
Idiotic Challenge

Allan Dyer

In an open letter responding to a vnunet.com article that suggested Linux will be a target of virus writers, David F. Skoll has challenged anti-virus companies to infect his computer with a virus. His challenge is highly irresponsible - because viruses spread, their creator loses control over them. This is like someone in a city with no fire service claiming their house is fireproof and challenging people to burn it down. Maybe they are correct, but if they are not, the whole city burns. No anti-virus company will do this, and Mr. Skoll will claim a win by default.

Mr. Skoll 'debunks' three 'myths':

"Myth: Widespread use equals widespread abuse" - pointing to data of Apache vs. Microsoft webserver defacement as evidence. However, he later contradicts this when explaining why Linux viruses are unlikely, "a virus which exploits a software bug in Outlook is far more likely to propagate than one which exploits a software bug on a Linux e-mail client. This is simply because of the huge array of Linux e-mail clients in use" and, "On Linux, this is harder. There is no uniform way for a virus to read your address book".

"Myth: Linux is not a secure OS" - He then immediately contradicts himself by saying, 'In fact, no commodity OS is "secure".' In fact, I agree with his general sentiment - a default Linux installation is more secure than a default Windows installation. Additionally, while it is possible to improve security on both Linux and Windows systems, it is more likely that a randomly chosen Linux system will be more secure because a higher proportion of people setting up Linux machines are experienced and knowledgeable.

"Myth: It is easier to write viruses if you have the OS source code" - Here, he cites independent code audit as the advantage that makes open source more secure. True, but viruses do not need security bugs to spread - Melissa used perfectly normal Word macro capabilities. In order to create viruses, the writer needs a programming environment; for several years most of the prevalent viruses were Word Macro viruses because the necessary programming environment (Word Basic, or VBA) was installed free with Word. It is not the OS source code as such that is important, but the detailed programming documentation that it implies. Mr. Skoll also asked why there are so few Linux and so many Windows viruses - this is the main point that he missed in the Vnunet.com article: virus writers want to have the maximum effect, therefore they choose a popular platform. Linux is becoming more popular; therefore it will become more of a target for virus writers.

Mr. Skoll overreacts to the Vnunet article, but some of his claims are correct, in particular his analysis of why Linux viruses are (currently) unlikely. Also, he has a lot to learn about viruses - he should have rejected all of the virus entries to his challenge, even if they had tricked him, because they are not viruses - they do not replicate. If I were to take up the challenge, my approach would be to burn down the city - Mr. Skoll is obviously highly suspicious of anything he receives, so I would instead target open source developers that he already trusts, and from whom he might be receiving patches by email. Of course, it would be necessary to infect the patch before it was signed, by tricking the developer. There would be substantial collateral damage - every other user of the same software would also get infected when they installed the patches, and I would be thrown in jail for the damage caused, and rightly so. Given the small prize, $2000 Canadian, and that claiming the prize would be an admission of guilt, only the truly insane or stupid would do this for the prize.

That is Mr. Skoll's second challenge. Unfortunately, he does not offer a prize for the first challenge: "If you have the courage and decency to do so, release products which block executable e-mail attachments". There would be a long queue claiming the prize if he did - most anti-virus gateway and content security products can do this (please contact us if you want to buy one). Many anti-virus companies specifically advise blocking executables and double-extensions (the Sophos SafeHex guidelines are one example), and wise organisations, such as AVIEN members and the Hong Kong Government, are showing the success of that policy. I like Linux; it has many advantages, but total immunity to viruses is not one of them.
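
The filename rule behind "blocking executables and double-extensions" can be shown in Python. This is an added example, not part of the original article and not any vendor's product code; the extension lists, the function names and the sample message are assumptions constructed for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist for this example; a real gateway policy would be longer.
BLOCKED_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Extensions a reader takes for a harmless document (double-extension rule).
DECOY_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "xls", "zip"}

def classify_filename(name):
    """Return 'double-extension', 'executable' or None for one attachment name."""
    # Trailing dots/spaces are ignored by Windows, so drop them before splitting.
    cleaned = name.strip().rstrip(". ").lower()
    # Padding such as "file.txt      .exe" hides the real extension; strip each part.
    parts = [p.strip() for p in cleaned.split(".")]
    if len(parts) < 2 or parts[-1] not in BLOCKED_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"

def scan_message(raw_bytes):
    """Return [(filename, reason)] for every MIME part that should be blocked."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():  # also descends into forwarded message/rfc822 parts
        # Content-Disposition filename, falling back to the Content-Type name.
        name = part.get_filename()
        reason = classify_filename(name) if name else None
        if reason:
            findings.append((name, reason))
    return findings

def build_sample():
    """Constructed sample message (not real traffic) with three attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for fname in ("notes.txt", "invoice.pdf.exe", "update.scr"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for fname, reason in scan_message(build_sample()):
        print(f"BLOCK {fname}: {reason}")
```

A filename check alone does not inspect content, so a renamed or archived executable passes it; gateways normally pair this rule with file-type detection.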

