On 2003.05.06 10:06 Dustin Puryear wrote:

> You tend to write with a lot of hyperbole. :)
Ah yes, tending toward infinity. =:)

> Running X is hardly a small risk. Also, remember we are talking about
> desktops here and not servers. Most Linux desktops, if not all, run X. And
> a lot of X programs, including KDE, Gnome, and the applications built under
> them have a proven track record of having vulnerabilities. As Linux
> desktops become more popular this trend will continue. So I wouldn't term
> the problem as a "small risk." Unfortunately, the problem here is simply
> the abundance of complicated and non-audited code. That problem is just as
> big in the open source world as in the closed source world.
>
> Ultimately, open source does have a [higher potential] for security in most
> applications. The main reason for this is the ability for the community to
> fix broken code. However, when it comes to the Linux desktop we are seeing
> that we still have a long way to go. That was my entire point originally.
>
> Windows 2003 accepts logins via the serial port for administrative control
> if this is what you mean? Also, you can control a lot of NT and Win2k
> functions via telnet/SSH and scripts albeit not as well as you can a UNIX
> system.

No, what I mean is that the Windows server installs a GUI, like it or not. If the GUI has holes, you are stuck firewalling them. If an intruder gets in behind your firewall, those holes are open. Because Microsoft likes backdoors such as Windows Update, this issue will not go away.

> Unfortunately, from my experience a very large number of users log in as
> root on their desktops. Under NT a lot of users give themselves
> Administrator privileges and then run dangerous code. Same issue here. The
> major problem in most situations is not so much the code as user education.

Oh come on, users will be educated. Most installs walk the user through it and I'm sure you tell people why they should not do that. Is it possible to run Outlook or IE as anything but Admin?
>> Extrapolating from a few DoS vulnerabilities in one or two projects is more
>> hazardous than extrapolating from Microsoft's record of root exploits and
>> internet destabilizing worms.
>
> Good thing that wasn't done here. Anyway, my point was that most open
> source code has not had the benefit of a world of active eyeballs. And a
> lot of code that is commonly used still hasn't had the rigorous testing
> that is needed. Finally, the bad state of documentation of a lot of open
> source contributes to problems, security-related and otherwise. (A recent
> issue with Courier-MTA (a server application, I know) and a fellow LUG user
> brings that to mind.) That being said, I personally do prefer open source
> to closed source.

That was done here. A little bug in Ximian had you asking lots of strange questions. I've had fun hyperboling them and hope I'm not putting words into your mouth. You seem to be worried that the free software world, particularly on the desktop, is doomed to the same poor security that Windoze has suffered when you said, "It appears to me that the Linux desktop is quickly finding itself in the same position as the Windows desktop when it comes to security." In this message you assert, "the problem here is simply the abundance of complicated and non-audited code. That problem is just as big in the open source world as in the closed source world." Once again, I say bull. The vast choice of software available will keep this from being a problem until the code matures, even if we discount the benefits of more developers and peer review and distribution models. Let's imagine that someone makes a terrible KDE worm that works by email. It won't bother people who use other mail software such as Mozilla, Gnome, Mutt, Pine, Balsa and half a dozen trees. Of course we should not discount the other factors at work. The complexity you cite affects monoliths like Microsoft more than it affects free software, which is well modularized.
How do you eat an elephant? One bite at a time, and ants do it best. You also seemed to blame the users for Microsoft security concerns and implied that it would happen the same way in the free software world when you said, "Microsoft has done well recently in issuing patches for vulnerabilities and bugs, but users typically don't apply them. Is the same going to be true for Linux users?" I pointed out that updating was much easier and more efficient under free software and that not even Microsoft can keep up using their methods. In this message you pointed to sloppy habits some people had carted from the Windows world, and I pointed out that people will use the right methods if they are available. Then you asked us to compare the failure of Linux desktop security to that of Windows: "can we now compare the failure of the Linux desktop with the failure of the Windows desktop in terms of security as an apples to apples comparison?" That I did. I said that there had not been a free software desktop failure yet, just a few DoS attacks out on the bleeding edge. There are plenty of well tested tools in the free software world that can be used, whereas older software in the Windoze world is always full of holes. Has it gotten any better in doze land? I'm not going to say it's impossible to break into a free computer, but I will say that we will never see them abused like Microsoft computers have been. Free software documentation problems pale in comparison to closed source problems.
