NEWS Symantec CEO John Thompson has hit out at "the myth" that Microsoft's operating system is inherently less secure than the open-source alternatives, which he likened to a "dead-end alley". However, he still had few kind words for the software giant.
Thompson believes the reason Microsoft is so often seen as culpable for virus outbreaks and security flaws is simply because it is the biggest target – though he admitted that if "things get too homogenised, it is not a good thing" – especially where security is concerned.
And while some believe Microsoft's move into the antivirus field, through acquisition, means it is best placed to heal its own wounds, Thompson is unconcerned, claiming Microsoft lacks the credentials to be taken seriously in the antivirus sector.
"The market will acknowledge that you want to buy security products from people who know what they are doing. We've been doing this for years. We don't do game boxes and we don't do operating systems. We do security."
Thompson likened virus writers to graffiti artists – and the operating systems targeted as their 'canvas'.
"If somebody writes graffiti they're not going to write it on a wall at the end of a dead-end alley. They're going to write it on a train that travels right through the city centre."
In Thompson's opinion the ubiquity of Microsoft's operating system simply offers a more attractive canvas for the virus writers – hence the higher number of attacks aimed at Windows vulnerabilities.
Thompson was in the UK to speak at a Prince's Trust event, chaired by silicon.com editor Tony Hallett
Speaking on stage, Thompson said: "There is a myth in the industry that Linux is inherently more secure. I don't believe that."
But Thompson doesn't see things moving on from Microsoft any time soon – scotching suggestions that mobile and wireless will be the next target for virus writers.
Speaking at the event, he said: "The Windows environment will be target rich for a long, long time", singling out Microsoft Office as the next likely target area for virus writers already au fait with Microsoft code.
However, more important than concerns about operating systems or the actions of virus writers is the need for greater user education, according to Thompson.
"There is a huge awareness problem that needs to be dealt with," he said, warning that end-user error can still undermine even the most thorough digital security.
"Why would somebody click on an attachment from somebody they don't know? To me that just doesn't make sense."
Thompson urged companies to take the issue of educating staff far more seriously and combine it with policy and technology.
"Security is a process, not a bunch of products," he said.
Comments
There are 35 comments. Join the discussion
1. anonymous
Mr. Thompson is right in his statement that "Security is a process, not a bunch of products" but he is completely wrong with this statement:
"the myth" that Microsoft's operating system is inherently less secure than the open-source alternatives, which he likened to a "dead-end alley". However, he still had few kind words for the software giant.
Sales talk! Of course! He is the CEO of Symantech and wants to give the impression of a myth, only to sell "Anti-virus" solutions to some OSS* users who don't know better.
"the ubiquity of Microsoft's operating system simply offers a more attractive canvas for the virus writers – hence the higher number of attacks aimed at Windows vulnerabilities."
The above IS a real myth! If the graffiti artist cannot reach the canvas, there is only one obvious alternative left. Not because it is the biggest, but because it is the easiest. In 1990 when I started my IT career, Windows was in its infants and Linux was not even thought of (ask Linus?),there was a plethora of viruses that infested that so called operating system. During these 14 years we are still in the same position.
No progress what so ever. If nothing else, THIS is "a dead end alley"!
Of course Symantech and their alikes
don't complain - it's their bred and butter.
* OSS = Open Source Software
/K
---
2. Dave Hammond
Funny, I remeber NetScape saying that Microsoft, due to their inexperience, was not a serious threat when they got into the browser market.
I also remember IBM, Lotus, WordPerfect, Novell, and others saying the same thing.
When will these people ever learn?
3. DataHaunt
First of all anonymous, I have to thank you for making me $10 richer. I bet a colleague that the first post would be a Linux devotee defending OSS.
I admin both Windows and Linux. During ANY given week of vulnerability announcements, Linux beats Windows hands down in sheer volume. It is a given that when a MS flaw is found and taken advantage of it makes for big news especially if lackadaisical system administrator fail to patch, but claiming that Linux is rock solid and strong on security inherently is a statement of faith, not fact.
