
Jim Zemlin is the head of the Linux Foundation. Their mission is to “promote, protect and advance Linux”. So, why did Jim recently say that the “golden age of Linux” might soon come to an end?

The answer to that lies in the ability of the Linux community to cope with security problems. It turns out, it’s harder than you think.

A Flurry of Security Problems

The past 48 months have been brutal for Linux. That isn’t hyperbole. Major security vulnerabilities have been found in almost every single distribution, with serious consequences for end-users.

The one with the most notoriety was Heartbleed. This vulnerability impacted OpenSSL, and made it possible for an attacker to read the memory of a vulnerable server and steal the secret keys used in asymmetric encryption.

This, as you might expect, fundamentally undermined the integrity of online encryption. At the time, millions of systems were at risk. To this day, it’s estimated 200,000 systems are unpatched.

Then there was Shellshock. This was another serious vulnerability, this time affecting the BASH shell. When exploited, an attacker could execute their own malicious code on vulnerable OS X, BSD and Linux systems. We wrote about it last September.

Finally, there’s the Linux GHOST vulnerability. This was as nasty as the other vulnerabilities in terms of the number of systems it affected, and the potential for abuse that came with it.

The GHOST vulnerability was a buffer overflow found in glibc, where a remote attacker could send a carefully crafted packet containing a shellcode payload, which would be trustingly executed by the vulnerable system upon receipt. This would have allowed an attacker to execute their own arbitrary commands, without even a username or password.

Budgets and Volunteers

This wasn’t an exhaustive list but, as Zemlin pointed out, each vulnerability has something in common. They all impacted significant Linux components which were suffering from a shortage of funds, or a shortage of volunteers.

Take OpenSSL, for example. In the months leading to the discovery of Heartbleed, it had received less than $2000 in donations. According to Zemlin, for a long time it was being maintained by two volunteer developers. Coincidentally, both were called Steve.

NTPd – which is responsible for ensuring all Internet-connected Linux computers are on time, and is vital for encryption to work – is being worked on by one part-time volunteer. Bash and OpenSSH are in similarly dire straits.

Meanwhile, the Linux Kernel is flush with funds and volunteers, and is supported by some of the biggest names in technology, like Red Hat, Google, and even Microsoft, albeit not for long. There’s a huge inequality in the allocation of resources, with some core Linux components better off than others.

It used to be the case that Linux could depend on being secure through obscurity. But as it’s increasingly used as a server and desktop OS, it can no longer depend on that. Linux is now an incredibly lucrative target for hackers, and other digital ne’er-do-wells.

The entire Linux community has to make sure that the small, but often forgotten parts of the OS are sufficiently funded, staffed, and able to deal with security threats as they emerge.

Linux’s Successor

But if these changes fail to happen, and the fundamental security of Linux is brought into question, it seems all but certain companies and users will move elsewhere. But where will they go?

OpenBSD

The motto of OpenBSD is “Only two remote holes in the default install, in a heck of a long time!”.

It’s true.

OpenBSD was founded by Theo de Raadt in 1996. It started life as a fork of NetBSD, after the notoriously fiery de Raadt was kicked out of that project due to “personality differences”.

Since then, only two remotely-exploitable vulnerabilities have been discovered in OpenBSD. This is a negligible sum, compared to Linux, Windows, and yes, NetBSD.

That’s no accident. OpenBSD is designed from the ground up to be secure. Each line of code is meticulously audited for bugs and security flaws, and developers have to abide by strict secure coding guidelines. Crucially, it’s small, and comes with fewer software packages in the default install, thereby reducing the number of potential attack vectors.

Although OpenBSD is obscure, many of its components, like OpenSSL, OpenNTPD, and the PF (Packet Filter) firewall, have found success in other operating systems.

This “security by design” ethos is appealing to companies who are eager to avoid embarrassing security breaches, and users who are looking for a more secure computing experience.

For a more detailed comparison between Linux and BSD, check out this piece by Danny Steiben: “Linux vs. BSD: Which Should You Use?”

Windows 10

I know. Endorsing Windows 10 and suggesting Linux might have hit its peak is almost like signing my own execution warrant. At the very least, it’s certain to provoke some angry comments.

But although some might not like to admit it, Microsoft’s immense wealth gives it a relative immunity to some of the problems Linux faces.

If a severe vulnerability crops up in a vital part of Windows 10, for example, there’s no question Microsoft would have the available funds and manpower to deal with it. Microsoft don’t have to rely on the motivation of individual volunteers. They’ve got dedicated, paid employees.

Although Windows’s track record in all-things security is up for debate, Windows 10 is a vast improvement on previous versions, and has been touted as the “most secure Windows ever”.

But even if that’s not the case, it’s easily the best Windows ever. With its revamped aesthetic, improved browser, and Cortana, it’s a joy to use on both the desktop and the tablet.

Despite that, the thought of using Windows 10 might be a little too unpalatable for many Linux users.

Is There Any Hope For Linux?

The Linux world has a major problem. How can it ensure that the significant, but often neglected, components of the OS are sufficiently resourced? If this isn’t fixed, then you can all but guarantee Jim Zemlin’s predictions will come true, and Linux will enter a slow and unstoppable decline.

But what do you think? Is the end nigh for Linux? Or will it survive? Let me know what you think in the comments below.

Photo Credits: omihay / Shutterstock.com, Glass Jar (Lemon Tree Images)
