The IT industry's obsession with comparing Windows and Linux security is a waste of time, according to top Linux bod Alan Cox. Operating system security is, he says, simply awful right across the board.
Kernel developer and Red Hat fellow Cox made the remarks in an interview with IT book publisher O'Reilly ahead of a security-themed speech planned for an open source conference next month. The bigger picture, he said, is that today's security systems are "totally inadequate".
"We are still in a world where an attack like the Slammer worm, combined with a PC BIOS eraser or disk locking tool, could wipe out half the PCs exposed to the Internet in a few hours," Cox said. "In a sense we are fortunate that most attackers want to control and use systems they attack rather than destroy them."
He described security tools as "basic" and "mostly reactive", failing absolutely rather than degrading. Currently most Linux vendors distribute patches on an almost daily basis, a situation Cox described as unsustainable, particularly as the time shrinks between the appearance of a vulnerability and the creation of an exploit.
While Linux's security is better than some other operating systems, comparisons are missing the more important issue, Cox said. "Even the best systems today are totally inadequate," he said.
An important step forward is the growing use of software verification tools, used to detect code flaws at the development stage, Cox said. Programming languages are also evolving to make it harder for programmers to make mistakes. Cox also praised SELinux, a locked-down form of the operating system, and no-execute flags in processors, designed to prevent the exploitation of buffer overflows, a common type of security vulnerability.
"There have been several cases now where boxes with no-execute or with restrictive SELinux rulesets are immune to exploits that worked elsewhere," he said.
However, such improvements are only the beginning, Cox said. One of the major hurdles to be addressed is the one part of a system that can't be debugged - the user. He said locked-down systems are a more effective way of preventing users from causing damage, while education efforts are likely to produce patchy results at best.
"The truth is that most users don't read messages from their IT staff, many don't understand them and most will be forgotten within a month," he said. Something that may just sound familiar to Techworld readers.