Logic and Reason

Another piece of FUD caught my eye: “Linux vs. Windows: Suspending logic and reason for blind faith”. The author, Donovan Colbert, expresses outrage/amazement at the unreasoning adherents of operating systems in the security debate. He compares the “many eyes” of FLOSS versus the “security through obscurity” of non-free software. This is an old story but he dredges it up anyway.

His argument is that the many eyes feature is also a vulnerability since the bad guys can also see the code, not just the good guys. This is nonsense.

  • Knowing the code is visible, the good guys will always pay more attention to security than coders of closed software. It’s like welding. An ugly weld is a bad weld. A pretty weld can be good or bad. Whom do you want making your welds? Guys who make pretty welds or guys who make ugly welds? That is easy to answer. Colbert doesn’t get it.
  • Visible code will always be modular. That makes it much easier to isolate and to fix a vulnerability. Closed code can be a huge pile that no one knows how to fix because the guy who wrote it left.
  • A bad guy looking at good code is much more likely to realize he is beating a dead horse and go elsewhere. Bad guys are lazy. That’s the meaning of “bad”, not wanting to do an honest day’s work.

Colbert completely ignores the ease of finding vulnerabilities in bad code by automated means. Read about fuzz-testing and the like. Exposing Lose ‘9x to fuzz-testing revealed tens of thousands of vulnerabilities. Estimates of bug counts in that other OS are staggering.

On rate of growth, Windows NT code volume rose 35% per year (implying that its complexity rose 80%/year) while Internet Explorer code volume rose 220%/year (implying that its complexity rose 380%/year). Consensus estimates of accumulated code volume peg Microsoft operating systems at 4-6x competitor systems and hence at 15-35x competitor systems in the complexity-based costs in quality. Microsoft’s accumulated code volume and rate of code volume growth are indisputably industry outliers that concentrate complexity in the periphery of the computing infrastructure. Because it is the complexity that drives the creation of security flaws, the default assumption must be that Microsoft’s products would have 15-35x as many flaws as the other operating systems.5

Would that complexity be allowed to exist if the source were open? I doubt it. The criticism would be unbearable. Better to hide it while selling useless features. Openness is like being able to lift the hood of a vehicle before buying it or taking a test drive. If you could do neither of these, you would only make the purchase in an emergency.

You can bet FLOSS is more secure because the code is open. That does not mean there are no vulnerabilities but you will find that vulnerabilities in FLOSS can be fixed much sooner because the consequences of change are visible to all and everyone is watching.

If logic fails Colbert he should consider history. Those who ignore it are bound to repeat it. M$ shipped closed code and were ripped for a decade by malware. GNU/Linux has been exposed to the web for a decade and the majority of compromises have been inside jobs or weak passwords. Here are some intriguing fuzz-testing results from 2000 when that other OS was nearing its peak of popularity for malware:

http://pages.cs.wisc.edu/~bart/fuzz/fuzz-nt.html
Our 1990 study evaluated the reliability of standard UNIX command line utilities. It showed that 25-33% of such applications crashed or hung when reading random input. The 1995 study evaluated a larger collection of applications than the first study, including some common X-Window applications. This newer study found failure rates similar to the original study. Specifically, up to 40% of standard command line UNIX utilities crashed or hung when given random input and 25% of the X-Window applications tested failed to deal with the random input. In our current (2000) study, we find similar results for applications running on Windows NT.

Our current study has produced several main results:

  • 21% of the applications that we tested on NT 4.0 crashed when presented with random, valid keyboard and mouse events. Test results for applications run on NT 5.0 (Windows 2000) were similar.
  • An additional 24% of the applications that we tested hung when presented with random valid keyboard and mouse events. Test results for applications run on NT 5.0 (Windows 2000) were similar.
  • Up to 100% of the applications that we tested failed (crashed or hung) when presented with completely random input streams consisting of random Win32 messages.
  • We noted (as a result of our completely random input testing) that any application running on Windows platforms is vulnerable to random input streams generated by any other application running on the same system. This appears to be a flaw in the Win32 message interface.
  • Our analysis of the two applications for which we have source code shows that there appears to be a common careless programming idiom: receiving a Win32 message and unsafely using a pointer or handle contained in the message.
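The careless idiom named in the last finding, next to a checked version, as an added C example that is not from the study or from this post. The message struct, handler names and widget table are constructed stand-ins rather than the real Win32 API; the fuzz loop runs only the checked handler and merely counts the messages on which the unchecked one would have written through a pointer that is not a live widget.

```c
#include <stdint.h>
#include <stdio.h>

#define MSG_SETFLAG 1u   /* constructed message id */
#define MAX_WIDGETS 8
typedef struct { uint32_t id; uintptr_t lparam; } msg_t;  /* stand-in for a Win32 message */
typedef struct { int live; int flag; } widget_t;
static widget_t widgets[MAX_WIDGETS] = { {1, 0}, {1, 0}, {1, 0} };  /* 3 live widgets */

/* Careless idiom: the sender's lparam is used as a pointer with no validation. */
int handle_unsafe(const msg_t *m) {
    if (m->id != MSG_SETFLAG) return -1;
    ((widget_t *)m->lparam)->flag = 1;   /* wild write unless lparam is a real widget */
    return 0;
}

/* Checked version: lparam is an opaque handle (table index) validated before use. */
int handle_safe(const msg_t *m) {
    if (m->id != MSG_SETFLAG) return -1;
    if (m->lparam >= MAX_WIDGETS || !widgets[m->lparam].live) return -2;
    widgets[m->lparam].flag = 1;
    return 0;
}

/* Model only: would handle_unsafe write somewhere that is not a live widget? */
int unsafe_would_corrupt(const msg_t *m) {
    if (m->id != MSG_SETFLAG) return 0;
    for (int i = 0; i < MAX_WIDGETS; i++)
        if (widgets[i].live && m->lparam == (uintptr_t)&widgets[i]) return 0;
    return 1;
}

static uint32_t rng_state = 0x2545F491u;   /* fixed seed: reproducible run */
static uint32_t rng_next(void) {           /* xorshift32 */
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5;
    return rng_state;
}

/* Feed n random messages to the checked handler; the unchecked one is only modelled. */
void fuzz(int n, int *accepted, int *rejected, int *unsafe_hits) {
    *accepted = *rejected = *unsafe_hits = 0;
    for (int i = 0; i < n; i++) {
        msg_t m; m.id = rng_next() % 2; m.lparam = (uintptr_t)rng_next();
        *unsafe_hits += unsafe_would_corrupt(&m);
        if (handle_safe(&m) == 0) (*accepted)++; else (*rejected)++;
    }
}

int main(void) { int a, r, u; fuzz(1000, &a, &r, &u);
    printf("accepted=%d rejected=%d unsafe_would_corrupt=%d\n", a, r, u); return 0; }
```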

So stuff from 1995 in X applications crashed 24% of the time in fuzz-testing but 100% of GUI apps in Lose 2000 crashed. Does being closed make you more secure? Nope.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.