I’ve been a system admin since the late 80’s. The market and the targets change depending on who is the biggest target. Back then it was Novell, Microsoft and Unix being attacked via vulnerability, hacks, worms and the like. Now Microsoft gets the lion’s share of the attention. If you were to be honest and tracked the increase of the number of attacks on Linux (hacker, vulnerability, etc.) made, you would see that such attention to Linux goes hand in hand with its new market popularity.
Want a more secure OS? Go with OpenVMS, Argus or MVS. All others have to work at it.
4. Gavin Harrison
Mr Thompson has clearly never done any graffiti, and also very clearly never used linux.
If you don't log in as an administrator (which you almost always have to under windows) or root, any virus is limited as to the damage it can do assuming there are no local vulnerablilties in the linux system.
5. anonymous
If being the majority is the problem, then why does apache not have this problem w/ over 50% of the market?
6. anonymous
While it is true to say that Linux is not immune to viruses in general, it is also true that Windows is fatally flawed with respect to such attacks.
The more Windows services and applications are integrated closely together, the greater the possibility of an attack having serious system-wide consequences. This is why Microsoft's efforts to further integrate the various components of Longhorn serves as a serious threat to security. Linux, at its very core, has a "keep them separate" philosophy that Windows doesn't share. That makes Windows a more tempting target for the virus writer than Linux. The virus writer will always have a greater "bang for the buck" when attacking Windows. Breaking Linux is a lot harder than that.
Also, most of the recent security problems in Linux seem to require the hacker to have physical access to the machine, unlike Windows, where just connecting a computer to the internet can compromise the system.
In the final analysis, Windows is more vulnerable than Linux, because of basic fundamental development decisions that go to the very heart of the OS. Windows is still a glorified single-user operating system with a thin vaneer of multi-user capabilities spread on top. Why else does a software update or installation in Windows require a reboot? Why else does "fast user switching" even exist?
No OS is perfect, but the sort of flaws that Windows exhibits (which are "features", oh by the way), and upon which virus and trojan writers depend for their dirty work, just can't be defended. And these are flaws that cannot be corrected either, since they are central to the Windows design philosophy. Notice the warning that Microsoft has given that XP Service Pack 2 will definitely break some software, due to tightened security. Imagine what would happen if they really fixed Windows.
7. flacco
so, essentially, mr thompson is saying:
please don't migrate to linux to avoid security issues, or we'll end up selling less of our software;
please don't trust microsoft to secure their software, or we'll end up selling less of our software.
even though you can't trust what he says, at least he's got a consistent theme.
and the REAL dead end alley is the proprietary commodity software market. that means you, symantec, and of course microsoft. it may be a long alley, but unless you change your business models to accommodate the unstoppable sea change in the software industry, you'll hit the end fast and hard.
8. Warren Swaine
This made me laugh. A CEO of a company whose products regularly fail to do what they claim to do because of an inherent design flaw - the addictive update model, claims that another company doesn't have the credentials to do better. Sort your own house out first!
9. anonymous
Symantec? Security? Hah.
Firstly, if they did do games, Norton Internet Security wouldn't have told me UT2004 was a trojan and wasted 2 hours of my time.
Secondly, if you try to renew their product from the UK, what can happen is that their website presents you with another country's options repeatedly and it takes 3 months for them to respond to your request for help typed into their uk website.
Oh, and mysteriously my card reader works now I use F-prot and Zonealarm instead. Heaven knows how NIS could interfere with that.
10. Jeremy Chatfield
Bullsh*t. Apache kicks IIS's butt.
Apache is the most widely used web server on the net. Period. It is used on Microsoft and Linux OS's. IIS is used exclusively on Windows. IIS is attacked heavily, *BECAUSE IT IS WEAK*.
There have been attacks on Apache - Lion Worm, etc. But these are rare and usually rapidly contained, unlike the repeated weaknesses in IIS and the continuing insistence of MS administrators running obsoleted versions becausethe MS patching processes are so prone to causing problems in unrelated systems.
You can't claim that this is because of rare skills held by Linux bigots, because Apache is also popular on Windows.
There are intrinsic weaknesses to Linux. Running unauthenticated code off the stack is the most obvious flaw in both OS's.
However, certain features of Linux, such as versioning of dynamic link libraries, allows controlled use of updates and limits propogation of problems introduced by poorly tested updates.
