Slashdot Reply | re: Not really


Good to hear from you Symbolset. Thanks for your post here. Here is why I’m replying on my blog.

I should have been a bit more specific. By "Linux" I mean on the client. I should remember to qualify this when I mention "Linux" and "Windows".

Linux indeed has a huge presence in the server space. In April of 2009, Netcraft said here that Apache had a 46.52% share and Microsoft a 37.59% share. By November 2009, Netcraft said here that Apache had 55.32% and Microsoft 18.98%. Even at 18%, I don’t think it’s fair to say that "Linux runs the internet". Linux is sure important, and has a commanding share, but Microsoft servers play a significant role. Not just on the web front ends, but on the database back end as well. I suspect that (not counting spam) a significant portion of internet email is from Exchange servers. Note, I suspect that the significant drop in share from April to November of this year is due to scads of businesses dropping offline due to the crappy economy.

Also, you seem to be implying that Linux based web servers don’t have security bugs – they do. The Linux and Apache guys also fix them. Just like Microsoft. So, I must say that “Linux runs the internet” is merely attractive hyperbole. Also, Cisco likes to think that IOS runs the internet. I think they would disagree with you there as well, though I’m confident Google would support you.

The issues are dramatically different for servers and clients. IT Pros will install and run servers. If worth their salt, they will secure their servers. To the first order, both Windows and Linux servers are not at all difficult to keep relatively secure – best practices for both are widely understood.

Also, the Slammer worm was almost 7 years ago on …. It might help your case to use a timely argument. Linux and Windows are both very, very different than they were 7 years ago.

A more timely example is the SSL protocol flaw which affects Microsoft and Apache (Linux) with equal impact.

With respect to the client OS: Windows 7 was your idea (<grin>). The AutoRun behavior has been dramatically changed for W7. See this, and this. (The difference between AutoRun and AutoPlay is explained here.)

Now if you want to argue that any type of AutoPlay feature and AutoRun for optical media is a security "flaw" then OK. I would agree that from the most paranoid of views, it is less secure than the complete absence of such a feature. But I argue that the optical media vector for malware is tiny, tiny, tiny. So tiny I’m not sure it’s measurable.

You seem concerned about CDs and USB keys that are mailed to people and left in places like men’s rooms. Is this a problem of any significant size? Do you have any data for that? Note, I’m not being skeptical here – I really have no idea and would love to see some data. Note, anecdotes don’t count. There are millions and millions of Windows 7 PCs out there already. Something odd is bound to happen from time to time. But this can hardly be anything but a truly anecdotal issue, if not urban legend.

I’d argue that no amount of “security” will protect anyone foolish enough to run software from some random USB key or optical disk they find in a men’s room or other public location. People that do that are just… well, stupid. The presence of, or lack of, an easy to use dialog box that pops up on device insert isn’t going to make any difference here.

Now, with respect to what I’ll call the footprint argument – the one that suggests the Linux client would be more vulnerable if its market share ever becomes sizeable. Right now, this is impossible to prove. We won’t know unless Linux gets out there with a market share that makes it a target for malware money.

I’ll stick with a car analogy here :) The situation is kind of like the most stolen cars. Just because a car is on the top 10 most stolen list doesn’t mean those cars are insecure – it just means that those cars are where thieves will make the most money – usually in selling parts.

OK, so some of these cars are pretty old, like the 1995 Honda Civic – it’s not “insecure”, but it’s not modern either. Kind of like XP SP2.

There are newer cars on the list as well, like the 2001 BMW M-Series on this list. Or the Acura Integra on this list, or the Nissan Silvia on this list. (Note: I tried to find more recent 2009 data, but this slightly older data makes my point, I think.)

But as this article says, these newer cars have security devices and other things to prevent theft:

Because Integras are so popular among car thieves, Acura manufacturer Honda started equipping Integras with passive immobilizing antitheft devices beginning with 2000 models. Results for 2000 Integras do show a decline in theft claims to 16.8 per 1,000 insured vehicles per year, compared with 25.0 for 1999 Integras. But the claim frequency has climbed back up to 21.6 for 2001 models.

"Immobilizers are thought to be more effective in deterring amateur thieves than the professionals," says Kim Hazelbaker, HLDI senior vice president. "Theft investigators believe that Integras are targeted by professional thieves for their parts and that many of those parts, like the more powerful engine, end up on modified Honda Civics."

drjones96 says something similar here on this thread.

