The role of popularity in security

A lot of Linux desktop users seem to be under the impression that they are safer from exploits simply because they are running Linux. They seem to believe that software written for Linux is just going to be better. Fact of the matter is, most programmers are still human. And, programmers as a whole couldn’t care less about security.

The question I see is not “Are there existing exploits for Evolution’s bugs?”. The answer to that is “Of course!”. The question I see is “Are those exploits being used and are they causing damage?”. As you said, “there have been exploits for Elm and Pine”. Here is the breakdown as I see it:

  • All Software has bugs.
  • Virus writers want notoriety, not obscurity.
  • Virus writers will choose popular software instead of obscure software to write their malware for.
  • Windows is more popular than Linux.
  • Outlook is the most popular MUA on Windows.

Thus:

  • Outlook has a lot of viruses written for it.

Consider that Eudora has exploitable bugs, but it remains a safer choice than Outlook because it isn’t as popular. Outlook’s popularity (driven, in part, by the popularity of Exchange) means that most virus writers will use it.

Of course, we’d like to think that Linux is immune to this kind of thing (exploits, that is. A lot of us wish it weren’t immune to popularity), but there are still bugs that can be exploited. Even on UNIX/Linux, a lot of programmers don’t care about security. Now consider:

  • Evolution is probably the most popular Linux MUA (among new users).
  • Linux growth on the desktop is slow.
  • Virus writers still don’t have a large userbase to exploit on Linux.
  • The Linux/Evolution userbase is even smaller because most old Unix hands already have an MUA that they like.
  • Evolution and Linux still have bugs.

Thus:

  • Any viruses that get written for Evolution are just proof of concept. The real virus writers don’t care about Linux.

Hey, if the Emacs/Gnus combination were really popular, there would be exploits for it. It ain’t popular, though, so I’m quite safe from anyone who hopes to gain notoriety from writing a virus.

Don’t think for a second that you are safer simply because you are running a UNIX-like OS. There are plenty of exploitable bugs and plenty of exploits. You can make yourself safer by choosing less popular combinations of software (e.g. using Debian instead of RedHat), but Linux, in and of itself, does not mean you are immune to the whims of the virus writers. Sendmail used to be the only MTA out there. And, in 1988, we got to see the consequences of that.

The reality is that security is an unimportant part of most projects. This is a “worse is better” world and the most popular software is written by programmers with a “worse is better” mindset. They’ve got some code they want to hack or a job that’s been given to them. Nine times out of ten, their focus is not security. It’d be nice if we were all as obsessed with security as D.J. Bernstein, but, c’mon, we’ve got real work to do here.
