I am sure you’ve all heard the constant “Windows is less secure than Linux / Mac” or “Internet Explorer is less secure than Firefox” flamewars going back and forth. These statements may be true – this post is not about them. It’s about what I like to call the Popularity / Security Flaw Law. Simply stated: The more popular a product is, the more likely security flaws will be found in the product.

Simple Reason: Certain types of hackers (I use this word in the hack-into-systems sense as opposed to hack-together-code) hack so that they can become “famous”. Whether that fame is amongst a “l33t” group of people who like to replace letters with numbers, or headlining an episode of 60 Minutes, it all comes down to recognition. And what better way to be recognised than to infect as many systems as possible? How do you infect as many systems as possible? You target the most popular pieces of software.

Slightly longer reason: Here’s a gross simplification, but simplifications make things easier to explain sometimes – There are two major cultures of hackers out there, the “fame” hacker culture (where people hack to show off / be known / be destructive), and the “information” hacker culture (where people hack to find out information / for the challenge). They have different heroes – the “fame” people love / envy people like Onel A. de Guzmán, while the information people look to people like Mitnick. Both groups like to think they are very intelligent (and in most cases they are). However, the ones the general public / media seem to be most fearful of are the “fame” hackers who could take down entire internet economies / destroy personal computers.

Security is a complicated issue. It’s not as simple as installing System X instead of System Y. There are a multitude of other issues, such as passwords, social engineering, physical security, user knowledge etc – Security is a process, not a product – just ask Bruce Schneier. However, the one thing that will always drive the “fame” hackers is popularity – they want to infect as many people as possible. The more uneducated users that they can get to run their exploit, the better (or even educated users – I am sure there were a few system admins out there who thought that the cute guy/girl from the sales team loved them). Windows and IE have a large neophyte user base – but those users are moving (with people installing Firefox on their friends’ machines / recommending Macs to go with their iPods etc), and with them comes a wave of potential exploits.

My Suggestion – People who lead the direction for Apple, Linux and Firefox should be taking security seriously now. Don’t rest on “Oh, that only happens to Windows users” – otherwise you’ll be stung like Firefox was today (how bad this really is has yet to show itself). At the moment, I think Microsoft’s marketing agency is taking security the most seriously out of anyone – we’ll have to wait until Vista picks up before we know if the programmers are up to it 🙂