Sunday, April 16, 2006

The Attack Paradox: Why Windows Is Safer Than Linux

Mac Malware Door Creaks Open

Having been married for a while, I usually try to avoid "I told you so" because it's not a very effective way to build good will. Nevertheless, I have been saying for two or three years that when/if the open source and Mac OS X operating systems get more market presence, they are going to be attacked and exploited. I have often challenged the rabid Slashdot claims that Windows is inherently insecure and OSes like Linux, Unix, Mac OS and Solaris are inherently more secure. When I have done so on Slashdot, I've been eviscerated with lots of open source groupspeak, stale talking points and lots of arrogant passion but not a whole lot of balance, fairness or reason.

Probably my best commentary on this debate can be found at [My Authoritative Perspective - Which Is More Secure?]. In this article, I argue that while it is true that software manufacturers have a responsibility to write secure code, it is also the responsibility of sysadmins to keep their workstations and servers updated. When considering attacks by known viruses, the systems that are affected are systems that have not been updated. This is not Microsoft's or Linux's or Mac OS X's fault.

What delights me about the linked article about Mac malware is that it supports what I've been saying: I don't believe that one OS is more secure than another. And, I have also stated what I call the Attack Paradox: The fact that MS has been so vigorously attacked over the years actually means the Windows platform is more secure than others because its weaknesses are identified by hackers and patched by Microsoft. This then diminishes the attack opportunity for Windows. This is a concept that is hard to conceive at first: how can a platform that constantly has security issues be more secure than one that doesn't?

Windows and IE are the primary targets of exploits. Each time Microsoft is successfully attacked, their programmers develop patches to fix the weakness. This provides two opportunities that wouldn't be available had the successful attack not worked: 1) they get better insight into their code, their coding methodology and their supporting frameworks; and 2) they gain more and more insight into the pathology of the hacker. This knowledge helps inform their coding subsequent to the attack. Platforms that aren't as vigorously challenged because they are not as ubiquitous as Windows unquestionably have as-yet-discovered weaknesses but the absence of frequent attacks means the open source programming team isn't learning as much valuable information.

I predict that Linux and Mac OS will be proven to have many as-yet unexposed security issues. As hackers become more interested in Macs and Linux boxes, we will see a sharp rise in the number of exploits developed for these "inherently more secure" OSes.

Until that happens, the Mac malware article seems to support my opinion that Anything-But-Microsoft-Operating-Systems are not inherently more secure. The Linux development model does not channel the talents of its programmers to produce inherently secure code.

I told you so.