The practicalities are that when I abandoned Windows for daily use, I reduced the demand on my time for applying patches and fixing up warped stupidity by about 10-15%. That's a gain of at least 20 useful work days per year, from that one action alone, costing me two days of conversion and training.
There is an inherent difference in an operating system with a thirty year history of security, and a commercial operating system designed for marketing purposes and license upgrade fees.
I believe that the MD of Symantec has a commercial relationship with Microsoft. He also has a financial dependency on the continued success of Microsoft OS's, because his sales would be sharply damaged if Linux systems were more widely used.
IOW - this "news" is FUD based on self serving analysis rather than a useful contribution with the benefit of the consumer in mind. In brief, he's lying to protect his company.
11. anonymous
What will happen to all these 'secure' Linux networks when it has a larger market share and is a more attractive target?
At the moment few viruses etc.. are written for Linux, but as it becomes more attractive to virus writers a lot of people will be in for a very big surprise. When it becomes a serious target people will find a way to circumvent the 'security' of Linux, they always do.
No system is immune once it becomes a big enough target, and to believe otherwise is simple stupidity.
Symantec will begin to sell Anti-Virus software for Linux, and no doubt charge for it as they do with Windows. If anybody out there believes they won't need Anti-Virus software for Linux in the future... I wish you luck.
12. John Walker
"Why would somebody click on an attachment from somebody they don't know? To me that just doesn't make sense."
Why would someone step backwards off the balcony with a broken or missing handrail? Because they can. It's the whole reason we have Health & Safety regulations. I really don't believe you can blame users entirely for what is possible in the daily grind.
Hands up whose mouse has never mysteriously selected the line above or below the one you really meant to click.
It's not sufficient that the gun be kept out of reach - it must be unloaded too.
13. Rod Sheaff
No Microsoft vulnerabilities = much less business for Symantec. So Symantec needs the invalid to survive. No wonder they don't blame Microsoft.
14. Joshua Burstyn
It is quite clear to me that if Symantec wants to stay in business, they will promote Microsoft Products. They have relatively few Linux/Unix products, and it is in their best interest to promote Windows and MS Office if anyone is to buy their products.
Without MS, Symantec wouldn't sell any products.
While I would never go so far as to testify this in court, I do believe Symantec is probably responsible for the creation of many of the virus' that are on the internet. It's a great way to stay in business!
15. Domenic
Security, as a whole, can be compromised regardless of OS or platform. The issue in my opinion (which is shared by the vast majority of admins and engineers) isn't which OS is virus-proof because that's simply not possbile. No, the issue is twofold. Firstly, if a server running any flavour of Linux is hit with one of it's 20-25 viruses even without protection, it's very nature alone will isolate the offensive bug to the lone user account. You can't WRITE over or change files unless user permissions are enabled on that directory or file. Quite simply, only the poor sap's account who got hit with this bug will be affected. You can talk to any admin out there and they'll obviously tell you the same thing. It's much easier to handle one user account's problems than an entire network of chaos. In order for that same virus to infect others on that same network, the admin would have to knowingly access the root account, open the virus there, and based upon the virus' makeup, let it loose on the network. Not bloody likely. Windows (we'll use 2003 server for example) by default, enables all priveleges for all users. And even if priveleges are limited, their are still several ways to access other accounts across that same network. I could also get into the dangers of binary executables as well, but I'm running out of time here. Lastly, one must also focus on the fact that yes there are literally tens of thousands of viruses for the Windows platform because of it's dominance in the desktop market. Linux, at this point in time, is a heavy favourite in the server market. It has between 20-25 viruses. Yes, that's right: 20-25. So of, if I'm an executive having to make a decision on a server (keeping in mind that every day all I hear about from IT is trojan this and worm that) I'm naturally going to go with the less prone to invasion OS. It's that simple. Is it fullproof? No. Is it the safer alternative today? Absolutely.
16. anonymous
Basicaly, Mr T. protects its own busines. He sais, stay with MS, bad guys will write viruses, and Symantec will have a market.
Imagine Linus and Unix as his market. Not very flurish.
Thou I agree, security is a proces not a bunch ow software.
