By Brian Proffitt
Managing Editor
… that’s the thing about Life.
This somewhat stark view is what usually gets me by on a trying
and troubling day. It’s extremely pragmatic, and very likely
cynical, but it helps me put things into proper perspective. At the
end of it all, did it really matter that I forgot to take out the
trash?
This personal philosophy can also be applied to flaws, bugs, and
holes that people find in software. All software, I would
stipulate, has at least one bug. And, since it only takes one flaw
to exploit software, you could make the case that all software is
equally insecure.
[Enter dark grey clouds of doom, fire, and destruction]
But Brian, you say, didn’t you just get back from vacation?
Didn’t you have a good time? Why are you being all Frank
Miller?
Well, the answers are yes, yes, and because when I got back it
was time for another round of Security Wars, with Linux and Firefox
as the targets. And, frankly, having been away from the fray for a
week, the arguments seemed all that much more silly.
In the oft-cited Security Innovations report, the number of bugs
found in Red Hat vs. Windows 2003 was specified as more problematic
for Red Hat. More bugs is a bad thing, according to the logic of a
five-year-old or the context of the report, however you want to
label it.
Context is always a tricky, tricky thing. I could write here
that I honestly walked the Appalachian Trail this past week, and it
would not be a lie. If you dug a little deeper, however, you would
realize that no one could walk the entire 2,000+ mile trail in just
under a week. (Few people have actually made the entire trail walk
at all.) So, if you kept digging, I would clarify the context: that
I was on the trail for a little more than 25 yards as it wound from
the parking lot at Newfound Gap to the bathroom shelter. Not so
glamorous, but it does not belie my original statement, either.
So, there are more reported bugs in Red Hat than Windows. This,
I don’t doubt. Because if you step back for a moment and think, you
would realize that Red Hat’s (and, indeed, all of Linux’) known
bugs are a good thing–because we know about them. How
many bugs are in Windows 2003 that don’t get reported? Or, when
they are found, actually get repaired?
Some would say this is a specious argument, that I am claiming
flaws based on zero evidence. Ah, but is it zero? After all, it
isn’t Linux zombies or OS X zombies that are out there throwing
spam at my computer. So there’s one piece of evidence. Another is
the very arguments proprietary vendors have used this week when
Firefox 1.0.2 came out. “Firefox is being patched!” they cry, “It
must therefore be insecure!”
So, a product (open source or otherwise) finds a hole and then
when it fixes it, it is somehow admitting some kind of weakness.
Kind of a glass half-empty sort of argument, isn’t it? But let’s
look at that a little harder. If that is the true thought of a
proprietary vendor, it would be very safe to say that they would
apply that same mentality to their own software’s flaws. Admitting a
flaw is weak, and patching a flaw is admitting a flaw. Better, they
seem to think, if we just keep it quiet and hope no one finds it.
Boy, talk about insecurity.
Of course, there is the other side of the argument that says
these vendors are just being hypocritical in their statements about
open source flaws. When they patch a flaw, it seems, they
are making their product stronger. When open source
patches a flaw, OSS developers are admitting weakness. I’ve seen
that attitude before, too. This sort of hypocrisy, however, tends
to get exposed more often than vendors would like, and my sense is
they stick with the “let’s-keep-it-quiet” mindset until the flaw is
exposed.
Then along comes my next favorite argument–that Linux is not
cracked more often because it has such a pittance of a market share
compared to the almighty Windows. Again, on the surface, that seems
like a workable argument. But cracking is something that people do,
and people are not always logical in their targets. I would think
that given the sheer number of people the Linux community has
ticked off in the past, someone with malicious intent would have
come along and devised a real virus/malware/spyware attack just
to shut us up.
This last argument stems from a statement from someone who hates
dealing with the Linux community, calling us “smug a**holes.” I’ll
keep this person’s identity to myself, because the attitude is a
bit pervasive across the IT community. Linux users, it has long
been understood, are very, very strong in their advocacy. It drives
others outside of the community a little batty and makes still
others mad as hell.
Given this, I am finding it difficult to believe that no one has
been angry enough to try to knock this chip off the community’s
shoulder. This may seem like schoolyard logic, but those with
criminal intent in their hearts have never struck me as the most
mature. The recent phpBB site hacks were the closest thing I have
seen to such an attack, so we know the desire for malicious
vandalism is there. Yet, for the most part, Linux/Apache servers
remain largely untouched, Linux machines are not zombified en
masse, and to date no one has figured out a Linux virus that
works.
I should be fair and mention that some of these cracks happen
regardless of OS. User error (not patching, not firewalling, etc.)
leads to problems on any operating system. Here, the solution is at
once both technical (don’t make it so easy out of the box to get
oWn3d) and educational (train users which practices are Good and
which are Bad). I think Linux users typically have always had an
advantage over Windows users in this education, because using Linux
makes a person more savvy right out of the gate.
I will not get into the argument on how sponsorship of a study
automatically implies a bias. Other writers have covered that in
this past week, and I see no need to rehash. Just once, though, I
would love to see a review from Consumer Reports or some other
truly independent organization. But even then, a system can be made
more or less secure depending on the user’s actions, so such tests
are debatable.
Corporation after corporation is moving to Linux, so much so
that a shift in news coverage is starting to happen. Linux
migration stories are becoming old hat these days. The new
cutting-edge stories are the Linux-to-Windows migration stories.
Think about that for a second. When was the last time Microsoft put
any real publicity out about someone implementing one of their
solutions? When OS/2 was up and coming? When they were moving out
onto the PC? Now, it’s news again when Windows gets a win.
I think this voting with dollars will be the final determinant
of which OS is more appealing, more secure, and most
cost-effective. And, in any campaign where the lead seems to be
slipping, the real or imagined flaws of the up-and-coming opponent
are always good fodder. But eventually, the truth will out.
[Enter bright sunshine, chirping birds (or more fire and mayhem,
if that’s your bag)]