I always thought it was just an indicator of how easy they are to steal.
For example: #5. The Chevrolet C/K 1500. (1994)
The reason for this is that pre-1995 the steering columns were pretty old-school. It was pretty damn easy to hot wire them. After that they completely redesigned the column to make them harder to tamper with. Also the doors were very easy to unlock with a slim-jim.
The parts were in high demand because some items like the doors, hoods, grills, fenders, etc were compatable [sic] not only with the other trucks in the line but also the Tahoe and Suburbans. And they are still in relatively high demand because of how long that body style ran. I can’t remember but I think it was 10 or 12 years or something. The major body panels didn’t change a bit in that time.

Now, people can certainly choose to buy a car that has a lower theft occurrence, like a Ford Taurus from this list. But they are simply avoiding the problem by not buying a frequently stolen car, not by buying a more secure car.

I suggest that the contrast between Windows (Win7, Vista, XP-SP) and Linux is very similar to the automotive analogy.

Windows is a high value target. The ability for criminals to make money from Windows targeted malware is way, way higher than for Linux. I think this holds true for OSX as well.

How about this analogy for you: Linux users are like the security paranoid guy that buys a Ford Taurus and lives in Austin.

While Windows users are like the carefree urban dude who drives a BMW M Series and lives in Miami. These guys probably need to have a LoJack.

I think it’s safe to say that the vast majority of Linux client users today are technical people that are not nearly as susceptible to acting foolishly as normal consumers and business users. In terms of numbers (footprint) and desirability – they simply are not a target of malware writers.

But if Linux ever gets a more “normal population” (that can mean a lot of things) then Linux as a platform will face a new set of problems. This isn’t because of some "flaw" or "problem" in Linux, it’s just reality. It’s bound to happen.

Some of these problems will be with the distributions themselves and some with key components like KDE and GNOME. In their eagerness to provide familiar features – like on Windows or OSX – they will do things to make Linux easier to use. Sometimes these things will be less than ideal from a security perspective.

As the code base in Linux distributions grows, so will its attack surface. This isn’t just the core Linux components themselves, but the photo viewers, email programs, blog editors, media players, and the raft of other software that distributions and OEMs will add to their Linux images.

Don’t laugh – people are already complaining about this.

Your comments about application complexity make my point. Apps are complex. For example, all productivity apps today (Microsoft apps, Open Office and many others) support embedded images (cite for OpenOffice), videos, and content from other apps. They also all support macros (cite for OpenOffice). Some (like Adobe’s file formats) have embedded JavaScript. These OpenOffice examples are things I found with simple Bing searches.

These kinds of things have been table stakes for this kind of app for 20 years. It goes all the way back to WordPerfect – probably even earlier. You must level the application criticisms not just at Microsoft, but at all apps that do this.

As an aside, you mention font rendering bugs that cause elevation of privilege. Do you mean like these here (2009), here (2007), and here (2003) – each on non-MSFT products? I’m not trying to criticize these non-MSFT products. Everything can have security bugs. The point here is that the criticism you level is valid at some level – but certainly cannot be leveled at Microsoft alone.

Now, don’t assume I’m suggesting Windows is perfect – it isn’t. The AutoRun change in W7 is a good example of something that needed to change, and we changed it for the better. We do this, Apple does this and Linux distros do this. Stuff gets better. Just like the cars mentioned above.

You mention the network port thing again. This is interesting and I’ve sent some mail and talked to a couple of people about it. I hope to have some comments for you on that topic soon.

Lastly, your comment here is interesting:

Did you know that the Windows Malware ecosystem is in dollars actually far larger than the Windows market? I thought it odd too, but if you count time and money lost, development and marketing and sales on both sides (attack and defense), hardware and services, it’s not even close. Maybe you’re on the wrong side of the business.

Can you cite a credible source here? That’s a mighty big claim and it would be good to point at a source of solid data to substantiate it.

I can’t seem to find recent public numbers, but in 2008 Windows was about $16.8 Billion in gross revenue (cite). I find it a little hard to believe that the “malware ecosystem” even approaches $16 billion, let alone is “far larger”. That would be a really big number. What does “far larger” mean? That’s super vague – but sure sounds impressive. I may be wrong, but forgive me for being skeptical.

In any case, this post is long enough and I’m sure it gives you plenty to respond to. I look forward to it.

Best regards,

– please overlook any spelling and grammar mistakes… it’s late and I’m a terrible proof reader…


Written by foredecker

December 9, 2009 at 5:24 am

Posted in slashdot