17. Nick
"Why would somebody click on an attachment from somebody they don't know? To me that just doesn't make sense."
Duh? Why would anyone follow a link on a web page? Why would anyone click on a picture that says, "Play Movie"?
Because we've been trained to "try it and see".
If it doesn't make sense to you, perhaps you should get a new job.
18. Nick
"Why would somebody click on an attachment from somebody they don't know? To me that just doesn't make sense."
Duh? Why would anyone follow a link on a web page? Why would anyone click on a picture that says, "Play Movie"?
Because we've been trained to "try it and see".
If it doesn't make sense to you, perhaps you should get a new job.
19. anonymous
What do CEOs know about security, anyway? Is he even qualified to make such statements?
20. anonymous
Hmmm. Isn't the "numbers" excuse the same line Bill Gates gave in defense of his operating system?
It is pretty easy to see the source of the FUD when it turns out to be the exact same reasoning. It is also easy to see the elementary strategy at play:
Repeat after me, and repeat often until it becomes accepted truth.
21. Wendell Anderson
John Thompson should stick to managing and marketing the business end of Symantec, and not indulge in technological opinion that is outside his range.
It has been conclusively proven and demonstrated that MS Windows, MS Internet Explorer (IE), and MS Outlook, amoung other MS applications are poorly designed and executed.
No matter if one discards ALL attachments, the software will be virus, worm and bug ridden. Mr. Thompson should know that the basic design of Unix/Linux precludes most of the security problems of Windows. Yes, poor administration and security policies/practices can affect UNIX/Linux or any other software stack, but the basic structure is inherently more robust and secure.
22. Steve Berry
Ere' we go again. Same old story..
Can't anyone see what's really going on here ?
MS playing the Corp game again through acqusition / rebadging.
Competitors can say / do as they please, shoot from their own perspectives / interests etc.. Whilst they do, MS continue to gain footholds in key market segments which in the long-term will make em' even stronger. Short term industry analysis is exactly that - SHORT TERM.
Virus' whilst problematic aren't exactly strategically important to the large Corps of this world and never will be.
Wake up n' smell the "economies of scale" coffee chaps/chapesses !
23. cirilo bernardo
"Why would someone click on an email form somebody they don't know?" Well, aside from what was pointed out earlier (accidents happen), don't forget that published flaw where a malformed MIME header would cause M$ Outlook to execute arbitrary code. Sorry, J.T. -- in Bill's world, you don't even have to click -- you're simply an unwilling and unwitting victim.
24. anonymous
The age old myth that virus writers like writing for Windows because of the bigger market share. I'd imagine a virus writer would love to write a virus for Linux as well. This would make the writer very famous, as being the first to successfully exploit Linux holes. Especially now that the hype for Linux security is very high. It's either they become another two-bit Windows virus writer, or become a top-class Linux virus writer.
25. anonymous
Obviously Symantec knows nothing about Linux, or just enough to be dangerous.
Linux is so transparent to the administrator that you can see fine grain activity. There isn't any guessing about which application is opening what port. It's al right there for you to see. Try figuring out which app is opening a port in Windows sometime.
Administration of system services is a breeze compared to any MS product and if all else fails you have iptables (a.k.a. netfilter) to really lock things down.
MS makes joke OS's for people that can't think or see beyond the pretty pictures. If MS wanted to get serious about security they would stop catering to the braindead mouse jockies.
Think about it. I have never seen, or heard of the Linux/Unix admin that didn't also know windows admin, but I have seen far too many windows admins that know little else besides their beloved windows servers. Yet, somehow these windows admins rail against the evils of Linux and how it is just as bad as windows. Funny how they can even have an opinion on it.
26. Olivier Magere
It's only in terms of public exposure that open source software is being described as a dead end alley. But that's still wrong. Linux servers are a lot more widespread than that.
Also, the number of vulnerabilities announced for Linux is hard to compare with anything especially with similar Windows announcements. Vulnerabilities are officially announced when a fix is available. MS is notoriously slow at fixing these so announces are likely to be less often.
And it seems that any problem reported on something running on Linux is a linux vulnerability, which is not quite the same as what happens for windows.
