The upcoming security fight
[Posted November 12, 2003 by corbet]

Security is an important issue. Software users have been bitten by enough
security incidents now that they are beginning to really think about
whether a system they are considering deploying is sufficiently secure or
not. As a result, software vendors are beginning to feel some heat from
their customers on security. Among other things, security concerns have
led directly to two new initiatives from Microsoft: the payment of bounties
on information leading to the arrest of virus authors, and (apparently) an
upcoming publicity campaign which will try to demonstrate that Microsoft
products have a better security record than Linux.

Strangely enough, neither of those efforts will make Windows more secure in
any way. But they will raise the stakes with regard to security issues.
We should expect that, in the future, Linux-related security problems will
receive much more attention than they have in the past. If Microsoft is
out to prove itself more secure than Linux, it certainly will not waste any
PR opportunities resulting from Linux vulnerabilities.

There are many implications to note from an increased emphasis on the
perceived security of software products. Both developers and users of free
software will want to redouble their efforts to tighten up security. The
free software community may be better at the creation and deployment of
secure software than just about anybody else, but our record is still far
from good enough.

There is nothing new in the statement above. But consider for a moment the
recent attempt to insert a backdoor into the Linux kernel. There is no way
of knowing who was responsible for that attack, but it is worth
thinking about who might have benefitted from it. The attempted back door
- which did not enable remote attacks - would have been more useful for
publicity than for actual exploits. Somebody wanted to be able to
say that a vulnerability had been successfully planted in the Linux kernel.
Any company with an interest in attacking the security record of free
software - and there is more than one such company - would have gotten great
mileage out of this kind of demonstration.

It is safe to assume that there will be other attempts to insert malicious
code into free software releases; a high level of vigilance will be
required to detect and defeat those attempts.

The public perception of the relative security of operating systems has
become an issue that means real money to the companies involved. When free
software starts to eat too far into its competitors' bottom line, those
competitors can be expected to fight back. Not all of them will choose to
fight fairly; a quick look at the SCO case will verify that fact. Without
giving in to absolute paranoia, we should expect the debate around security
issues to take on a harsher edge. Things could get interesting, but this
is a fight we should win decisively by doing what we always do: developing
the best software we can with our users' needs in mind.