Security and the popularity factor

Monday, 17 Jan 2005

When faced with the fact that there are many more attacks on their system than on Linux, Windows advocates typically deflect the argument by saying that Linux would suffer just as much if it were just as popular.

This is easily countered:

First of all, Linux is popular. It might not be so visible, but more servers on the internet run Linux than any other system.

Of course, it should not be forgotten that Linux boxen used to be cracked within a short time of being connected to the world, on the order of a few days as recorded by The Honeynet Project. Linux was less popular back then than it is now, yet it was still a popular target. At the time, some notorious software projects and distributors alike were often ridiculed for their lack of secure defaults. (Sendmail, RedHat and Suse come to mind.) This is a pretty clear demonstration of the fact that a relative lack of popularity does not reduce the barrage of attacks in and of itself.

Paradoxically (or so it might seem), while the popularity of Linux on the desktop has exploded, The Honeynet Project is finding that unpatched Linux boxen will now sit on the ’net untouched for months. A number of people (Bruce Schneier being among them) have recently commented on the fact.

I believe what happened here is part security and part obscurity.

There has been considerable pressure by users and the press on distributors to harden their products. This was effective: all major distributions come with tight defaults that reduce the potential for security problems out of the box. Many libre software projects have worked on security. As a result, a random Linux box is nowadays much more resilient than a few years ago. That does not mean Linux is invulnerable – far from it. Badly administered Linux boxen should be considered as much a risk as ever.

However, attackers nowadays typically want to build farms of compromised systems with large aggregate computing power and bandwidth. Despite the growing absolute and relative numbers of Linux machines on the ’net, Linux security has gotten so much better than Windows security that Linux has dropped off the radar for this purpose. The resources required to crack a Linux machine yield much greater results if invested in cracking Windows machines. The product of platform insecurity multiplied by the popularity of the platform is so much larger for Windows than Linux that the latter just isn’t interesting.

This means we would see a rise in attacks on Linux in two possible (though not equally likely) scenarios:

In short – the Linux vendors have done their part to make the ’net a better place. We’re looking at you, Microsoft.