[Linux-aus] Now tell the rest of the story...
Leon Brooks
leon-olc at cyberknights.com.au
Tue Mar 23 08:44:02 UTC 2004
http://www.linuxworld.com.au/index.php/id;1607539824
> "The reason viruses are written for Microsoft is because most people use
> it," Steckler said. "If 90 percent [of software] was open source there would
> be just as many attacks, only worse. Imagine smart hackers with [access to]
> source code."
The vast majority of viruses arrive by email. The single most-used email
client is Microsoft Outlook. Outlook's security sucks (as in, "it could
suck-start a leaf blower", to borrow a quote from True Lies). People write
viruses for Outlook because they _can_. In security terms, it's as easy as
pushing ducklings into a pike pond.
The simple fact of life is that if you eliminate Outlook you eliminate most
viruses - and therefore also most of Symantec's market. I would not expect a
Symantec exec (or Sophos exec, Norton exec etc) to come out and say that,
because amongst other things it would be just about demanding a suit from a
disgruntled shareholder. True statement, Vince?
As well as not being designed from the days of MS-DOS to have security that
sucks, the Open Source email clients have several positive attributes which
are important for security. One of them is that their security is checked by
people with a wide-ranging diversity of methods and opinions, another is that
there are many of them, with no single client dominant. This makes them more
rugged and massively dilutes any monoculture effects.
Smart hackers (and smart crackers, even though that sounds like a
contradiction in terms) have access to the sources for Outlook, as well as
(naturally) to all of the Open Source clients. The difference is, the
white-hats don't have anything like as much exposure to Outlook's source or
opportunity to effect repairs to it as the black hats have exposure and
opportunity to break it.
It's the good old "if guns were closed source, only crackers would have guns"
scenario. If the full source for Outlook were officially published, there
would be a monstrous rash of exploits which tailed off to near zero after a
few months as white-hats who are forced to use and support it regardless of
personal preference contribute patches to harden it. I say "near zero"
because the architecture is fundamentally ramshackle: true security awaits a
complete rewrite.
> "We don't see as many [security] patches for open source because of its
> market penetration and security companies are writing software for 90
> percent of the market," Krasovitsky said.
We see heaps of security patches for open source now, and have done for many
years - evidently Greg's not looking in the right places. My Mandrake Linux
servers automagically apply more than a patch a week to themselves. The
difference is in the scale of the vulnerabilities and the modularity of the
software involved.
Far fewer of the security issues are legs-in-the-air showstoppers, and it's
far easier to make a nice, modular, testable patch which fixes the problem
without breaking anything else.
From the incestuous innards of Microsoft Windows comes side-effect after
side-effect as the security engineers try to replace a single card in this
massive house of cards without bringing the whole edifice crashing down.
Patch re-releases are legion, but I can only remember one major open source
patch being re-released and that wasn't because of side-effects, it was
because there was more to fix.
I remember Microsoft's Vinod Vallopillil noting that "Any idiot could write a
driver in 2 days with a book like 'Linux Device Drivers' -- there is no such
thing as a 2-day device-driver for NT". Software that much more accessible is
much easier to manage, and it follows that it is also much more likely to be
secure.
As an example, a fixed version of KDE was released 90 minutes after one
security flaw was detected, and to paraphrase Vinod, "there is no such thing
as a 90-minute patch from Microsoft".
Cheers; Leon