
Explaining Security Concepts to ZDNet Bloggers Is Like Teaching Physics to a Pig

Date/Time Permalink: 11/12/10 03:22:43 pm
Category: General

For those of you wondering why I don't flame back at the massive ignorance of tech bloggers any more, it's because (a) it's like shoveling manure against the tide, and (b) 90% of them are so transparent that it's an utter waste of time. If preschoolers can see through it, why should I write a whole blog post pointing out that it's bogus?

Nevertheless, one of the FUD faithful occasionally has some tactic that was well-thought-out enough to render most of the troops in the FOSS ranks speechless. Oh, well, that's my cue to crack my knuckles and come in for a round, just for the exercise. So, today's "What-A-Moron" is whoever is hired to ghost-write under the picture of Sonja Thompson, Senior Editor at TechRepublic.

So, let me see if I remember how to do this. Here's the link to the post. Gotta have that. And, um, as much as I can read this through the crusty syntax, the argument is something like:

Proprietary software is said to be insecure because it's closed, so security holes can stay hidden and go unfixed, while open source software is said to be more secure because many eyes spot the holes and fix them. Actually, the argument goes, proprietary software is more secure because if the good guys can't spot the holes, neither can the bad guys. Likewise, open source is actually less secure, because the security holes are open for the bad guys to see, too.

Also, the word "logic" is brandished and brandished and brandished like a big stone club to scare away the timid, and an image of the old joke Tshirt "arrogant Linux elitist" is displayed in the hopes that Linux fans will be driven to rage and charge like a bull. Sorry lady, but like a black person being called "nigger," an educated professional being called "elitist" has learned to recognize that word as nothing more than an insult thrown around by bigots. Also, we took it back. Once it's on Tshirts, it's been defanged.

Ho hum. So, then, this formidable blowhard article would intimidate the smurfs out there. But allow me to take the wind out of it with the following one-sentence slash, indicating the point of failure of this "logic":

Crackers and Hackers Are Two Different Things!

And, see, we've only been screaming that one fact for what, 20 years now? The cracker/hacker confusion is older than Linux itself. Look, hackers build things; crackers break things.

Computer security is built by hackers. Computer security is broken by crackers.

Write it down. Graffiti it on subway walls. Print it on Tshirts. 20 years later, people still can't get it. We are forever stuck on page one of the book for Information Age 101.

The methods, the tools, the practices of hackers and crackers are different. Crackers do not go over source code to find their security holes. They use brute force. Got that? Crackers are not programmers, any more than a car thief is a mechanic.

Hey, you know that homes get burglarized, right? OK, so the burglars don't need to go to the Hall of Records and check out the blueprints to your Tudor mansion looking for points of entry, right? No, they smash a window or rattle doorknobs until they find one unlocked, and then they're in. A home burglar is not an architect.

The cyber equivalent of all that is running brute force attack programs. They don't even write this stuff themselves. They download scripts and run them, and when they hit something, they're in. It takes exactly the same, identical skill set that playing a slot machine does. Passwords are cracked by trying every combination (or every entry in a wordlist), website holes are found by requesting every likely file and directory path until one answers, cross-site scripting holes are found by slinging script tags into every parameter of a PHP page until one comes back unescaped, and so on. None of it requires reading a line of the program's source.
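To make the "slinging code at parameters" point concrete, here is an added example (not code from the original post, and not anything from TechRepublic or ZDNet): a black-box reflected-XSS probe of the kind the paragraph describes, run against a constructed stand-in for a PHP page that echoes a query parameter into its HTML. The page is simulated in Python rather than PHP, the parameter name `name` and the payload list are assumptions for the demonstration, and the probe never looks at the page's source; it only inspects responses. The hardened version shows the fix the maintainers would ship: output encoding.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for a PHP page such as hello.php?name=...
# This is the vulnerable "before" case: the parameter is reflected into
# HTML with no output encoding, so a reflected XSS hole exists.
def vulnerable_page(query_string: str) -> str:
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    return f"<html><body>Hello, {name}!</body></html>"

# Hardened version of the same page: identical logic, but the value is
# HTML-escaped before it is written into the document.
def hardened_page(query_string: str) -> str:
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    safe_name = html.escape(name, quote=True)
    return f"<html><body>Hello, {safe_name}!</body></html>"

# Canary payloads a black-box scanner would throw at every parameter
# (assumed list; real scanners carry hundreds of these).
PAYLOADS = [
    "<script>alert(1)</script>",
    '"><svg onload=alert(1)>',
    "'><img src=x onerror=alert(1)>",
]

def probe_reflected_xss(page, param_names):
    """Black-box probe: submit each payload in each candidate parameter and
    report every (parameter, payload) pair that comes back verbatim in the
    response body, i.e. without encoding. No source code is consulted."""
    hits = []
    for param in param_names:
        for payload in PAYLOADS:
            query_string = urlencode({param: payload})
            body = page(query_string)
            if payload in body:
                hits.append((param, payload))
    return hits

if __name__ == "__main__":
    # Guess parameter names the way a scanner would: from a small wordlist.
    guessed_params = ["q", "id", "name", "page"]
    print("vulnerable:", probe_reflected_xss(vulnerable_page, guessed_params))
    print("hardened:  ", probe_reflected_xss(hardened_page, guessed_params))
```

The probe finds the hole in the vulnerable page purely by observing that its own canary came back unchanged, which is the slot-machine workflow the paragraph describes; against the hardened page every payload comes back escaped and the same script reports nothing.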

Once a proprietary software hole is found, it can stay open for years. We've literally seen it happen: here's the 17-year-old Windows hole that only got patched this year. (...and the Register still says 'hacker' when they mean 'cracker.' See what we're up against?)

Conversely, the same strategy doesn't work against Linux, BSD, and other open source systems. Yes, true, you can penetration-test Linux and BSD. There are plenty of tools out there to do that, too. There are even distros like "Damn Vulnerable Linux" specifically built to be weak and demonstrate points of failure. But when you go to all that trouble to find a security hole in Linux and exploit it, you know what's going to happen?

It's going to get patched in a matter of days, perhaps even hours. Any wide-scale attack by the "black hats" would get noticed, addressed, explored, blogged, documented, and patched before the first wave hit the average home desktop. Because the users are empowered to fix their own system. And when we say "users," remember that this includes professional enterprise-level users. Users like the United States Department of Defense, CERN, and Google are the ones who get on this stuff the most, before the average cracker brushes his teeth in the morning.

Getting back to Sonja Thompson (or her ghost-writer - doesn't this article read like it was paid by the word?), I could even see how somebody could mistakenly conclude that the perception of safety when running Linux is "a mystical, spiritual belief that an end user comes to believe not through logic or reason, but through blind faith." It looks that way if you look at me. I know that Linux, BSD, and other systems aren't 100% safe and never will be. But most of the time, I simply don't have to worry about it beyond keeping my systems up-to-date. Any big attacks against Linux would already be bitten to death by the big mean watchdogs up the street from me, and basically I get to enjoy the ambient security provided not so much by the nature of the OS itself, as by the enterprise-level community around me.

Yawn. Well, that looks like I've made my point. This stuff is boring.


