On Fri, 6 Nov 2015, Patrick J. Timlick wrote:

> An interesting account of the controversy surrounding Linux security.
> Where does PLUG weigh in on security vs speed and ease of use? Is our
> friend and neighbor Linus right or should we go with less famous "security
> experts"?
From my position as a non-computer professional end user of Linux since 1997, I think they're both correct ... from deterrent points of view.

The two recent vulnerabilities/exploitations of 'Net back-office tools (Heartbleed and the other mentioned) were, if I recall correctly, related to BIND. BIND is an essential utility but not part of the kernel. Part of GNU Linux (and similar systems, I'm sure), but not in the kernel. This, perhaps, gives one point to Linus.

From everything I read, the greatest vulnerabilities and exploitations come from the carbonware portion of the computing corpus:

- Weak passwords.
- Accounts payable clerks who accept e-mails seeming to come from their bosses to wire transfer thousands of dollars to off-shore accounts without verifying that the request is real.
- Outdated, not upgraded applications such as PCAnywhere on parking lot and car wash POS systems that are compromised because the POS system providers do not upgrade the remote access tools and the folks who run the parking lots and car washes are ignorant and not expected to manage the POS systems they use.
- ATM and other POS exploitations based on insufficient security and (if I correctly interpret the reports) Windows vulnerabilities across almost every retailer chain.

Give Linus a second point.

On the other side, there are known potential weaknesses in the kernel, and the argument that adding security at the cost of some slowness in response is unacceptable is equivalent to claiming that putting kids in secure car seats and the driver using a seat belt is unacceptable because it delays going to the grocery store.
While it seems that for too many people instant gratification is no longer quick enough (see Amazon's promise to deliver what you order as soon as you pay for it), as a society we need to accept the cost of added security on the Internet just as we accept a delay by locking the doors to our houses and apartments (a major production involving multiple locks in cities such as New York). Score a point for the 'crazy' security experts.

Ideally, we'd work on both aspects. Train humans to be more security conscious in their use of computers (similar to pushing water uphill) while adding two-factor authentication more broadly and adding additional kernel and utility security even at the cost of slower response time.

Rich

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