27. Mark Lisle
The problem is lies at the heart of the software kernel of these systems not on user awareness of security by users. Only authorised processes should be able to plug into and use a system API. Microsoft should look to securing its API teaching its developers fundamental software engineering techniques rather than wasting its resources on acquiring wasteful virus checkers that grind your system to a halt.
28. anonymous
"MS makes joke OS's for people that can't think or see beyond the pretty pictures. If MS wanted to get serious about security they would stop catering to the braindead mouse jockies."
Unfortunately those "braindead mouse jockies" are the people who are paying your wages i.e. the users.
A lot of sys admins seem to forget that their function is to support the users.
Microsoft is dominant in the desktop arena because they provided a system that was easy for 'everyone' to use. That may have come back to bite them in the end, but until Linux provides an alternative that non IT people can switch to without major re-training costs, and all software makers start making Linux versions of their software, the desktop (which is were most viruses enter a business) will not change.
Linux in the server room being used by Tech savvy people? Great, we'll all save a few pennies. When you can tell us how to save tens or hundreds of thousands by replacing the users software people will begin to take notice.
Security doesn't interest the average user, so pointing fingers and bragging about how Linux security is better won't make them want to switch. Most companies would cease to function if they swapped desktops to Linux, and until that problem is solved Linux will only ever be a server system (unfortunately).
29. J Mahan
ok,
M$ in the Virus protection market. It's a win-win. Brilliant actually. Sell the fix for your own broken product. Like a cigarette mfgr investing in lung hospitals...
and the prev posts so eloquently mused on the "myth" & FUD of virus attacks - virus attacks can only be successful if there's a flaw to exploit - it's not the large M$ installed base that's the problem - it's large installed base of design flaws -
see M$ O/OE update site - 35 security fixes in 48 months - 1 every six weeks - how many Ford Explorers crashed on Firestone tires?? Half of dozen? That alone almost brought *both* companies to their knees and a recall and compensation...
People will beleive anything you tell them... until you start telling them the truth... Mark Twain
We should make BG an admin for six months and elect dubbya prez in iraq
30. anonymous
It's the never-ending argument of Linux vs Windows. They each have their own virtues. Personally, I prefer Linux for any security-intensive application. I have a 3 year old linux firewall in my home which has never been conpromised (not that it hasn't been tried or that it may not happen tomorrow), but at the same time, I also have two windows boxes behind the firewall which have stayed virus-free for about the same abount of time.
My point is, while internet security can be locked down to a certain point (web servers, firewalls, etc), security on the desktop is really dependent on the user no matter what OS you have. Most home users don't have a system admin to lock down their system for them to make sure they don't install damaging or virus-infested programs. So, unless they are educated in these matters, their computer is probably grossly unsecure even if they have "virus protection" or other "security" software installed.
It seems to me that user education is really the root of most security issues.
31. Piloo
Funny. Symantec make some of the worst (antivirus)bloatware going. Besides why compare MS and Linux; there are Apples too:-)
32. anonymous
why can't j mahan write properly? what's wrong with tecchies?
33. SystemsOne
Thompson...Oops
Was this a blooper...or perhaps reason why Symantec doesn't get it.
Today many viruses have the ability to "spoof" the original sender's email address. That said, many of the virus attachements that users will recieve nowadays WILL come from, at least in appearance, someone that they know...
34. anonymous
Quote: "The market will acknowledge that you want to buy security products from people who know what they are doing. We've been doing this for years. We don't do game boxes and we don't do operating systems. We do security."
Maybe he should look at the recent article in the mail on Sunday giving Norton 2004 less than a glowing write-up, or mayb look at the major problems with deploying SAV Corp ed v.9 if clients using outlook.
I certainly will be looking for a new vendor who "knows what they are doing" instead of renewing my corp ed subscriptions.
35. anonymous
"Security is a process not a bunch of products"
Call me a moron here; but I swear that was a mis-quoted quote from Bruce Schneier 'Digital security in a networked world' Also CEO of Counterpane Internet Security Inc.;
You'd think the CEO of a company as flashy as symantec would have a little more flashy quote/bottom line than some plagurized concept :)
Just my 2 cents.