Posts Tagged ‘Microsoft’

Windows trumps Linux – gosh!

Thursday, March 24th, 2005

Reports yesterday that Windows (specifically Windows Server 2003) trumped Linux on security issues are no real surprise – I’ve been saying for some time that the whole anti-Microsoft thing was just a combination of hype and jealousy, and it’s gratifying that more evidence is emerging that I was right!

Of course, the fact that Microsoft funded the research will be used to try and undermine the conclusions of the report – but that’s so obviously an ad hominem argument that I’m surprised anyone gives it much house room. The only meaningful response the open source community should be trying to make is to dispute the facts: it either is, or it isn’t, true that the Microsoft platform recorded 52 vulnerabilities against the Linux installation’s 174. (174? – wow!)

Once that claim is admitted or proved wrong, there’s then a possible discussion about the comparative seriousness of the vulnerabilities – and that’s the arena this conversation should be in. Anything else is just pandering to spin and hype – and look where that got us in Iraq.

Calling time on Firefox

Thursday, March 3rd, 2005

A sensible article on Firefox in an enterprise environment leads to the obvious conclusion that anyone who buys a product in its 0.x or 1.0x versions ought not to be employed (or not for very much longer, anyway) in any organization that is even minimally risk aware.

And, frankly, you don’t have to be much of a contrarian to spot that Firefox isn’t much of a competitor for Internet Explorer. While the out-crowd hype has driven Firefox market share to 8.45% in a short space of time, IE still has 87.28% of the market. When Firefox started out, the IE share was about 96%. 1-0 for hype.

Now, ask yourself: if you were a criminal (hackers, crackers, and other malcontents included), and you wanted to attack websurfers, what would you target? The two or three browsers that, between them, have less than 5% of the market, or the single one that has about 96%? OK, so, given that both the professional and the amateur online criminal fraternities have been targeting IE for a few years, how many vulnerabilities do you think they may have found by now?

And, given our apparently insatiable mania for bigger, better, faster, cooler, NOW! – what’s the likelihood of new IE releases having new vulnerabilities?

In other words, browsers are always going to have holes, and the crooks are always going to focus on exploiting the holes. And they sure are – witness the flaw found last month in all browsers EXCEPT IE. Hmm.

So, on the one hand, we’ve got Microsoft – who’ve built a machine for cranking out updates and getting them to end users quickly and efficiently – and on the other, we’ve got Mozilla, who’ve got… how many guys actually working on fixes?

Of their nightly builds, Mozilla say this: “You will find bugs, and lots of them. Mozilla might crash on startup. It might delete all your files and cause your computer to burst into flames.”

Thanks. That’s a helpful warning.

Even Mozilla recognise that the hype is running out of steam.

Bill Gates vs ?

Friday, February 25th, 2005

The only reason everyone goes for Bill Gates (apart from he’s got the money) is that there’s only one of him. It’s long been fashionable to moan about Windows, and to point the finger at its (multiple) vulnerabilities. As though any product that doesn’t sit on almost every desktop isn’t going to be attacked – a lot.

Now that Unix/Linux solutions are moving from fringe show to minority competitor, they’re beginning to be worth attacking. And guess what?

Open source also has holes. Open source isn’t, after all, a golden bullet – a bit more like a bullet in the foot. With Bill Gates, you just have to moan until the patch is released and then get it installed – and then most of the world is safe – but if a vulnerability is found in an open source product – and more and more are – then you have to wait for multiple vendors to release their own individual open source patches – and they take different amounts of time, and they do the job differently (or indifferently) well – and maybe you get safe. And maybe not. And open source products come, and go, and so no-one really gets to have much of a profile – which means no-one ever really gets round to whining at them.

I’d rather have a software supplier who sorts the problem out, in one hit, across the world. Anytime.