

E.g. in 1999 mi2g pulled some numbers out of its arse, "There have been over 1,700 serious attacks world-wide in the first half of this year, costing more than £4.3 billion":

http://web.archive.org/web/199910130629 ... /mi2g.com/

Why is this figure important? Checking the Attrition defacement mirror, you will find we recorded 3746 defacements in 1999. Divide by 2 and you get 1837, which is conveniently close to their "over 1,700" number. Given they had no public quotes or evidence of being in the security field, or tracking attacks.. this number is very suspect.

In summary, mi2g has not been in the security industry since 1995. The continued claims of collecting data that far back are unsubstantiated and unverified. DK Matai's insistence of working on a PhD in information security appear to be nothing more than wishful thinking. These are cornerstones of mi2g's claims of being experts in the field, and appear to be lies.
mopz0506
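Post #19
Posted: 2005-08-11 17:16
What consultancies put out really doesn't amount to much.

I have even seen one company where one department put out a report saying Linux has a high TCO, while another department pushed Linux hard, using its own internal deployment of Linux to lower TCO as the case study (an IM application, I think?).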
abc@home
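Post #20
Posted: 2005-08-11 17:16

What does "internally consistent" mean? That the data show Linux is insecure, but the report still manages to argue that Linux is secure?

[quote]
...


The article you quoted is about whether Mi2g Ltd started its security-related business in 1995 or only in 1999. How much does that have to do with this security report?

"Mi2g Ltd tells customers it started its security-related business in 1995, but someone points out that Mi2g Ltd actually only started it in 1999": we don't even know whether that accusation is true, so how can it be used to dismiss Mi2g Ltd's 2004 security survey report?

If there are articles showing that any of Mi2g Ltd's survey reports are incorrect, feel free to post them; those might have some reference value.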



WINXP SP2 MAXTHON (UNICODE) PROXOMITRON
mopz0506
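Post #21
Posted: 2005-08-11 17:16

What does "internally consistent" mean? That the data show Linux is insecure, but the report still manages to argue that Linux is secure?


By "internally consistent" I mean exactly the literal sense: the report has no logical problems within itself. Some people may question the methods the report uses, but that is a separate matter.

That is, if a report says early on that I was born in 2000 and later says I am 5 this year, it is internally consistent; if it later says I am 1 this year, it is not, because this year is 2005.

[quote="abc@home"]
The article you quoted is about whether Mi2g Ltd started its security-related business in 1995 or only in 1999. How much does that have to do with this security report?

"Mi2g Ltd tells customers it started its security-related business in 1995, but someone points out that Mi2g Ltd actually only started it in 1999": we don't even know whether that accusation is true, so how can it be used to dismiss Mi2g Ltd's 2004 security survey report?

If there are articles showing that any of Mi2g Ltd's survey reports are incorrect, feel free to post them; those might have some reference value.[/quote]

As I recall, the Mi2g survey report that concluded Linux is the least secure claimed that the data it analysed had been collected by Mi2g itself starting in 1995.

That is why I say it is not internally consistent.

As for the accusation, its sources are all pages from Mi2g's official website over the years as preserved by archive.org, so it should be fairly reliable.

Of course, one cannot rule out that Mi2g's security research began in 1995 as a secret, underground-style operation and only went public in 1999.

In any case, as you said, everyone should be able to judge for themselves.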
mopz0506
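Post #22
Posted: 2005-08-11 17:16
>As I recall, the Mi2g survey report that concluded Linux is the least secure claimed that the data it analysed had been collected by Mi2g itself starting in 1995.

I checked some articles online (but did not find the original report), and it seems I misremembered this sentence; the data sample may have been collected over some period between 2003 and 2004.

Still, if Mi2g claims to have been doing security research since 1995 but actually started in 1999, that is still lying.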
mopz0506
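Post #23
Posted: 2005-08-11 17:16

Mi2g analysed 235907 attacks against networked computer systems worldwide between November 2003 and October 2004. Of the 235907 attacks in the study, 65.64%, that is 154846 attacks, targeted Linux systems; attacks on Windows systems accounted for 25.19%, while Mac OS X or BSD Unix accounted for only 4.82%.


It seems this report only counted manual intrusions, and systems compromised by viruses and worms were not included? Otherwise I can't see how attacks on Linux could outnumber attacks on Windows.

I don't know how Mi2g did the counting. Does the original have to be paid for? I can't seem to find it online.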
abc@home
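Post #24
Posted: 2005-08-11 17:16
>As I recall, the Mi2g survey report that concluded Linux is the least secure claimed that the data it analysed had been collected by Mi2g itself starting in 1995.

I checked some articles online (but did not find the original report), and it seems I misremembered this sentence; the data sample may have been collected over some period between 2003 and 2004.

Then go and read it through carefully:


Still, if Mi2g claims to have been doing security research since 1995 but actually started in 1999, that is still lying.

Whether this company has deceived its customers, I don't know and have no opinion.

As for whether this report is fabricated, I don't know either; let everyone judge for themselves.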



WINXP SP2 MAXTHON (UNICODE) PROXOMITRON
mopz0506
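Post #25
Posted: 2005-08-11 17:16

Whether this company has deceived its customers, I don't know and have no opinion.

As for whether this report is fabricated, I don't know either; let everyone judge for themselves.


Everyone has seen the result of the statistics; as for what exactly was being counted, and what kind of person is issuing the report, that is unclear, heh.

I can also give a few statistics proving Linux is far more secure than Windows. So what? You would just come back with a couple of statistics proving Windows is far more secure than Linux.

In the end it proves nothing; it only shows that we can always control the outcome of statistics by carefully choosing what to count.

Statistics obtained from a vote by Linux users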


Behind The Numbers: Linux Gets High Marks For Security
http://www.informationweek.com/shared/p ... =165700960


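CERT vulnerability database statistics. This article uses the data as of its publication, which is fairly old. Under CERT's rules, vulnerabilities rated 40 or above are considered quite serious. I just checked, and if I have not miscounted: Windows has 250 vulnerabilities in total, 36 of them with a severity above 40; Redhat has 57 in total, 3 of them with a severity above 40; Linux has 120 in total, 6 of them with a severity above 40.

Does that prove Linux is more secure than Windows? I don't think so.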


http://www.theregister.co.uk/security/s ... inux/#cert
CERT Vulnerability Notes Database Results

The United States Computer Emergency Readiness Team (CERT) uses its own set of metrics to evaluate the severity of any given security flaw. A number between 0 and 180 expresses the final metric, where the number 180 represents the most serious vulnerability. The ranking is not linear. In other words, a vulnerability ranked 100 is not twice as serious as a vulnerability ranked at 50.

CERT considers any vulnerability with a score of 40 or higher to be serious enough to be a candidate for a special CERT Advisory and US-CERT technical alert.

We queried the CERT database using the search terms "Microsoft", "Red Hat", and "Linux". [9] While the CERT web search capabilities do not produce perfectly desirable results in terms of granularity or longevity. This is especially true for the search results for "Red Hat" and "Linux". The "Linux" search results include a number of Oracle security vulnerabilities that are common to Linux, UNIX, and Windows. The details of the most severe "Red Hat" entry does not even list Red Hat as a vulnerable system. The results for the "Microsoft" search seem to be almost entirely accurate, inasmuch as both the details and entries refer to flaws in Microsoft-specific software. As a result, the results are somewhat unfairly skewed against Linux and Red Hat. Nevertheless, even if one takes the results at face value and ignores the skewed results for Linux and Red Hat, Microsoft still produces the most entries in the CERT database, and the list of entries contain the most severe flaws.

The CERT results for "Microsoft" returned 250 entries, with the top two entries containing the severity metric of 94.5. Thirty-nine entries have a severity rating of 40 or greater. The average severity rating for the top 40 entries is 54.67. (We chose to average 40 entries instead of 50 or more because the Red Hat search only returned 49 results.)

The CERT results for "Red Hat" returned 46 entries. The top entry has a severity metric of 108.16. Only 3 (vs. 39 for Microsoft) entries have a metric of 40 or greater. The average severity for the top 40 entries is 17.96.

The CERT results for the "Linux" search returned 100 entries. The top entry has a severity metric of 87.72. Only 6 of the entries carry a severity metric of 40 or greater. The average severity for the top 40 entries is 28.48.

These results cannot be expected to mirror our own analysis of recent vulnerability patches. The CERT search criteria and date ordering is different, and the CERT search does not confine the products to Windows Server 2003 and Red Hat Enterprise Linux AS v.3. But the CERT results reflect how Windows security flaws tend to be far more frequently severe than those of Linux, which echoes our conclusions.


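The number of defects reported by Coverity's static code scanning tool. Synopsys, Oracle, Wind River, nVidia, VMWare and Veritas are all customers of this company.

That version of the Linux kernel had 5.7 million lines of code in total, and 985 bugs were found. Commercial software of comparable size has between 5700 and 40000 bugs. In other words, the quality of the Linux kernel is far better than that of commercial software.

In the results Coverity released just a couple of days ago, the new 2.6.12 kernel has 6.3 million lines of source code, and the defect rate dropped by a further 2%.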


http://www.informationweek.com/shared/p ... =167100724
http://linuxbugs.coverity.com/linuxbugs.htm
http://news.com.com/2102-1002_3-5489804 ... util.print

Security research suggests Linux has fewer flaws

By Robert Lemos
http://news.com.com/Security+research+s ... 89804.html

Story last modified Mon Dec 13 17:57:00 PST 2004


The Linux operating system has many times fewer bugs than typical commercial software, according to an upcoming report.

The conclusion is the result of a four-year research project conducted by code-analysis company Coverity, which plans to release its report on Tuesday. The project found 985 bugs in the 5.7 million lines of code that make up the latest version of the Linux core operating system, or kernel. A typical commercial program of similar size usually has more than 5,000 flaws or defects, according to data from Carnegie Mellon University.

"Linux is a very good system in terms of bug density," said Seth Hallem, CEO of Coverity, a San Francisco company that makes flaw-detection tools for software written in C and C++ programming languages.

Code-analysis tools typically use software-design principles to analyze a program's source code and flag any possible problems. Microsoft already uses such tools widely in its internal development, and many compilers are starting to include rudimentary versions of the programs as well. The tools are also being used to tame the wild coding prevalent around the Web.

Though Coverity does not have any data about the relative frequency of flaws in Microsoft's Windows operating system, the latest data will likely feed the debate between the various proponents of Linux, Mac OS X and Windows over which operating system is more secure.

A recent report, for example, found that Red Hat Linux had fewer critical flaws than Microsoft Windows. Another research paper, prepared by Forrester Research and hosted on Microsoft's Web site, favored Windows. Yet another code analysis firm, however, last year analyzed the core networking code used in Linux and found few flaws.

Coverity has not analyzed the source code to Microsoft Windows because the company does not have access to the source code, Hallem said. Apple Computer's Mac OS X has a great deal of proprietary programming, but the core of the operating system is based on BSD, an open-source operating system similar to Linux.

Hallem stressed that the research on Linux--specifically, version 2.6 of the kernel--indicated that the open-source development process produced a secure operating system.

"There are other public reports that describe the bug density of Windows, and I would say that Linux is comparable or better than Windows," he said.

A representative of Microsoft could not immediately comment on the Coverity study.

The research suggests that the Linux kernel scored better than run-of-the-mill commercial code. Proprietary software, in general, has 1 to 7 flaws per thousand lines of code, according to an April report from the National Cybersecurity Partnership's Working Group on the Software Lifecycle, which cited an analysis of development methods by the Software Engineering Institute at Carnegie Mellon University.

For a 5.7 million-line program, such as version 2.6 of the Linux kernel, that roughly adds up to between 5,700 and 40,000 flaws.

Microsoft uses analysis tools similar to those in Coverity's study to vet its Windows code. One tool, known as PREfast, runs on each developer's workstation to check code for simple problems. The other tool, PREfix, is run every night on the Windows source code to catch more complex issues.

Coverity's Hallem acknowledged that by running similar tools to its own, Microsoft likely had reduced the number of defects in Windows.

Coverity plans to provide regular bug analysis reports on Linux and make a summary of the results available to the Linux developer community.
abc@home
Post #26
Posted: 2005-08-11 17:16
mopz0506

So there are statistics showing that Windows has more flaws than Linux, yet Linux has more intrusion cases than Windows.

Heh, how to explain that, I don't know.



WINXP SP2 MAXTHON (UNICODE) PROXOMITRON
desatan
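Post #27
Posted: 2005-08-11 17:16
Linux had a hacker flavor from birth, so of course it gets more manual attacks from hacker-type geeks than Windows does.

But Linux vulnerabilities get fixed very quickly, which may be one reason automated attacks cannot run rampant on Linux.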
mopz0506
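Post #28
Posted: 2005-08-11 17:16

So there are statistics showing that Windows has more flaws than Linux, yet Linux has more intrusion cases than Windows.

Heh, how to explain that, I don't know.


Heh, without access to the paid original it is probably hard to work out how those statistics were actually calculated and how the data sample was obtained, so their significance is greatly diminished.

As I said earlier,


It seems this report only counted manual intrusions, and systems compromised by viruses and worms were not included? Otherwise I can't see how attacks on Linux could outnumber attacks on Windows.


Even if only manual intrusions were counted, this result still surprises me. In my personal experience, the script kiddies on the net are far more familiar with 3389 than with ssh.

That is why I say statistics mean little to most people, and they demand a lot of the statistician's integrity. And Mi2g Ltd, I feel, happens to fall into the category whose integrity is not so good.

Even if the statistician is not deliberately misleading, correctly understanding what the statistics mean still requires the reader to have deep knowledge of the subject being counted; otherwise one cannot judge their correctness and reasonableness.

So things like performance tests, statistics and TCO figures are worth a glance and nothing more; there is no need to take them seriously, much less to use them as grounds to demand of the other side, "Do you have statistics to back that up?"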
mopz0506
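Post #29
Posted: 2005-08-11 17:16
desatan: Linux had a hacker flavor from birth, so of course it gets more manual attacks from hacker-type geeks than Windows does.


Hard to say.

It is just like "Windows is attacked easily because it is so widely used": it sounds reasonable, but it may simply be taken for granted.

[quote="desatan"]
But Linux vulnerabilities get fixed very quickly, which may be one reason automated attacks cannot run rampant on Linux.[/quote]

As for who fixes vulnerabilities faster, different statistics have reached completely opposite conclusions. Whom to believe is up to you.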