The security blame game

You can't turn Windows' installed base on a dime, but you can turn it eventually. In four or five years, the true nature of the struggle between the methodologies of Microsoft and the open source community may finally begin to emerge. My hunch is that both strategies will produce reliable and secure software, and that competition between them will benefit everyone. Neither strategy will deliver perfect security, of course, because no such thing exists. We'll always be assessing risks and making trade-offs. [http://www.infoworld.com/article/03/09/05/35OPstrategic_1.htm]
Last week's column provoked more than the usual number of responses. Here are some of them.

Dan Gaters:

While any OS might be vulnerable to security attacks to some extent, the problem is that the OS that dominates 95% of the market has been quite problematic for over a decade.

From a hacker's POV if the market looks like:

Windows: 95%
Others: 5%

it's easy to see what would get targeted.

However, if the market looked like this:

Windows 9/XP: 35%
SuSE/Debian/Mandrake: 20%
Mac OS 9/X: 20%
Red Hat: 15%
*BSD: 5%
Others: 5%

the target would not be so obvious, given the fact that methods of attack and conduits of transmission would not be predictably the same. From agriculture to finance, we try to avoid monoculture, why do we foolishly tolerate it software?

Dan, I agree. Monoculture delivers economies of scale by externalizing costs, but the costs don't go away. And yet...it's seductive. See next letter.

Aaron Cohen

I enjoyed reading your article "Security blame games" but I noticed that it mentioned that :

"If more people used Linux and/or Mac OS X, more attackers would exploit the vulnerabilities of these systems."

This is where the fact that there are multiple distributions/flavors of Linux comes in handy. Yes, there will be more viruses that will be aimed at linux, but not all distributions will have the same security holes. Different distributions can run different types/configurations of software. So when a whole slew of viruses for Linux come out they will probably be aimed at a certain distribution of Linux that has that vulnerability. It is easier to switch to a different distro of Linux without the vulnerability than wait for Microsoft's next more secure operating system (Longhorn release date 2005).

Good article!

Aaron: Point taken. I must admit, though, that when trolling for a piece of software to add to my collection, I am not immune to the allure of a Windows or MacOS binary that I know will just work, versus a Linux binary or source download with unknown version and dependency issues. Monoculture may be an unhealthy vice, but it has its virtues too.

Jim Mooney

The premise of your article is unfounded.

You state that if Macs were the majority, that there would be viruses for it as well.

There is no basis for that "fact". It is not a fact at all.

You are misleading your readers.

The fact is there are no viruses for Mac OS X provided you are Microsoft-free (some nasty scripting problems with Outlook and Entrourage which due to Microsofts poor programming standards allowed to trickle in). Any updates are done automatically and allow the user to continuously be a safe computer user. There is no need for a user to go out of their way, it just works and updates itself.

There are a lot of journalists writing about OS X and Macs and they indeed do not know the real facts. Perhaps you could take 10 minutes and do some research and perhaps try using a Mac for a day (safely may I add).

Jim: I do use a Mac, every day. Also Windows. Also Linux.

Ralph Loader

You wrote:

If more people used Linux and/or Mac OS X, more attackers would exploit the vulnerabilities of these systems.

eventually drawing the conclusion that

... any dominant software player would have created a similar mess.

This is easily seen to be wrong. For web serving software, Apache is the dominant player, with Microsoft's product in a distant minority, but still dominating real life security problems.

Examining my web server logs for connections from web server worms, I see hundreds of hits per day from compromised machines running MS software, and a few a year from others. On that metric, MS web servers are tens of thousands times worse than the more popular Apache web server.

In any case, the number of attackers writing viruses or worms that exploit vulnerabilities of a system seems pretty irrelevant. It only takes one worm written by one person to propagate over the Internet and cause havoc.

To my mind, the old adage "quality not quantity" sums up this matter well.

Ralph: Points well taken. I completely agree that the open source methodology of collaboration and review produces software that is inherently more secure, and that gets fixed faster when vulnerabilities do surface. The question that we'll never be able to answer is: Would these qualities have emerged had open source not been an intense competitive reaction to the disastrous results produced by Microsoft's methodology, which the Trustworthy Computing initiative by its very existence admits was shoddy? A question that we will be able to answer in a couple of years, I think, is: What happens when a well-funded organization brings military discipline to bear on the problem of building secure and reliable software? Competition cuts both ways. We need an open source movement to challenge Microsoft, but we need a Microsoft to keep open source on its toes too. Example: buffer overflows continue to create vexing security problems on all platforms. Managed code is not a panacea, but it sure helps. And the next version of ASP.NET is entirely a managed application. My point is not that Microsoft is blame-free. It patently is not. Rather, my point is that open source has pushed Microsoft to evolve in ways beneficial to everybody, and that Microsoft can (and I hope will) do the same for open source.

Doug Glenn

You're correct in that as Linux grows larger more worms or viruses will be targeted to it. You're also correct that the competition from Linux is causing Microsoft to finally begin reviewing its code and making it more secure. It may take a couple of years, but they will get it right eventually although it may take a rewrite from the ground up. They will even reach a point where they have as good security as the unices. But I believe by the time they reach that point, the migration to a OSS-based platform will have gone beyond critical mass and start them on a long downward spiral.

What I also believe, is that without competition from Linux, MS would have continued to go on with business as usual.

Doug: My crystal ball is cloudier than yours when it comes to predicting the fate of OSS relative to MS. But we agree that the competition is healthy.

Tracy Reed

You wrote:

Open source software partisans never seem to follow their argument to its logical conclusion, however. If more people used Linux and/or Mac OS X, more attackers would exploit the vulnerabilities of these systems.

Ah, but that is NOT the logical conclusion because open source software has FAR fewer vulnerabilities. Our email programs are not designed to automatically execute attachments or render HTML in a preview pane nor do we routinely operate our computers with administrator rights. These simple things make a HUGE difference in our susceptibility to viruses and worms.

Plus Linux is developing important new security technologies while Microsoft does nothing. Linux 2.6 has a system called SE Linux built into it. It is basically a system of important security restrictions which prevent programs from doing things they normally should not do. Are you familiar with Linux/Unix at all? Telnet to ultraviolet.org with username root and password root. Try to undermine the system in some way. You will find that you are unable to. Now that's impressive security! :)

Tracy: The default behavior of Microsoft email clients has been an unmitigated disaster, no argument there. Likewise the fact that a Windows user was historically a superuser by default. The questions now before us: Are things changing? Answer: Yes. How fast? Answer: Not fast enough.

I think Security-enhanced Linux is a great idea. But I wouldn't agree that Microsoft has "done nothing" in this area. The .NET managed-code initiative, with its emphasis on evidence-based secure code paths, is one important example. Palladium is another. The ultimate foundation for bulletproof security is, of course, a secure kernel that works hand-in-hand with securable hardware. Opponents of DRM (digital rights management) wish that Microsoft were doing less, not more, along these lines!

Craig Franklin

I am a Linux user. I agree with most of what you said in your article. The lack of competition is the major problem that created this mess.

We are angry because Microsoft has let these problems languish for years. They haven't needed to fix them, because there has been no real competition.

Why wouldn't we be angry? We were forced to buy a flawed product with an excessively high price.

Microsoft has been able to accumulate more than 49 billion dollars, while basic problems existed in its products. Their efforts are focused at maintaining their position in the market, not improving their products.

Microsoft should make money, but until they stop abusing their monopoly, expect more criticism when the next Sobig hits.

Craig: Agreed. When the next Sobig hits, Microsoft will have earned the criticism it receives.


Former URL: http://weblog.infoworld.com/udell/2003/09/08.html#a793