"Behind the Scenes"
|October 2012||The monthly newsletter by Felgall Pty Ltd|
Operating System Security
It is amazing just how many people think that obscurity provides security when in fact it does no such thing. Even many of those who realise that just because something is obscure (or even simply less popular) doesn't make it more secure, don't think it through to the logical conclusion. The more obscure or less popular systems are not more secure, they are simply less likely to be targets of attacks. This makes security appear to be less necessary with less popular and more obscure systems than it is with the more popular ones.
In fact in most instances the more obscure and less popular a system is the less effort will have been put into locating the security holes in that system. This is because the attackers are not spending the time to find the security holes in order to exploit them because they have something else they'd rather target that will have a bigger effect. There is less incentive for the authors of the given system to patch any security holes in their system because no one (including the authors) knows exactly where those security holes are and the people who would be exploiting them if they were identified are too busy attacking some other more popular system.
With a more popular system that is being subjected to attacks the attackers are finding the security holes in order to exploit them. The authors having found out that these holes exist then rewrite that part of the code and patch their system to remove that security hole. In some cases they may accidentally introduce another security hole in the process of patching the first but generally when a security hole is identified by someone hoping to exploit it, patching it will mean that there is one less security hole hidden in that system waiting to be found.
Occasionally someone will discover a security hole in a system by accident or as a side effect of something they are trying to do without any intention on their part to actually exploit such a security hole and in that instance a security hole will get fixed without any attempt having been made to exploit it. This is far more likely to happen with a more popular system than with a less popular more obscure one simply because there are more people using the more popular system.
So overall the more popular a system is the more likely it is that the security holes in the system will be found and patched. We don't need to consider the possibility that the system doesn't contain security holes in the first place or that a system will ever be patched to the point where there are no further security holes waiting to be found except in the simplest of computer systems because once a computer system involves more than a few thousand statements the number of different ways of interacting with the code becomes so great that there would never be enough time to test them all and any form of statistical analysis on the code will simply tell us roughly how many security holes that the code is expected to contain without providing any indication as to where those holes are or even whether they really exist. All we can really ever know is that it is reasonably likely that there are fewer than 'x' security holes waiting to be discovered in a given system and that the lower the number we choose for 'x' the larger amount of time would be required to find another security hole. No one is prepared to pay the amount of money that would be required to prove that a given system is actually free of security holes because no one has sufficient money to be able to afford to finance such an effort for even a moderately complex system.
What may not be so obvious is when you apply this to operating systems. Now operating systems are now extremely complex systems consisting of many millions of lines of code and therefore are fairly certain to contain a significant number of security holes. That such software does contain a huge number of security holes is readily seen because a significant number of such holes have been identified and patched in the Windows operating system. Similar numbers of security holes are likely to exist in the other less popular operating systems as well but with these it is not so obvious that such huge numbers of security holes exist because so few of them have been identified and patched. The reason why so few have been patched is not because very few holes exist though. The reason so few have been patched is that so few people have actually been actively looking for security holes in these operating systems. The Windows operating system is statistically likely to be the most secure operating system with by far the fewest security holes remaining simply because so many of them have already been exploited and patched. Using any operating system other than Windows means that you are using an operating system that probably contains far more security holes than Windows does and the only reason that less security holes are being patched is that fewer of them are being found because no one is actively looking for them. Using an operating system other than Windows because you believe that it is more secure is making the mistake that obscurity is the same as security.
The other mistake that people make when they choose to use a less popular operating system is that they decide that they don't need to run as much security software as those running Windows generally use. The problem is that just because no one is targetting their operating system with viruses doesn't mean that they will not receive emails that contain viruses. While those emails will not affect their system, their system can still act as a carrier to pass on those viruses to other people. In fact those creating the viruses in the first place are extremely happy that so many people running alternative operating systems are so helpful in passing on their viruses to all their friends. Having an alternative system act as a carrier allows viruses to spread far further than would be the case if such systems were configured properly to block the viruses and not simply pass them on. So those running alternative operating systems without running all the equivalent security software to what they would run if using Windows are in fact actively assisting to make things worse. Anyway, at some point the system they are running may become popular enough to become a target itself, or those less experienced at finding security holes to exploit may simply turn to an alternative operating system simply because it is becoming too hard to find new security holes in Windows.
The following links will take you to all of the various pages that have been added to the site or undergone major changes in the last month.