As noted by CERT in its overview of security on the Internet (in the early days known as ARPANET), security was not a concern because "ARPANET users comprised a small group of people who generally knew and trusted each other." The folly of this trust was revealed in 1988 when the Unix-based Morris Internet worm struck, affecting as much as 10% of the Unix user-base, a much larger percentage of users than Sobig, Blaster, and Slammer combined. A year later, Cliff Stoll described the discovery of a hacking campaign that had resulted in wide infiltration of military and government compuers, again on non-Microsoft systems. In fact, according to CERT, this prompted Stoll to caution in his 1989 book, The Cuckoo's Egg, that "the ARPANET could be used for destructive purposes."
The creators of the Internetdesigned a mediumideally suited for the transmission of malicious code. This is not to imply that its inventors deliberately made it the ideal vector for malware, but rather to say that the very things that make the Internet work are the very things that make viruses easy to transmit.Combined with the fact that security was overlooked, ignored, or simply not understood by DARPA, NSF, NASA, MIT, and others involved with earlyInternettechnology, one has to wonder how and why this innate fallibility of the Internet has been laid on Microsoft's shoulders.
OpenBSD, a popular Unix-based OS, has had 18 security advisories issued for it in the past 9 months. That's 2 issues per month for a single product. Ironically, they pledge to be number one in the industry for security. Microsoft, with its multitude of products, has released only 39 advisories in the past 9 months. CERT has issued 26 advisories so far in 2003, yet only 11 of those pertain to Microsoft products. Clearly, security vulnerabilities are equal opportunists, thus the argument that somehow Microsoft has more flaws than most is much like the media's interpretation of what constitutes a "massive" worm. When one actually focuses their perspective on the number of products vs. the number of actual flaws, and compares that to the rest of the industry, suddenly Microsoft looks like a huge success on the security front.
Microsoft sits in the limelight simply because they have the highest percentage of overall users. If those userswere to shift to another operating system, an historical look at vulnerabilities demonstrates that the malware, and its impact, will shift as well.
Perhaps the biggest question we should be asking is: Why are critical infrastructures, government agencies, banks, and novice users hooking themselves up to a medium clearly unsecure and that has historically led to compromise and malware regardless of the operating system used?
Just as those North Beach surfers in the ocean know, when you surf the Internet, there might be sharks. And it's not because of Microsoft.
