[Nolug] Security and popularity (was Re: Unix and virus protection)

From: Mark A. Hershberger <mah_at_everybody.org>
Date: Fri, 11 Jul 2003 14:40:13 -0500
Message-ID: <87k7aoam3m.fsf_-_@mah.mcdermott.com>

Dustin Puryear <dpuryear@usa.net> writes:

> As I've noted on general@brlug.net before, Evolution is quickly
> becoming the Outlook for Linux for good or bad.

The question I see is not "Are there existing exploits for Evolution's
bugs?". The answer to that is "Of course!". The question I see is
"Are those exploits being used and are they causing damage?". As you
said, "there have been exploits for Elm and Pine". Here is the
breakdown as I see it:

  * All Software has bugs.
  * Virus writers want notoriety, not obscurity.
  * Virus writers will choose popular software instead of obscure
    software to write their malware for.
  * Windows is more popular than Linux.
  * Outlook is the most popular MUA on Windows.

Thus:

  * Outlook has a lot of viruses written for it.

Consider that Eudora has exploitable bugs[1], but, as we've seen in
this thread, it remains a safer choice than Outlook because it isn't
as popular. Outlook's popularity (driven, in part, by the popularity
of Exchange) means that most virus writers will use it.

Of course, we'd like to think that Linux is immune to this kind of
thing (exploits, that is. A lot of us wish it weren't immune to
popularity), but there are still bugs that can be exploited. Even on
UNIX/Linux, a lot of programmers don't care about security[2]. Now
consider:

  * Evolution is probably the most popular Linux MUA (among new
    users).
  * Linux growth on the desktop is slow.
  * Virus writers still don't have a large userbase to exploit on
    Linux.
  * The Linux/Evolution userbase is even smaller because most old
    Unix hands already have an MUA that they like.
  * Evolution and Linux still have bugs.

Thus:

  * Any viruses that get written for Evolution are just proof of
    concept. The real virus writers don't care about Linux.

Hey, if the Emacs/Gnus combination were really popular, there would
be exploits for it. It ain't popular, though, so I'm quite safe from
anyone who hopes to gain notoriety from writing a virus.

Don't think for a second that you are safer simply because you are
running a UNIX-like OS. There are plenty of exploitable bugs and
plenty of exploits. You can make yourself safer by choosing less
popular combinations of software (e.g. using Debian instead of
RedHat), but Linux, in and of itself, does not mean you are immune to
the whims of the virus-writers. Sendmail used to be the only MTA out
there. And, in 1988, we got to see the consequences of that[3].

Yes, I believe security is important. But, this is a "worse is
better"[4] world and the most popular software is written by
programmers with a "worse is better" mindset. They've got some code
they want to hack or a job that's been given to them. 9 times out of
10, their focus is *not* security. It'd be nice if we were all as
obsessed with security as D.J. Bernstein, but, c'mon, we've got real
work to do here.

Mark.

Footnotes:
[1] http://www.google.com/search?q=site:www.securiteam.com+eudora

[2] http://mah.everybody.org/weblog/archive/80614226

[3] http://world.std.com/~franl/worm.html

[4] http://www.jwz.org/doc/worse-is-better.html

-- 
As long as you have mystery you have health; when you destroy mystery
you create morbidity.    -- G.K. Chesterton
___________________
Nolug mailing list
nolug@nolug.org
Received on 07/11/03
