Open source gets results, while Microsoft blames malware on 'stupid users'

Summary: While Microsoft is blaming users and giving up on malware-infested machines, the open source community proves once again it can fix bugs faster than any one company, no matter how big.

Two very different news articles crossed my desk today. First, there was a report that open source developers on 32 projects fixed 900 bugs in two weeks that were reported by an automated scan program from Coverity, sponsored by a grant from U.S. Homeland Security. Second, a presentation was given by a Microsoft security official who said that rootkits, phishing, trojans, spyware, and other forms of malware had gotten so bad on Windows that IT departments needed to come up with a fast way to "nuke the systems from orbit", i.e., wipe out the hard drive and start over. He goes on to say that phishing is a problem because "there really is no patch for human stupidity".

Suppose for a moment that popular open source systems like Linux or Samba were suddenly under the same wide-ranging attacks that the proprietary Microsoft systems are under now. What do you think would happen?

I predict that lots of people, all over the world, would get fed up and start fervently scanning for holes, first by hand and then by ever more sophisticated automated scans over the source code and analysis at run time. Lists of bugs would be created, reputations put on the line, and those lists would be pounced upon by some of the same people that pounced on the Coverity list.

While the problem would not be solved in two weeks, there would certainly be a heck of a lot of progress in a hurry, compared to the years of fixes that have trickled out of Redmond. Users are plenty fed up now, but what can even knowledgeable users do to help without the source code? Nothing.

What do you think? Which is inherently more *securable*, open source or closed source?

Ed Burnette

About Ed Burnette

Ed Burnette is a software industry veteran with more than 25 years of experience as a programmer, author, and speaker. He has written numerous technical articles and books, most recently "Hello, Android: Introducing Google's Mobile Development Platform" from the Pragmatic Programmers.

  • Give me a break, no one writes virii for Linux

    because no one uses linux.
    • And this is why

      [i]no one uses linux.[/i]

      Keep telling yourself that. I'm sure it's very comforting to you.

      On the other hand, maybe you should correct IDC. For some reason they think that buyers are spending over a billion dollars a quarter on Linux servers alone in 2005 -- if the growth is tracking the last few years, the Q1 number will be more like $1.5 billion.
      Yagotta B. Kidding
    • Here's a free break coupon

      Print and cut along the dotted lines
      | |
      | |
      | |
      | This Coupon Entitles |
      | You to: |
      | One (1) FREE Break |
      | |
      | |
      | |

      D T Schmitz
    • As I have said before

      You HAVE NO PROOF! ONLY anecdotal evidence. I see EITHER viruses are less common on Linux because 1) It doesn't "pay" to attack a small machine population or 2) It is HARD to attack Linux, and EASY to attack Windoze.

      I would tend to say that #2 is more significant than #1 - but they BOTH exist!
      Roger Ramjet
      • Viruses on Linux

        The fun of writing a virus is to see it proliferate. It's not just about the size of the user base - Acorn machines had a much smaller user base than Linux but still plenty of viruses. Viruses don't propagate through the Linux world because the methods for installing applications are different from Windows. In some ways a bit more hassle, but perhaps it's worth putting up with a bit of hassle in that respect for a major benefit. I think so, so I use Linux.
    • I'd like to know - how would OSS put a patch in the *nix kernel for phishing

      "He goes on to say that phishing is a problem because 'there really is no patch for human stupidity'."

      How exactly is a patch going to be developed for phishing?

      Phishing is when a web site looks just like the original and prompts you to enter your username, password and/or credit card #'s.
      Normally they send you an email, e.g. "please update your account information".

      Give me a couple of tips on how Linux would put a patch in the OS kernel for phishing.
      • the above post was posted in the wrong thread

        the above post was posted in the wrong thread
      • Not a system problem

        This is not a problem in the Operating System!
        Any OS can have these problems; the only thing a user can do is use an e-mail client that does such as hard as MS Outlook, like Thunderbird, that WARNS the user if links look suspicious.
  • Open source is secure???

    So then explain why it is that the vast majority of hacked and defaced web servers are *nix?

    How about all the banks and credit card companies being hacked? They too run *nix in almost all cases.

    In fact, the ONLY place Linux seems to be adopted widely is on servers and that is where Linux is hacked daily. As to hacking Linux desktops? Not enough even exist to bother counting...
    • Not according to your source

      [i]So then explain why it is that the vast majority of hacked and defaced web servers are *nix?[/i]

      Your source says over 60% are MSWindows. If you separate all of the MSWin versions and lump together all of the Apache platforms, Apache collectively comes out ahead of any one MS platform.

      As they say, prevarication does not preclude computation.
      Yagotta B. Kidding
      • You're not talking about are you?

        Because today 84% of reported defacements were linux, 6% were FreeBSD and all of the Windows platforms grouped together totaled 9%.
    • LOL, way to shoot yourself in the foot

      Why do you think "the vast majority of hacked and defaced web servers are *nix?"

      "all the banks and credit card companies being hacked, they to run *nix in almost all case."

      Because they KNOW that *nix is SOOOOO far more secure than Windows.
    • Web servers are too easy to hack...

      All you have to do is make one mistake in your php (or whatever) code and voila, instant hole. It doesn't matter what OS or web server software you're using.

      I find it more perverse that just connecting a PC out of the box to the Internet or browsing to certain web sites or looking at certain mail or pictures can cause it to become infected.
      Ed Burnette
      • And if the server is

        properly hardened, i.e. running Apache in a [pre]chroot[/pre] jail, the damage from a flawed script or even a malicious attack is trivialized.

        Operator error or careless administration can't be blamed on the OS, whichever one it is.

        Besides, the article in question was about coding flaws, such as variables declared but not used, null pointers, writing beyond allocated memory, allocated memory not being freed, etc. I don't know where Axey came up with viruses ([i]virii[/i] is not a word) and web server defacing.
        Hugh Jass
        • The "virii" virus

          "Virii" is a common mistake; indeed, it is one which I myself have made. I think it's because some people look at it and how it sounds and assume that the plural would end in "i." Now, one "i" I could understand, but two of them?
          Third of Five
          • Virus - or viruses or viri.

            Maybe some Latinist can say what declension virus is in. If 5th, it is virus singular and plural. Maybe safer to use the English 'viruses'!
    • Credit card companies being hacked?

      I read about a CC middleman company that had a PC stolen, and another CC company with a laptop stolen. Both were running . . . Linux? I doubt it.
      Roger Ramjet
    • Shape shifting

      Funny how you justify Redmond's incompetence with arguments like "Windows gets attacked more often because they have more market share", and then fail to recognize the applicability of the same argument to LAMP servers, which are at least a large plurality, if not a majority, of web servers...
      And as to "nobody" using Linux on the desktop, I do, and I've installed it on several dozen other machines for friends and family who are tired of paying the "Microsoft vulnerability/stupid-tax".
      But it'll be OK, No_Az. The M/S juggernaut will continue to suck enough victims into its web that you will be able to continue to feel some sense of vicarious power, or importance, or whatever it is that you get from being an (unpaid?) M/S shill/fanboy.
    • Open Source

      Mr Grind,
      You state that Linux use on desktops is "not enough to bother counting".
      Perhaps you should go to the Distributed Computing site Folding@Home latest figures where 1.5 million computers work on their project.
      84.7% MS Windows
      4.6% Mac OSX
      10.6% Linux
      If you can count you'll note it adds up to 99.9% (it's called rounding, I believe).
      These are real world numbers, not from your fantasy one.
    • I'll call your strawman

      Firstly, if you note, web defacements are far less common than malware infections per instance count. I.e. you only get a few websites defaced, a few companies/banks hacked, compared to thousands (at least) of computers infected with malware. Part of this IS due to the larger count of desktops and servers versus server websites, admittedly, but there is at least one other factor you are intentionally overlooking: settings (i.e., human error). It isn't the software necessarily by default that is allowing the problem (though it may be), but the changed settings. Firewalls also fall under this issue of settings, and may or may not be running *nix. So, while settings isn't the sole security hole, it is a significant one you intentionally neglect in a shameless attempt to bash Linux, which isn't perfect, but has its strengths, uses and benefits.
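The "Not a system problem" reply above points to mail clients that warn when a link in a message looks suspicious. As an added illustration (not code from the page, from Thunderbird or from any other mail client), here is the kind of heuristic such a warning can rest on, run over a constructed sample message: it flags links whose visible text names a different host than the href, links that go to a raw IP address, and links that put a fake host name in the user-info part before an "@".

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (not taken from the page): one honest
# link followed by two that a mail client should warn about.
SAMPLE_HTML = """
<p>Please update your account information.</p>
<a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>
<a href="http://192.0.2.10/login">www.example-bank.com</a>
<a href="http://www.example-bank.com@203.0.113.5/login">https://www.example-bank.com</a>
"""

# Matches visible anchor text that itself looks like a URL or a bare host name.
HOST_RE = re.compile(r"(?:https?://)?(?P<host>[a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return [(href, reason)] for every link a client should warn about."""
    parser = _LinkParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if parts.username is not None:
            findings.append((href, "user-info before '@' hides the real host"))
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "link points at a raw IP address"))
        else:
            m = HOST_RE.match(text)
            if m and m.group("host").lower() != host:
                findings.append((href, f"text shows {m.group('host')} but link goes to {host}"))
    return findings
```

A real client would also decode IDN/punycode hosts and compare registrable domains rather than full host names; the three checks here are the minimum that makes the displayed text and the actual destination disagree visibly.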