26 Apr 2009

Linux Has No Viruses Because It's Secure - Says Microsoft Man...

Microsoft security expert Roger Grimes says in his blog that being different doesn't make you secure, or at least that there is nothing wrong with a monopoly. He is right that being different does not automatically make you safe, but the rest of his argument is weak.

He argues that having a monopoly doesn't make you insecure just because everyone goes for you; what makes you vulnerable is writing poor code. He has a point as far as it goes, but for years we have known from game theory and biology that monocultures are more profitable targets than diverse systems. Hence there is more pressure to find weaknesses in them, and those weaknesses, once exploited, can cause chaos.

We know that the number of defects is directly related to the size of the code base and the complexity of the system. Windows has more lines of code and is an intrinsically more complex operating system than Linux, Unix and Mac OS X, therefore Windows will have more bugs in it.

Windows tends to be run by people with little or no security training and therefore tends to run in its default state. As we know, by default Windows is less secure than Linux, which makes Windows more vulnerable. Both can be made a lot more secure with proper configuration and both can be made very insecure...

The various Linux/Unix systems are all subtly different from each other. Sometimes this can be annoying, but in a security scenario it makes each attack on them subtly different, which puts the crackers off a tiny bit more.

The result is that:

  • Windows is big and complex,
    • therefore more bugs.
  • It's all the same,
    • therefore it's a single target to aim for.
  • It's usually badly set up,
    • therefore easy to attack.
  • There are more Windows desktops than anything else,
    • therefore very profitable.

It's not surprising that over 99% of all viruses are exclusive to Windows systems.

He is arguing that Microsoft products get the most viruses because they are insecure and that Linux gets fewer because it's safe, which is the opposite of the normal Microsoft position, the "we are the most common so we get the most viruses" argument.

The truth is that security is not a single-dimension problem. You just can't make sweeping statements and generalisations without looking at all the facts.