RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
Posted Apr 13, 2008 3:08 UTC (Sun) by rmunn (guest, #40618)
In reply to: RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) by sbergman27
Parent article: RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)
If Microsoft turned into a pumpkin at midnight tonight, there is not a chance that *any* one OS would obtain such a level of dominance and generate another such monoculture. Not Linux. Not Apple. Not anyone.
I think I disagree mildly with you here. Commercial software developers love the current monoculture, because it means they can focus most of their effort on a single OS instead of going the more difficult route of writing cross-platform software. So even if MS went belly-up tonight, there'd still be pressure on the OS market to gravitate towards a small set of OS'es, or maybe even just one OS, as dominant players in the market. The other OS'es would suffer the fate of the Amiga, BeOS, etc. and slowly die for lack of software.
That's assuming, of course, that commercial software continues to play a big role in people's decisions about what OS to use. But much as I love the open-source world, I don't see commercial software going away anytime soon.
Still, you may well be right that no new monoculture would develop -- but I don't think that invalidates the point I was trying to make, which is that the raw numbers of "vulnerabilities being exploited" are skewed by the current monoculture. (Or rather, near-monoculture).
Consider: if you were a black hat and discovered, at the same time, a remote root-access exploit for Windows and one for the Linux kernel (so that it would work on just about any distribution), but it would take you about a day's work to write each exploit, which would you write first?
I was not trying to say "Oh, the only reason Windows exploits are so prevalent is because Windows is popular, and the weakness of Windows security has nothing to do with it." I think some people who responded to my comment thought that's what I was saying. No -- the weakness of the Windows security model does have a great deal to do with how many exploits target Windows. What I was trying to get across was that the current popularity numbers also play a role in how many exploits get written targeting one OS over another; and therefore with the current near-monoculture, raw exploit counts are not very useful as a gauge of security.
Re-reading Ford's comment, I think his "ease of exploitation" line was indeed talking more about how easy it is to break into Administrator level once an entry point has been found -- so my "that's just based on popularity" line may have been wrong. But he did say that "raw vulnerability counts really don't give you a good picture," so I think I've just repeated what Ford was saying, only I said quite a bit less with a lot more words.