Linux & Security, or How I Learned To Start Worrying And Hate Linux Advocates, Freezing Software, and Lazy Sys Admins

Posted by Christopher Smith Fri, 05 Oct 2007 11:21:00 GMT

Security is a tricky business. Computer security is just a nightmare. Every now and then you see software companies that fail to appreciate this, and make promises that “this one can’t be hacked”. As Bruce Schneier’s famous saying goes, security is a process, not a product. Products aren’t “secure”, and even expressions like “more secure” are at best highly subjective. This is why I am always enraged to hear Linux advocates who push Linux on the grounds that “it is more secure”. You can rest assured that when someone uses that line, they probably know next to nothing about computer security, and probably not that much more about one of Windows or Linux (sometimes both). Today’s story about phishing should be a wake-up call.

Here’s the problem with harping on the security button when advocating Linux. First of all, consumers, for the most part, don’t care. You know why most software is provided “as is” with no warranty? Because consumers would prefer that to a product released years later, with fewer features, and much greater cost. Let’s just say for a moment you win that battle, and in a post-9/11 world, you manage to convince them that security should be their first priority. Well then, the designers of competing software, particularly Windows, would simply shift resource allocations and product priorities accordingly, and within a surprisingly short period of time the Linux world would find itself falling behind the massive software juggernauts of the world, for they are, if nothing else, responsive to changes in customer expectations. In fact, we’ve already seen a glimpse of this with Windows XP SP2, which Microsoft pushed very aggressively despite not making a dime of revenue off of it. Let’s just say for a moment though that these big software juggernauts are too slow to notice the shift and have too much old crufty code to fix up to get the job done anytime soon. Here’s where the real can of worms starts to open up: what happens if people actually buy your argument and start shifting over to Linux en masse? Linux becomes preferred target #1 for hackers, and suddenly Linux starts falling victim to all kinds of nasty exploits (and consumers will be a lot more angry about this than they are about security problems with Windows, because you’ve made them more concerned about the issue and made the mistake of promising a product-based solution). I’ve heard people wave off this argument, but I think they fail to look at the raw data. There have been, over the years, a lot of remote exploits found in various distributions of Linux. Maybe not as many as have been found with Windows, but we’re within an order of magnitude here. Despite this, Windows has had easily a hundred times more instances of malware and security compromises reported. That should tell you something.

Now, don’t get me wrong, I feel more confident about the security of my Linux systems than I ever feel about any Windows systems I have set up. There are some good reasons for this. For starters, I know how Linux works a lot better than Windows. I know just enough about Windows to be really dangerous, but Linux I really understand. So, I can spot oddities a lot more easily, and I know a lot more about what needs to be done to secure, monitor, and respond to security threats on Linux. Admittedly, knowing and doing are two different things, but I have that problem with Windows too. :-) I’m also more confident about Linux because of the “process”. I know Microsoft has sophisticated processes for auditing code and finding bugs, but I don’t know much about them, so I can’t tell how much I can trust them. Linux’s open source processes are transparent and really do help minimize and mitigate security flaws. Finally, the Linux community tends to have a more sophisticated user base, which means they are more likely to have a proper security process in place, which makes Linux a less desirable target in the first place.

The biggest delusion I’ve seen in this regard comes from people who deny that there are any “real” security holes in Linux, because they’ve never had a compromised system. So first off, there are plenty of well documented cases where worms or other malware have been able to exploit security flaws in Linux. Secondly: how do you know you have never been compromised? Few people use tools like Tripwire, rkhunter, chkrootkit, Nessus, etc. correctly, and even if you do, some rootkits are VERY good at hiding. The most insane counter to this point has been, “well, if I can’t observe it, is it really a problem?” The “If a tree falls in the forest…” metaphor breaks down when your machine is used to stage a giant DDoS blackmail, a phishing scam, or a big spam dump. You may not observe it, but you can bet that somebody will someday, and you may find yourself at the wrong end of a criminal investigation, a lawsuit, etc. More importantly, exploited machines, loosely coordinated through a “botnet”, are probably the biggest security threat on the Internet right now. Just like a poorly maintained house in a neighbourhood, compromised machines drag down everyone in the neighbourhood (and unfortunately, on the Internet, the neighbourhood is quite large). Don’t be lazy: keep your systems patched.

This is why I am so irritated by “software freezes”. I’ve worked on more than a few projects where the attitude is “I know a new version of software X is out, but we’ve deployed with this old version and it is working for us so far… I don’t think it is worth the risk to upgrade to the new version. It might break things.” Sure, it probably will break things. To quote the agile software folks: embrace change. Repeatedly updating your software will teach you where you are making too many assumptions, where the underlying APIs are least mature, where your protocols lack backward compatibility, where you need to clean up your build and deployment process, etc. Sadly, by not embracing these changes, your software starts to ossify, and it becomes nearly impossible to contemplate platform upgrades. That becomes a huge issue when a new security flaw is discovered and you need to roll out a patch. Just expect to have to do an update every couple of weeks as new security flaws are discovered, take the hit with all the breaks that come from that, and the world will be a better place for all of us. I say this having worked at companies that are still running slightly patched variants of the software platforms they first launched with… years ago. Updating is a huge mess for them, and I suspect whenever a new security flaw is discovered in their platform, all hell breaks loose in the IT department.

Sadly, I think we’ve got enough of a botnet problem right now that the Internet could start to be a real ugly place. It’s time everyone recognized the mess and cleaned up their part of the neighbourhood.
