I was thinking... (yeah: ouch!)
I recently read somewhere that Open Office and Linux and Mac have become increasingly popular targets for hackers, who sure are finding a lot of holes in them (witness the recent Apple browser beta fiasco).
As much as MS has been criticized for way too many security flaws over the years, its software offerings also have always been the main hacking targets mostly due to their huge installed base. After all these years of plugging security holes 24/7, though, MS is now a much more battle hardened company than it was in the beginning of the Personal Computer Age.. Linux, Mac and open source software on the other hand are just now gaining enough critical mass to become more appealing targets alongside Windows. And all of a sudden (and who would've thunk?), it seems that MS actually creates relatively safe software. Because of their long and painful walk through the fire, they may also well have a (charred) leg up on security on most other operating systems and software.
As Windows has become more and more secure and any new viruses are quickly identified and killed by its huge "ecosystem", it also provides a lower than before bang-for-the-bug -multiplier for hackers. My question to myself was, then: If I was a hacker, would I want to spend a lot of time trying to breach Windows and get a big "audience", or should I spend less time to breach a less battle hardened system, say, Linux, yet get a much smaller audience? If all that matters to me is the Impact (Havoc times the number of computers affected), does it really matter which way I should go? To figure it all out, I develepod a Hacker Equation . And here is my simplified Hacker Equation v. 1.0 rough draft (peppered with plenty of assumptions):
t/E = I
where
- E=Effort which is a function of S(c) -- where S=Security itself is a function of c= number of computers using the target software
- t=design, programming and testing time required for a desired impact
- I=Impact, which is a function of H*c -- H=Havoc and c=number of computers using the target software)
So, the expanded equation would look like this: t/S(c) = H*c
Let's say I want to create 100 units of Havoc and optimize my time. First, I'll consider a popular O/S "A", which has 1,000 users. To see how long it would take to create the desired Impact, we'll mess with the equation as follows:
t = (H*c)/S(c) --> t=(100*1000)/S(1000) --> t=100000/S(1000)
Suppose Security increases one unit per 100 users in a linear fashion -- in other words, for each 1,000 additional users it will be 10 times harder to create Havoc. And why would this be? Well, it would be because the more monkeys there are hammering on a system, the more resilient (secure) the system will become due to random attack and "attack-fix-attack-fix..." regression testing. Now the equation would look something like this:
t = 100,000/10 --> t=10,000 (units of time)
Let's take a less popular O/S "B", which has only 100 users. TTI (Time-to-Impact) would be:
t = (100*100)/S(100) --> t=10,000/1 --> t=10,000
Conclusion: Same amount of time is required to create a certain fixed amount of Havoc regardless of how popular the platform is.
The analysis: If a hacker realizes this, he/she will stop worrying about what the target platform of his Impact Effort should be, because it really doesn't matter. TTI is the same, no matter what the target platform is!
The reality: As it is, however, hackers do not use the Hacker Equation -- they rather gauge their potential impact based solely on the popularity of an target software, and hence Mac and Linux and OpenOffice etc. have been largely spared too many serious hacking attempts.
The Caveat: There is at least another "behavioral" variable I left out -- and that is "Hf" (the Headache factor). "The more you have to think, the more your head will hurt". And trying to attack a well protected system your Hf will go higher and higher until at some point you can't take it any more, and you are forced to switch your target to, say, Mac or Linux.
(Open for peer-review <g>)
Pertti
