Chaz Meyers on 24 May 2011 12:21:47 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Microsoft's many eyes?


On Mon, May 23, 2011 at 10:55 PM, Stephen Slaughter <steve2slaughter@gmail.com> wrote:
seems like I rattled a few chains with my last post; this was not my
intent. Please do not direct any frustration at me- I am just a novice
Linux user trying to learn more these systems.

Question: do you think we would see a greater proliferation of malware
and exploits for Linux systems if they served a greater portion of the
PC market?

Would there be more hostile software targeting Linux if Linux were more popular? 

Probably. It's hypothetical so it would be impossible to give a definitive answer, but it seems likely to me. Even if Windows and Linux had no exploitable bugs, malware would still thrive because enough people use their computers in an unsafe manner.

In Windows, that means that a huge number of people use an administrative account for day-to-day tasks. If a program does something awful to your computer and you run it as Administrator, it doesn't need to exploit any bugs. It's working as intended.

Linux has a better model because usually people don't walk around as root and have to su/sudo to do dangerous things. However, if all Windows users suddenly switched to Linux, I'm confident that malware would be written for Linux that calls gksudo and enough people would blindly enter their password and click OK without reading or thinking about what they are doing. It's what they've been trained to do over the past 15 years when a scary dialog box comes up. 

Maybe I'm a pessimist. 

 I noticed the Android platform has been exploited in
certain ways (authentican token sidejacking comes to mind, although
this is more of a broswer issue I suppose).  I'm just curious if the
ubiquitous cliche about Linux's alleged superiority in terms of fewer
bugs, better security, and more code review is true?

Asking whether Linux is more secure than Windows is a much more reasonable question than whether open source software is categorically more secure than closed source software.

The former would still be tricky to prove. What's your metric for security? Is it the number of discovered exploitable bugs, perhaps weighted by how long the bug was out in the world with no fix available? "Windows" includes a lot more than a kernel, so are we just counting kernel exploits or do we get to count bugs in X11, GNOME, xft, Firefox, and other software to make it a fair apples-to-apples comparison? Each of those subjective questions would have to be answered by anyone doing the sort of analysis you describe and could bias the conclusions reached.

The later question, I think, would be far more difficult to answer because of how much variation there is between different projects. If I publish horrible code that no one reads or uses, does that count against FOSS? Does an exploit in vim hold as much weight as one in OpenSSL?  Is it fair to compare IE6 in 2005 to Firefox in 2005 even though IE6 was for all intents and purposes an abandoned project at that point? If so, can we compare abandoned OSS projects to closed source projects? If you can prove Firefox has more brilliant people reading code than IE and IE has more brilliant people reading code than Konqueror, what does that say FOSS vs closed source and who attracts the most eyes?

I'm not sure there are enough projects out there that are similar enough in terms of functionality, manpower, and relevance to do an impartial analysis that generalizes over all software. I imagine the result of any such effort would end up being highly anecdotal.

- Chaz Meyers

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug