Security vs. popularity

Security is not obscurity. Popularity is not the only reason MS Windows is so poorly secured in general use. Maybe. Chad Perrin explains why this might be.

Security is not obscurity. Popularity is not the only reason MS Windows is so poorly secured in general use. Maybe.

One idea in particular keeps coming up in discussions amongst IT professionals and software partisans: that the popularity of a piece of software is inversely correlated with its security. The assumption is that greater popularity of a piece of software makes it a more tempting target, and being a more tempting target makes it less secure.

There is some truth in that idea, but not nearly as much as many people think. If all else is equal, the more-popular software will be compromised first. On the other hand, all else is not equal, and being first is not necessarily the same as being only:

  • After the most popular piece of software is targeted, the next-most popular will also be targeted, if it has enough of an installation base to make it worthwhile to compromise.
  • It does not take much, in terms of market share percentage, for a piece of software to be popular enough to attack. For the most widely used types of software, a single percentage point can mean millions of deployments.
  • Software that is used on more high-value targets will be targeted first, all else being equal. That software is usually not the most popular software.
  • Software that can be used best as a staging ground for attacking other systems will be targeted first, all else being equal, if for no other reason than the fact that it widens the scope of the attack on more popular software.
  • The second most popular Web server software is far less secure in practice than the most popular Web server software.

All of this adds up to evidence and reasoning that contradicts the notion that popularity is the proximate cause of a poor security record. The last of these five points is, in fact, a direct counterexample of the idea, so that even making claims of causes -- based on nothing but correlations -- does not support the argument, despite the fact that is the entire argument. Correlation does not imply causation.

There is, however, another way to look at the relationship between popularity and security. While popularity is not the proximate cause of a poor security record, it might have some influence on that security record.

The influence is not, for the most part, because of attracting evildoers to attack the more popular system. If it is also a very well-secured system in the vast majority of deployments, it will provide a difficult enough challenge that many malicious security crackers (especially those who do not target millions of victims at a time) will choose other targets that are less popular but easier to crack.

The influence of popularity has an effect on security through the roundabout effects of a large user base on the way the system is designed. As more people clamor for particular features and interface changes, developers are under increasing pressure to appease those people's demands. Doing so can easily lead to ill-considered security design decisions, out of control growth of complexity, and development mistakes. This is how poorly secured bloatware generally comes to be.

Microsoft Windows is the most popular end-user, general purpose operating system in the world. Depending on who you ask, and what assumptions you make about how such things are counted, Apple MacOS X is the second most popular. Canonical's Ubuntu Linux is arguably third, if a guess is needed. Interestingly, that is also the order in which we could rank their security problems.

  • Microsoft Windows has an atrocious record for dealing with vulnerabilities. It also uses a deeply security-unconscious architecture, and is built on the philosophy that "more is more" -- far from a minimalist "less is more" philosophy that recognizes the connection between simplicity and security. These and other difficulties result in a design that simply begs to be compromised. While a number of security focused initiatives have been undertaken to turn the poor security reputation of Microsoft around, many relentlessly bad security policies coupled with certain realities of featuritis and other lack-of-design features add up to a losing battle.
  • Apple MacOS X is built on a much stronger core architecture, including a microkernel, a primarily BSD Unix userland beneath the GUI, and an innovative high-level API taken straight from '90s acquisition NeXT Software. Despite all this, Apple's strict policies -- bordering on "control freak" in some cases, and willful ignorance in others -- conspire to undermine that foundation and infect Mac OS X with poor security characteristics. One symptom of this is the unconscionably slow response to security vulnerabilities, in many cases actually making MS Windows patching policy look good by comparison.
  • Finally, Canonical's Ubuntu Linux is, with every release, rapidly approaching the sort of bloat we have come to expect and loathe from Microsoft's flagship operating system. At least in part because it primarily relies on open source software developed outside of Canonical, and benefits from the often better security policies of those outside projects, Ubuntu does not suffer the same rate of creeping corruption of security that afflicts Mac OS X. That creeping corruption is still an ongoing problem, however. Ever-more bloat, ever-tighter coupling between system components, and increasing focus on superficial end user enticements as a higher priority than good system design: these things lead to a system that resembles its more popular, less well secured competitors, more and more all the time.

By contrast, consider the case of some less-popular operating systems that have, to some extent, remained unpopular because of their focus on correct design decisions, security conscious maintenance, and keeping the system reasonably lean and stable. Among these operating systems are:

  • More technically oriented Linux distributions like Debian and Slackware
  • The "popular" BSD Unix system, FreeBSD
  • The most security conscious BSD Unix systems -- correctness obsessed NetBSD and security auditing obsessed OpenBSD

That is, in fact, arguably the order of these systems from least secure to most secure, as well as from most popular to least popular. It correlates very strongly with their level of disdain for the most widespread popularity where it conflicts at all with good system design. Even the least popular among them have millions of users around the world, in one capacity or another, and would thus be quite worthy targets for malicious security crackers. In fact, the tendency for those on the more-secure end of that spectrum is to be used for public-facing servers, thus also making them on average higher value targets, on a case by case basis. Despite all this, their security records are much more admirable than those of MS Windows, Apple MacOS X, and Ubuntu Linux.

Popularity does not correlate with the failure of real security just because malicious security crackers avoid the second- and third-most popular options. It does, however, correlate well with the failure of real security when that popularity produces social pressures that undermine the security of system design and maintenance.