Love 'Em To DeathLove 'Em To Death

Is it possible that the yawning security gap between Windows on one side, and Linux, OS X, the BSDs, Solaris, and their cousins on the other, has less to do with technology than with sociology?

Crackers, con artists and malware writers, the theory goes, like most adolescents, are more interested in showing off to their friends, and in impressing the "in crowd," than in doing their own thing. The result: Two generations of technically gifted sociopaths flocked to Windows--and proceeded to tear its guts out--for the same reasons teenagers spend every Friday night screeching up and down the same few blocks of city street in their parents' borrowed cars.

It's an interesting idea, as long as you don't push it too far. It's also consistent with human nature: Consider the prospect of a genuinely challenging attack on a Linux, OS X, Solaris, or some other Unix-ish platform, braving hazards that range from the mundane (properly configured firewalls) to the murderous (the wrath of admins who are just like you, except with longer and more interesting criminal records). And even if you succeed, there might not be anyone around to admire your handiwork.

Now consider the prospect of waking up late, enjoying some coffee while you slap a rootkit on every unpatched Windows XP box in town, transforming some company's file server into an imitation of Whoville after a Grinch visit, and defacing a half dozen Web sites with pictures of Andre the Giant--all before happy hour, and all the while knowing that your work will get a large and appreciative audience.

The choice was never that simple, of course. And for years, pundits warned that if Linux or any other open-source platform got what it was looking for--mass-market success and respectability--we would see just how much damage enough script kiddies, pounding away at enough computers, could do once they turned their attention-seeking tactics on a fresh target.

Earlier this week, the Sans Institute released its quarterly report of the top Internet security vulnerabilities. At the end of each year, Sans assembles all of these reports into a single Top 20 list--a software security Rogues' Gallery that inflicts more losses every year, due to damage, theft, downtime, and opportunity costs, than the average Florida hurricane season.

It's not the kind of place where you like to see the name of your favorite operating system--and according to Sans Institute director Alan Paller, this quarter's software security list shows that the bad guys are out to give Microsoft some unhappy company.

"Hackers haven't stopped attacking Microsoft products," Paller stated, "but they've started attacking everything else as well,"

"Everything else." I briefly envisioned burning skyscrapers, streets jammed with wrecked cars and rubble, and dazed survivors waiting for marauding bands of triumphant Apes to finish the job--all because some snippet of bad code slipped through the Open Source Million Eyeball Army.

Then I see the Sans Institute's actual list. It turns out that "everything" can sometimes mean "not much," and this is one of those times. Seven of the 12 vulnerabilities the report lists are specific to Microsoft operating systems, servers, or everyone's favorite Twins of the Apocalypse, Internet Explorer and ActiveX.

The other five top flaws are application-specific and cover multiple platforms; one of the five is actually a three-for-one deal that covers iTunes, WinAmp, and RealPlayer. None of the vulnerabilities involve either the Linux kernel or Darwin (the command-line core of OS X), and only the media player exploit is likely to pose more than a theoretical threat to desktop users, the group most likely to mistake foolish behavior for sound security practices.

Does this shoot down the idea that any operating system is only as secure as its ability to escape the notice of crazy people who know how to program in C? That all depends on whether Linux, or OS X for that matter, has crossed that invisible line beyond which a platform's popularity, visibility, media buzz, application support, and smug users will begin to attract a critical mass of Geeks Behaving Badly. Personally, I was ready a few months ago to assume that, even with Microsoft's less-than-stellar reputation among career computer criminals, both Linux and Mac users should begin to see more unwelcome gifts that were once addressed exclusively to their Windows-based neighbors.

Yet as far as I can tell, it simply isn't happening. Instead of an unmistakable trend--the kind of trend that would send sales of Linux anti-virus software soaring by orders of magnitude--all I see are eddies in the data stream that may or may not suggest there's a monster lurking under the surface.

Do my impressions match all of yours? Have you come across any statistics that, as far as you're concerned, settle the question of whether platform security can survive a few years of legitimate mass-market success? And is Linux, or any other non-Windows OS, popular enough to put this theory to the only test that matters?

Send me what you have, and tell me what you make of it--and if the pieces fit together, we can all gawk together at whatever turns up.

Matt McKenzie is editor of Linux Pipeline. A permanent link to this article is available here.