David Pogue’s column uncovers the Big Lie about why UNIX-based systems are less attractive to mischief-makers. Hint: it has nothing to do with marketshare and everything to do with “given enough eyeballs, all bugs are shallow.”
Evidently, I’m not the only columnist to have fallen for this old myth; read another writer’s more technical apology. But the conclusion is clear: Linux and Mac OS X aren’t just more secure because fewer people use them. They’re also much harder to crack right out of the box.
“Many orders of magnitude more people look over the source code for OS X and the related BSDs than have access to Windows source code,” said John Klos, a developer of NetBSD, a flavor of Unix closely related to OS X.
Thus, many of the obvious holes in OS X were closed years ago. That, some suggested, actually makes OS X a more attractive target.
“If I were a fame-driven cracker with solid technical skills, cracking a BSD-based system would be the fastest way to show off my capabilities,” said Rich Morin, a programmer and consultant based in San Bruno, Calif.
“My suspicion, therefore, is that many crackers have tried this challenge and failed,” Morin added. Still, he cautioned “nobody has any way to know for sure.”
It is hard to understand how no one has exploited anything in a massively disruptive way, like the various Outlook worms, given that any buffer overflows or other potential exploits are openly available, until you stop to think how many people have been in the source code and how likely they are to practice defensive programming as a matter of course.