Editor's Note: No One Gets Out Alive!
Mar 25, 2005, 23:30
By Brian Proffitt
... that's the thing about Life.
This somewhat stark view is what usually gets me by on a trying and troubling day. It's extremely pragmatic, and very likely cynical, but it helps me put things into proper perspective. At the end of it all, did it really matter that I forgot to take out the trash?
This personal philosophy can also be applied to flaws, bugs, and holes that people find in software. All software, I would stipulate, has at least one bug. And, since it only takes one flaw to exploit software, you could make the case that all software is equally insecure.
[Enter dark grey clouds of doom, fire, and destruction]
But Brian, you say, didn't you just get back from vacation? Didn't you have a good time? Why are you being all Frank Miller?
Well, the answers are yes, yes, and because when I got back it was time for another round of Security Wars, with Linux and Firefox as the targets. And, frankly, having been away from the fray for a week, the arguments seemed all that much more silly.
In the oft-cited Security Innovations report, the number of bugs found in Red Hat vs. Windows 2003 was specified as more problematic for Red Hat. More bugs is a bad thing, according to the logic of a five-year-old or the context of the report, however you want to label it.
Context is always a tricky, tricky thing. I could write here that I honestly walked the Appalachian Trail this past week, and it would not be a lie. If you dug a little deeper, however, you would realize that no one could walk the entire 2,000+ mile trail in just under a week. (Few people have actually made the entire trail walk at all.) So, if you kept digging, I would clarify the context: that I was on the trail for a little more than 25 yards as it wound from the parking lot at Newfound Gap to the bathroom shelter. Not so glamorous, but it does not belie my original statement, either.
So, there are more reported bugs in Red Hat than Windows. This, I don't doubt. Because if you step back for a moment and think, you would realize that Red Hat's (and, indeed, all of Linux') known bugs are a good thing--because we know about them. How many bugs are in Windows 2003 that don't get reported? Or, when they are found, actually get repaired?
Some would say this is a specious argument, that I am claiming flaws based on zero evidence. Ah, but is it zero? After all, it isn't Linux zombies or OS X zombies that are out there throwing spam at my computer. So there's one piece of evidence. Another is the very arguments proprietary vendors have used this week when Firefox 1.0.2 came out. "Firefox is being patched!" they cry, "It must therefore be insecure!"
So, a product (open source or otherwise) finds a hole and then when it fixes it, it is somehow admitting some kind of weakness. Kind of a glass half-empty sort of argument, isn't it? But let's look at that a little harder. If that is the true thought of a proprietary vendor, it would be very safe to say that they would apply that same mentality to their own software's flaws. Admitting a flaw is weak, and patching a flaw is admitting a flaw. Better, they seem to think, if we just keep it quiet and hope no one finds it. Boy, talk about insecurity.
Of course, there is the other side of the argument that says these vendors are just being hypocritical in their statements about open source flaws. When they patch a flaw, it seems, they are making their product stronger. When open source patches a flaw, OSS developers are admitting weakness. I've seen that attitude before, too. This sort of hypocrisy, however, tends to get exposed more often than vendors would like, and my sense is they stick with the "let's-keep-it-quiet" mindset until the flaw is exposed.
Then along comes my next favorite argument--that Linux is not cracked more often because it has such a pittance of a market share compared to the almighty Windows. Again, on the surface, that seems like a workable argument. But cracking is something that people do, and people are not always logical in their targets. I would think that given the sheer number of people the Linux community has ticked off in the past, someone with malicious intent would have come along and devised a real virus/malware/spyware attack just to shut us up.
This last argument stems from a statement from someone who hates dealing with the Linux community, calling us "smug a**holes." I'll keep this person's identity to myself, because the attitude is a bit pervasive across the IT community. Linux users, it has long been understood, are very, very strong in their advocacy. It drives others outside of the community a little batty and makes still others mad as hell.
Given this, I am finding it difficult to believe that no one has been angry enough to try to knock this chip off the community's shoulder. This may seem like schoolyard logic, but those with criminal intent in their hearts have never struck me as the most mature. The recent phpBB site hacks were the closest thing I have seen to such an attack, so we know the desire for malicious vandalism is there. Yet, for the most part, Linux/Apache servers remain largely untouched, Linux machines are not zombified en masse, and to date no one has figured out a Linux virus that works.
I should be fair and mention that some of these cracks happen regardless of OS. User error (not patching, not firewalling, etc.) leads to problems on any operating system. Here, the solution is at once both technical (don't make it so easy out of the box to get oWn3d) and educational (train users which practices are Good and which are Bad). I think Linux users typically have always had an advantage over Windows users in this education, because using Linux makes a person more savvy right out of the gate.
I will not get into the argument on how sponsorship of a study automatically implies a bias. Other writers have covered that in this past week, and I see no need to rehash. Just once, though, I would love to see a review from Consumer Reports or some other truly independent organization. But even then, a system can be made more or less secure depending on the user's actions, so such tests are debatable.
Corporation after corporation is moving to Linux, so much so that a shift in news coverage is starting to happen. Linux migration stories are becoming old hat these days. The new cutting-edge stories are the Linux-to-Windows migration stories. Think about that for a second. When was the last time Microsoft put any real publicity out about someone implementing one of their solutions? When OS/2 was up and coming? When they were moving out onto the PC? Now, it's news again when Windows gets a win.
I think this voting with dollars will be the final determinant of which OS is more appealing, more secure, and most cost-effective. And, in any campaign where the lead seems to be slipping, the real or imagined flaws of the up and coming opponent are always good fodder. But eventually, the truth will out.
[Enter bright sunshine, chirping birds (or more fire and mayhem, if that's your bag)]