Symantec's CEO offered an interesting defence of Microsoft this week... and even managed to sound like he was putting the boot in while he did it.
John Thompson, CEO of Symantec, likened virus writers to graffiti artists – and the operating systems targeted as the surfaces they vandalise.
"If somebody writes graffiti they're not going to write it on a wall at the end of a dead-end alley. They're going to write it on a train that travels right through the city centre."
The analogy is clear. Microsoft is a victim of its own success. And so, therefore, are we. Because of the monopoly Microsoft has achieved on desktop software it has pretty much secured a monopoly on virus attacks.
But this wasn't Microsoft-bashing - it was a heavy dose of reality.
Thompson raised eyebrows, going so far as to say the perception of Linux as safer is purely "a myth". It's a good - if highly contentious - point. Linux is certainly perceived as safer because there are fewer attacks; because there isn't the same potential for maximum damage.
Speaking to silicon.com in London this week, Thompson betrayed a fondness for car analogies. So here's one right back. A run-down old car which never gets stolen isn't more secure per se than a BMW or Mercedes, it is simply a less desirable target. As defences go it's not much, but it is Microsoft's best shot.
It's certainly an issue which will see fur fly in the IT industry. The pro-Linux lobby will hit out at such a statement as being unfounded and ridiculous. The pro-Microsoft lobby will doubtless concur that with ubiquity and popularity comes susceptibility. (Neither will be able to conclusively prove their argument.)
Though it could also be argued, with an old cliché, that with great power comes great responsibility - and Microsoft could certainly be accused of failing in its responsibilities, despite the move towards its 'trustworthy computing' initiative.
Knocking Microsoft for its record on security is almost passé now. At times it seems too tired, lazy and predictable to write the words. But Thompson's take on matters is interesting - and refreshing to hear from somebody on his side of the fence.
Too many rivals would throw the name of Microsoft out there and give a look to the audience laden with 'tell me about it' sentiments regarding how remiss the software giant has been in recent years - but it doesn't really get us anywhere closer to secure computing.
To understand the specific challenges is far more constructive. Like it or not the majority of computer users are Microsoft customers. Hence the majority of malware is written to attack the Windows operating systems and specific Microsoft vulnerabilities.

Comments
There are 3 comments.
1. anonymous
This defence of MS has been touted as often as MS has been criticized for security. It is, not at all, news.
2. leo maxwell
The analogy may be a little upside down.
In my experience, joy-riding kids usually steal older models because they are easier to break into, and are less likely to have an effective alarm or immobiliser.
Often all that is required is a cheap screwdriver.
The expensive models are usually stolen by professionals, who have better equipment and skills.
3. Jeremy Chatfield
Popularity test exists.
If popularity breeds attack, look at popular non-Microsoft software. Apache is more popular than MS IIS as a web server. See http://www.netcraft.com/ .
Apache runs on Windows and Linux, with substantially similar functionality. See http://www.apache.org/ for differences.
Web servers are accessible to anyone with malice in mind. My logs show many attacks to usurp MS IIS, on Windows. I see less than 1% of attacks based on subverting Apache. I see this in my customers' log files too. IOW, this pattern is probably widespread.
Popularity is not a reason to write malware, or I'd see at least 60% of the naughty traffic as being focused on Apache, not less than 1%.
There are attacks on Apache and attacks on Linux/Apache. Some of these have even been worms with some success. So it is a target with a yield, and it is popular software in an accessible location, with high visibility.
Why do attacks focus on the less popular IIS? I believe that it is because if you subvert IIS, you gain greater control of the system than if you subvert a Linux/Apache host.
The defence could be made that Linux systems require Linux Administrators, who are rare and know arcane things to protect Linux systems. This is a weak defence because it suggests that there is something intrinsic to a Windows Administrator that makes them less competent. I think the failure is the technology, not the people.
By this analysis, systems running IIS are easier to attack than systems running Apache. Systems running Windows offer a more complete subversion than systems running Linux. Competent attackers choose a web server and OS combination that gives them the greatest return on their effort, not the numerically larger number of hosts with capabilities limited by intentional and more difficult security restrictions.
It is not popularity that counts, but ease of use. Microsoft IIS and Windows are easier to use than Linux and Apache, by people with malice in mind.