Security: FOSS has been found to be more secure than proprietary software. The evidence summarised below covers virus and worm prevalence, spam-sending zombies, spyware, and published vulnerability counts.
Computer viruses are overwhelmingly more prevalent on Windows than any other system
Virus infection has been a major cost to users of Microsoft Windows. The LoveLetter virus alone is estimated to have cost $960 million in direct costs and $7.7 billion in lost productivity, and anti-virus software sales total nearly $1 billion annually. Dr Nic Peeling and Dr Julian Satchell’s Analysis of the Impact of Open Source Software includes an analysis of the various data sources for virus counts and notes the disproportionate vulnerability of Windows systems. Here is what they said:
- "The numbers differ in detail, but all sources agree that computer viruses are overwhelmingly more prevalent on Windows than any other system. There are about 60,000 viruses known for Windows, 40 or so for the Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux. Most of the Windows viruses are not important, but many hundreds have caused widespread damage. Two or three of the Macintosh viruses were widespread enough to be of importance. None of the UNIX or Linux viruses became widespread - most were confined to the laboratory."
A simpler explanation for the disproportionate vulnerability of Microsoft products to viruses, and one that is easy to demonstrate, is that Microsoft made many design choices over many years that rendered its products fundamentally less secure, and this made them a much easier target than many other systems. Even Microsoft’s Craig Mundie admitted that their products were “less secure than they could have been” because they were “designing with features in mind rather than security”, even though most people did not use those new features. Examples include executing start-up macros in Word (even though users routinely open documents from untrustworthy sources), executing mail attachments in Outlook, and the lack of write protection on system directories in Windows 3.1/95/98. That last point matters most for propagation: on those systems any program a user ran could overwrite operating system files, so a virus that executed once could install itself permanently without needing any further privilege.
In contrast, while it is possible to write a virus for OSS/FS operating systems, their design makes it more difficult for viruses to spread... showing that Microsoft’s design decisions were not inevitable. It appears that OSS/FS developers tend to select design choices that limit the damage of viruses, probably in part because their code is subject to public inspection and comment (and ridicule, if deserving of it). For example, OSS/FS programs generally do not support attacker-controlled start-up macros, nor do they usually support easy execution of mail attachments from attackers. Also, leading OSS/FS operating systems (such as GNU/Linux and the *BSDs) have always had write protection on system directories: an ordinary user account cannot modify /bin, /usr or /etc, so malicious code run by that user is confined to the user’s own files unless it also exploits a separate privilege-escalation flaw. Another discussion of why viruses do not seem to significantly affect OSS/FS systems is available from Roaring Penguin. OSS/FS systems are not immune to malicious code, but they are certainly more resistant.
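The write-protection argument above can be turned into a concrete check. The following is an added example, not code from the original page or from any of the cited sources: it walks a directory tree and reports every directory that an unprivileged principal could write into, using only the classic owner/group/other permission bits. The demo builds a constructed tree in a temporary directory (a root-style usr/bin, a world-writable opt/sloppy standing in for the Windows 9x situation, and a sticky tmp) and audits it as an assumed uid/gid 65534 that owns nothing in the tree. Names, paths and the 65534 identity are assumptions for illustration.

```python
import os
import stat
import tempfile
from typing import Dict, Iterable, Set

# Constructed identity for the check: an unprivileged principal that owns
# nothing in the audited tree (assumption: uid/gid 65534 is nobody/nogroup).
NOBODY_UID = 65534
NOBODY_GIDS = {65534}


def can_write(st: os.stat_result, uid: int, gids: Set[int]) -> bool:
    """Classic Unix DAC decision from the owner/group/other bits only.
    ACLs, capabilities and MAC policies (SELinux, AppArmor) are not consulted."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_writable_dirs(roots: Iterable[str], uid: int, gids: Set[int]) -> Dict[str, str]:
    """Walk each root and report directories the given principal could write
    into. Sticky directories (/tmp style) get a softer verdict: new files can
    be dropped there, but files owned by other users cannot be replaced."""
    findings: Dict[str, str] = {}
    for root in roots:
        for dirpath, _dirnames, _files in os.walk(root):
            try:
                st = os.lstat(dirpath)
            except OSError:
                continue  # unreadable or vanished; nothing to decide
            if not can_write(st, uid, gids):
                continue
            if st.st_mode & stat.S_ISVTX:
                findings[dirpath] = "sticky: new files allowed, others' files protected"
            else:
                findings[dirpath] = "writable: binaries here can be dropped or replaced"
    return findings


def demo() -> Dict[str, str]:
    """Build a constructed tree and audit it as the unprivileged principal.
    usr/bin follows the Unix convention (owned by a privileged user, 0755);
    opt/sloppy is the Windows 9x situation, where any program may write into
    a system directory; tmp is world-writable but sticky."""
    base = tempfile.mkdtemp(prefix="fsaudit-")
    layout = {
        "usr": 0o755,
        "usr/bin": 0o755,
        "opt": 0o755,
        "opt/sloppy": 0o777,
        "tmp": 0o1777,
    }
    for rel, mode in layout.items():  # parents first, so every mode is explicit
        path = os.path.join(base, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    findings = audit_writable_dirs([base], NOBODY_UID, NOBODY_GIDS)
    return {os.path.relpath(p, base): why for p, why in findings.items()}


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{path}: {verdict}")
```

Run against real roots (for example /bin, /usr, /etc and every entry on PATH) with the uid and groups of an ordinary account, the same function is the standard check for whether a foothold as that user could replace a system binary. A clean Unix install reports nothing but sticky temporary directories; a hit on a directory in PATH is the Windows 9x condition the text describes.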
Surveys report that GNU/Linux systems experience fewer viruses and successful cracks: in July 2004, Evans Data’s Summer 2004 Linux Development Survey reported that 92% of respondents said their Linux systems had never been infected with a virus, and 78% that their Linux systems had never been cracked (called “hacked” in the report). This contrasts with their Spring 2004 survey, where only 40% of non-Linux users reported no security breach; indeed, 32% of non-Linux users had experienced three or more breaches.
According to a June 2004 study by network management firm Sandvine, 80% of all spam is sent by Windows PCs contaminated with Trojan horse infections. Trojans and worms with back-door components turn infected PCs into drones in vast networks of compromised “zombie” PCs. Sandvine identified spamming subscribers by looking for hosts that bypassed their home (ISP) mail servers and contacted many different mail servers within a short period, over sustained periods. It also examined the SMTP error messages returned to those hosts to estimate the total volume of spam, and compared this with the messages passing through the service provider’s own mail system.
Sandvine’s preliminary analysis showed that the most active Trojans for spamming purposes were the Migmaf and SoBig variants; note that both run only on Windows. Indeed, since almost all successful trojans and worms are those that attack Windows systems, it appears that the spam-zombie problem is essentially a Windows problem.
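The detection described in the two paragraphs above (subscribers bypassing the ISP relay and opening SMTP sessions to many different mail servers in a short time) can be run over flow records. The block below is an added example written for this page; it is not Sandvine’s code or method beyond what the text states. The flow records are constructed and use documentation address ranges; the relay address, the ten-minute window and the threshold of eight distinct MTAs are assumptions chosen for the illustration, not values from the study. The SMTP error-message volume estimate mentioned in the text is a separate measurement and is not implemented here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed flow records, not Sandvine data: "<timestamp> <src> <dst> <dport>".
# 10.0.0.5 relays through the ISP's MTA as a normal subscriber; 10.0.0.9 is a
# zombie delivering spam directly to ten remote MTAs in under two minutes;
# 10.0.0.11 reaches three MTAs hours apart; 10.0.0.7 is ordinary HTTPS traffic.
SAMPLE_FLOWS = """\
2004-06-01T10:00:01 10.0.0.5 192.0.2.25 25
2004-06-01T10:05:12 10.0.0.5 192.0.2.25 25
2004-06-01T10:00:02 10.0.0.9 203.0.113.1 25
2004-06-01T10:00:07 10.0.0.9 203.0.113.2 25
2004-06-01T10:00:13 10.0.0.9 203.0.113.3 25
2004-06-01T10:00:20 10.0.0.9 203.0.113.4 25
2004-06-01T10:00:31 10.0.0.9 203.0.113.5 25
2004-06-01T10:00:44 10.0.0.9 203.0.113.6 25
2004-06-01T10:00:58 10.0.0.9 203.0.113.7 25
2004-06-01T10:01:10 10.0.0.9 203.0.113.8 25
2004-06-01T10:01:25 10.0.0.9 203.0.113.9 25
2004-06-01T10:01:40 10.0.0.9 203.0.113.10 25
2004-06-01T09:00:00 10.0.0.11 203.0.113.20 25
2004-06-01T13:00:00 10.0.0.11 203.0.113.21 25
2004-06-01T17:00:00 10.0.0.11 203.0.113.22 25
2004-06-01T10:00:05 10.0.0.7 203.0.113.50 443
"""

# The provider's own outbound mail servers (assumed address for the example).
ISP_RELAYS: Set[str] = {"192.0.2.25"}

Flow = Tuple[datetime, str, str, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def max_distinct_mtas(events: List[Tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct destination MTAs one source contacted inside
    any interval of length `window` (two-pointer sliding window over sorted events)."""
    events.sort()
    counts: Dict[str, int] = defaultdict(int)
    best = 0
    j = 0
    for i, (t_start, _) in enumerate(events):
        while j < len(events) and events[j][0] - t_start <= window:
            counts[events[j][1]] += 1   # extend the window to include event j
            j += 1
        best = max(best, len(counts))
        dst = events[i][1]              # slide the window past event i
        counts[dst] -= 1
        if counts[dst] == 0:
            del counts[dst]
    return best


def find_spam_sources(flows: List[Flow], relays: Set[str],
                      window: timedelta = timedelta(minutes=10),
                      threshold: int = 8) -> Dict[str, int]:
    """Sandvine-style heuristic: a subscriber that bypasses the ISP relay and
    opens SMTP sessions to many different MTAs in a short time is a spam bot.
    Returns {src: peak distinct-MTA count} for every source over the threshold."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport != 25 or dst in relays:
            continue                    # relayed mail and non-SMTP traffic are fine
        per_src[src].append((ts, dst))
    flagged: Dict[str, int] = {}
    for src, events in per_src.items():
        peak = max_distinct_mtas(events, window)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peak in find_spam_sources(parse_flows(SAMPLE_FLOWS), ISP_RELAYS).items():
        print(f"{src}: {peak} distinct MTAs inside one window -> likely zombie")
```

Only 10.0.0.9 is flagged: the three-MTA host never exceeds one destination per window, and the relay user never appears in the candidate set at all. The threshold is the tuning knob; a subscriber legitimately running their own mail server also fans out to many MTAs, which is why the text stresses “sustained periods” and why Sandvine cross-checked against the provider’s mail system and returned SMTP errors rather than relying on fan-out alone.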
The National Cyber Security Alliance’s study of May 2003 reported that 91% of broadband users have spyware on their home computers running proprietary operating systems; in contrast, there is no evidence that this is an issue for OSS/FS systems. America Online, Inc. conducted the study for the National Cyber Security Alliance. Its report, “Fast and Present Danger: In-Home Study on Broadband Security among American Consumers” (May 2003), found in particular that “91% of Broadband Users Have Spyware Lurking on Home Computers”. The study method did not appear to permit collection of data from OSS/FS systems, and spyware is in any case essentially nonexistent on OSS/FS systems.
Microsoft has had far more vulnerabilities than anyone else, according to SecurityTracker. The paper SecurityTracker Statistics (March 2002) analyzes vulnerabilities reported from April 2001 through March 2002. They identified 1595 vulnerability reports, covering 1175 products from 700 vendors. Their analysis found that Microsoft had more vulnerabilities than anyone else (187, or 11.7% of all vulnerabilities), more than four times the next vendor. The next largest were Sun (42, 2.6% of the total), HP (40, 2.5%), and IBM (40, 2.5%). Vendors dealing only in OSS/FS did much better: the Apache Software Foundation had 13 (0.8% of the total), and Red Hat had 10 (0.6% of the total). Raw counts of this kind measure published reports rather than severity or exploitability, and a vendor with a larger product catalogue will naturally accumulate more of them; it can be argued that Microsoft sells more kinds of software than most other vendors, but this is nevertheless an astonishingly large number of vulnerabilities. The gap between Microsoft and everyone else widened during the second half of the year, which is more worrying still.
References
Wheeler, D. A. (2007). Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? Look at the Numbers! Retrieved from http://www.dwheeler.com/oss_fs_why.html
Other important sources
Charpentier, R. & Carbone, R. (2004). Free and Open Source Software: Overview and Preliminary Guidelines for the Government of Canada. Retrieved from www.sita.co.za/FOSS/Gov_Canada-OSS_Guide-Dec04.pdf
Gunn, A. (2008). Good to Great FOSS: Learnings from Africa. Retrieved from www.aspirationtech.org/files/GoodToGreatFOSS-LearningsFromAfrica.pdf
Wong, K. (2004). Free/Open Source Software: Government Policy. Retrieved from http://www.sita.co.za/FOSS/Gov-OSS_Guide-04.pdf