[Linux-aus] Now tell the rest of the story...

Tue Mar 23 08:44:02 UTC 2004

    http://www.linuxworld.com.au/index.php/id;1607539824

> "The reason viruses are written for Microsoft is because most people use
> it," Steckler said. "If 90 percent [of software] was open source there would
> be just as many attacks, only worse. Imagine smart hackers with [access to]
> source code."    

The vast majority of viruses arrive by email. The single most-used email 
client is Microsoft Outlook. Outlook's security sucks (as in, "it could 
suck-start a leaf blower", to borrow a quote from True Lies). People write 
viruses for Outlook because they _can_. In security terms, it's as easy as 
pushing ducklings into a pike pond.

The simple fact of life is that if you eliminate Outlook you eliminate most 
viruses - and therefore also most of Symantec's market. I would not expect a 
Symantec exec (or Sophos exec, Norton exec etc) to come out and say that, 
because amongst other things it would be just about demanding a suit from a 
disgruntled shareholder. True statement, Vince?

As well as not being designed from the days of MS-DOS to have security that 
sucks, the Open Source email clients have several positive attributes which 
are important for security. One of them is that their security is checked by 
people with a wide-ranging diversity of methods and opinions, another is that 
there are many of them, with no single client dominant. This makes them more 
rugged and massively dilutes any monoculture effects.

Smart hackers (and smart crackers, even though that sounds like a 
contradiction in terms) have access to the sources for Outlook, as well as 
(naturally) to all of the Open Source clients. The difference is, the 
white-hats don't have anything like as much exposure to Outlook's source or 
opportunity to effect repairs to it as the black hats have exposure and 
opportunity to break it.

It's the good old "if guns were closed source, only crackers would have guns" 
scenario. If the full source for Outlook were officially published, there 
would be a monstrous rash of exploits which tailed off to near zero after a 
few months as white-hats who are forced to use and support it regardless of 
personal preference contribute patches to harden it. I say "near zero" 
because the architecture is fundamentally ramshackle: true security awaits a 
complete rewrite.

> "We don't see as many [security] patches for open source because of its
> market penetration and security companies are writing software for 90
> percent of the market," Krasovitsky said.  

We see heaps of security patches for open source now, and have done for many 
years - evidently Greg's not looking in the right places. My Mandrake Linux 
servers automagically apply more than a patch a week to themselves. The 
difference is in the scale of the vulnerabilities and the modularity of the 
software involved.

Far fewer of the security issues are legs-in-the-air showstoppers, and it's 
far easy to make a nice, modular, testable patch which fixes the problem 
without breaking anything else.

From the incestuous innards of Microsoft Windows comes side-effect after 
side-effect as the security engineers try to replace a single card in this 
massive house of cards without bringing the whole edifice crashing down. 
Patch re-releases are legion, but I can only remember one major open source 
patch being re-released and that wasn't because of side-effects, it was 
because there was more to fix.

I remember Microsoft's Vinod Vallopillil noting that "Any idiot could write a 
driver in 2 days with a book like 'Linux Device Drivers' -- there is no such 
thing as a 2-day device-driver for NT". Software that much more accessible is 
much easier to manage, and it follows that it is also much more likely to be 
secure.

As an example, a fixed version of KDE was released 90 minutes after one 
security flaw was detected, and to paraphrase Vinod, "there is no such thing 
as a 90-minute patch from Microsoft".

Cheers; Leon