The answer to that lies in the ability of the Linux community to cope with security problems. It turns out, it’s harder than you think.
A Flurry of Security Problems
The past 48 months have been brutal for Linux. That isn’t hyperbole. Major security vulnerabilities have been found in almost every single distribution, with serious consequences for end-users.
The one with the most notoriety was Heartbleed. This vulnerability impacted OpenSSL, and made it possible for an attacker to read the memory of vulnerable server and steal the secret keys used in asymmetric encryption.
This, as you might expect, fundamentally undermined the integrity of online encryption. At the time, millions of systems were at risk. To this day, it’s estimated 200,000 systems are unpatched.
Then there was Shellshock. This was another serious vulnerability, this time affecting the BASH shell. When exploited, an attacker could execute their own malicious code on vulnerable OS X, BSD and Linux systems. We wrote about it last September.
Finally, there’s the Linux GHOST vulnerability. This was as nasty as the other vulnerabilities in terms of the amount of systems it affected, and the potential for abuse that came with it.
The GHOST vulnerability was a buffer overflow found in glibc, where a remote attacker could send a carefully crafted packet containing a shellcode payload, which would be trustingly executed by the vulnerable system upon receipt. This would have allowed an attacker to execute their own arbitrary commands, without even a username or password.
Budgets and Volunteers
This wasn’t an exhaustive list. As Zemlin pointed out, but each vulnerability has something in common. They all impacted significant Linux components which were suffering from a shortage of funds, or a shortage of volunteers.
Take OpenSSL, for example. In the months leading to the discovery of Heartbleed, it had received less than $2000 in donations. According to Zemlin, for a long time it was being maintained by two volunteer developers. Coincidently, both of whom were called Steve.
NTPd – which is responsible for ensuring all Internet-connected Linux computers are on time, and is vital for encryption to work – is being worked on by one part-time volunteer. Bash and OpenSSH are in similarly dire straits.
Meanwhile, the Linux Kernel is flush with funds and volunteers, and is supported by some of the biggest names in technology, like Red Hat, Google, and even Microsoft, albeit not for long. There’s a huge inequality with the allocation of resources, with some core Linux components better off than others.
It used to be the case that Linux could depend on being secure through obscurity. But as it’s increasingly used as a server and desktop OS, it can no longer depend on that. Linux is now an incredibly lucrative target for hackers, and other digital ne’er-do-wells.
The entire Linux community has to make sure that the small, but often forgotten parts of the OS are sufficiently funded, staffed, and able to deal with security threats as they emerge.
But if these changes fail to happen, and the fundamental security of Linux is brought into question, it seems all but certain companies and users will move elsewhere. But where will they go?
The motto of OpenBSD is “Only two remote holes in the default install, in a heck of a long time!”.
OpenBSD was founded by Theo De Raadt in 1996. It started life as a fork of NetBSD, after the notoriously fiery De Raadt was kicked out of that project due to “personality differences”.
Since then, only two remotely-exploitable vulnerabilities have been discovered in OpenBSD. This is a negligible sum, compared to Linux, Windows, and yes, NetBSD.
That’s no accident. OpenBSD is designed from the ground-up to be secure. Each line of code is meticulously audited for bugs and security flaws, and developers have to abide by strict secure coding guidelines. Crucially, it’s small, and comes with a reduced amount of software packages in the default install, thereby reducing the number of potential attack vectors.
Although OpenBSD is obscure, many of its components have found success in other operating systems, like OpenSSL, OpenNTPD, and the PF (Packet Filter) firewall.
This “security by design” ethos is appealing to companies who are eager to avoid embarrassing security breeches, and users who are looking for a more secure computing experience.
For a more detailed comparison between Linux and BSD, check out this piece by Danny Steiben.
I know. Endorsing Windows 10 and suggesting Linux might have hit its peak is almost like signing my own execution warrant. At the very least, it’s certain to provoke some angry comments.
But although some might not like to admit it, Microsoft’s immense wealth gives it a relative immunity to some of the problems Linux faces.
If a severe vulnerability crops up in a vital part of Windows 10, for example, there’s no question Microsoft would have the available funds and manpower to deal with it. Microsoft don’t have to rely on the motivation of individual volunteers. They’ve got dedicated, paid employees.
Although Windows’s track record in all-things security is up for debate, Windows 10 is a vast improvement on previous versions, and has been touted as the “most secure Windows ever”.
Despite that, the thought of using Windows 10 might be a little too unpalatable for many Linux users.
Is There Any Hope For Linux?
The Linux world has a major problem. How can it ensure that the significant, but often neglected components of the OS are sufficient resourced? If this isn’t fixed, then you can all but guarantee Jim Zemlin’s predictions will come true, and Linux will enter a slow and unstoppable decline.
But what do you think? Is the end nigh for Linux? Or will it survive? Let me know what you think in the comments below.