Linux 2017: With great power comes great responsibility

Linux and open-source software now run the world and that means we need to work harder than ever to make sure it's trustworthy.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

In 2016, Linux turned 25. When it began, it was a student project. Today, Linux runs everything. From smartphones to supercomputers to web servers to clouds to the car, it's all Linux, all the time.

Linux must be secured.

Locking Linux down from attackers is becoming an ever more important job.

Even the one exception, the end-user, is moving to Linux. Android is now the most popular end-user operating system. In addition, Chromebooks are becoming more popular. Indeed, even traditional Linux desktops such as Fedora, openSUSE, Mint, and Ubuntu are finally gaining traction. Heck, my TechRepublic Linux buddy Jack Wallen even predicts that "Linux [desktop] market share will finally breach the 5-percent mark".

Of course, end-users have always used Linux. They just didn't realize that almost all popular websites and many software-as-a-service (SaaS) applications run on Linux.

Even Microsoft has finally gotten the Linux religion. I mean, just last year Microsoft joined The Linux Foundation.

So with everything going so right with Linux, why am I concerned? Because now every hacker who's really a hacker, and not just some script-kiddie, is coming after Linux and other open-source code, hunting for vulnerabilities.

True, as open-source leader Eric S. Raymond pointed out years ago in Linus's Law, "Given enough eyeballs all bugs are shallow". This is one of the key concepts that made Linux the success it is today and which empowers open-source software.

But it only works if there are enough eyes looking for bugs to fix the code. Estimates on the number of errors per thousand lines of code (KLOC) range from 15 to 50 errors per KLOC to three if the code is rigorously checked and tested. The Linux kernel alone now comes to over 16 million lines of code. Do the math.

In 2016 alone we saw two major Linux security holes briefly pop open. These were in a script calling on LUKS disk encryption and Dirty Cow, a Linux memory problem. There were other less important Linux bugs as well. To Linux's credit, these problems were fixed almost as soon as they appeared.

When it comes to fixing problems quickly, Linux's track record is far superior to that of Apple, Microsoft, or any other proprietary software vendor. But let me do the numbers for you: that still leaves not quite 3,000 bugs to find and fix.

There are many top Linux security developers and they're busy hunting down these bugs. There are instructions on how to report bugs when you find them. But there are never enough programmers around to fix even the reported bugs.

As Linux leader Jon "Maddog" Hall wisely observed a few years back:

Some people argue that Free Software has 'unlimited' resources. Every product or project is limited in resources in one way or another. The number of people who can work on Free Software, and particularly one piece of software is limited by the people with the skill, time and inclination to contribute. But what Free Software does have is the ability of the end user to escalate their own bug fix in 'criticality,' by seeking out their own resources to fix the problem if the developers do not have the time or inclination to fix it.

When he wrote that in 2009, many Linux users were still programmers. That's no longer the case. Yes, many developers use Linux, but there are hundreds of millions of Linux "users" who couldn't tell you the difference between Java and JavaScript, never mind fix a bug.

At the same time, hackers have more reason than ever before to try to crack Linux. Irish developer Donncha O'Cearbhaill, who recently uncovered a pair of Ubuntu desktop bugs, reported he received an offer of more than $10,000 from an exploit vendor for these Apport bugs. "These financial motivators are only increasing as software gets more secure and bugs become more difficult to find," he said.

That's small potatoes. If someone finds, say, a Linux bug that could encrypt data on a server, I can easily see six-figure demands from ransomware, malware that encrypts and scrambles data so that hackers can demand payment for the key. A recent study from IBM Security suggests nearly 70 percent of business victims are already paying ransomware hackers to recover data.

With tremendous potential payouts, Linux will be subjected to more hacking attempts than ever before. Linux has gained great power; now its developers and vendors must step forward and take the great responsibility to maintain its security.
