Linux 2017: With great power comes great responsibility
In 2016, Linux turned 25. When it began, it was a student project. Today, Linux runs everything. From smartphones to supercomputers to web servers to clouds to the car, it’s all Linux, all the time.
Even the one exception, the end-user, is moving to Linux. Android is now the most popular end-user operating system. In addition, Chromebooks are becoming more popular. Indeed, even traditional Linux desktops such as Fedora, openSUSE, Mint, and Ubuntu are finally gaining traction. Heck, my TechRepublic Linux buddy Jack Wallen even predicts that “Linux [desktop] market share will finally breach the 5-percent mark”.
Of course, end-users have always used Linux. They just didn’t realize that almost all popular websites and many software-as-a-service (SaaS) applications run on Linux.
Even Microsoft has finally gotten the Linux religion. I mean, just last year Microsoft joined The Linux Foundation.
So with everything going so right for Linux, why be concerned? Because now every hacker who’s really a hacker, and not just some script-kiddie, is coming after the code of Linux and other open-source projects, hunting for vulnerabilities.
True, as open-source leader Eric S. Raymond pointed out years ago in Linus’s Law, “Given enough eyeballs all bugs are shallow”. This is one of the key concepts that made Linux the success it is today and which empowers open-source software.
But it only works if there are enough eyes looking for bugs and fixing the code. Estimates of the number of errors per thousand lines of code (KLOC) range from 15 to 50 errors per KLOC, down to three per KLOC if the code is rigorously checked and tested. The Linux kernel alone now comes to over 16 million lines of code. Do the math.
When it comes to fixing problems quickly, Linux’s track record is far superior to that of Apple, Microsoft, or any other proprietary software vendor. But let me do the numbers for you. That still leaves something close to 3,000 bugs to find and fix.
There are many top Linux security developers and they’re busy hunting down these bugs. There are instructions on how to report bugs when you find them. But there are never enough programmers around to fix even the reported bugs.
At the same time, hackers have more reason than ever before to try to crack Linux. Irish developer Donncha O’Cearbhaill, who uncovered a pair of Ubuntu desktop bugs in 2016, reported he received an offer of more than $10,000 from an exploit vendor for these Apport bugs. “These financial motivators are only increasing as software gets more secure and bugs become more difficult to find,” he said.
That’s small potatoes. If someone finds, say, a Linux bug that could be used to encrypt data on a server, we could easily see six-figure ransom demands from ransomware, the malware that encrypts and scrambles data so its operators can demand payment for the key. A recent study from IBM Security suggests nearly 70 percent of business victims are already paying ransomware hackers to recover their data.
With such tremendous potential payouts, Linux will be subjected to more hacking attempts than ever before. Linux has gained great power; now its developers and vendors must step forward and take on the great responsibility of maintaining its security.
Source | ZDNet