Linked by Thom Holwerda on Thu 26th Oct 2006 21:05 UTC
Privacy, Security, Encryption

Alan Cox, one of the most respected figures in the UK open source community, has warned of complacency over the security of open source projects. Speaking to delegates at London's LinuxWorld conference on Wednesday, he emphasised that considerable sums of money were being spent to try and hack into open source systems. And he cautioned that many open source projects were far from secure. "Things appear in the media like open source software is more secure, more reliable and there are less bugs. Those are very dangerous statements," Cox said. My take: Agree wholeheartedly. Security complacency, often seen in OSNews' comments sections, is very, very dangerous.
Oh, please
by twenex on Thu 26th Oct 2006 21:23 UTC
Honesty
by twenex on Thu 26th Oct 2006 21:26 UTC
twenex
Member since:
2006-04-21

Nice to see some honesty in the computing business for once.

Reply Score: 5

Do as I say not as I do.
by Moulinneuf on Thu 26th Oct 2006 21:30 UTC
RE: Do as I say not as I do.
by tomcat on Thu 26th Oct 2006 21:53 UTC in reply to "Do as I say not as I do."
tomcat Member since:
2006-01-06

Do as I say not as I do.

You're equating Cox's battery exploding with open source security? Thanks for that startling insight.

What's next, listening to Linus Torvalds about license making... There is a reason why it's called GNU/Linux, because Linux with the LT license failed.

Nothing like erecting a strawman and knocking it down.

I wonder whose job it is to exactly name them and explain how he thinks they might be more secure... Oh yes, that's Alan Cox's job.

He's right. That trumps any questions regarding his authority.

It's a fact; it doesn't mean it's unbreakable, just that it's better at security. It has something to do with being able to look at the code for security analysis.

You're dreaming. http://news.com.com/2100-1009-5063683.html

The best way for full security is if you have full access to source code for full independent multiple security review. OH WAIT, no!! According to him and his ilk it's OK that TiVo closed running access with hardware and don't say how they do it.

Irrelevant. Do try to stay on topic.

What's next, Mr. Cox? We should all switch to BSD and Windows because you're incompetent in security, and wait for you to say it's now entirely secure.

Wow, personal attacks. Do yourself a favor and go see a shrink. Your self-esteem is apparently as withered as the Grinch's heart.

Kernel developers should stick to developing the kernel...

Rrrrrrright -- and Einstein should have stayed a patent clerk, right?

Reply Score: 5

RE[2]: Do as I say not as I do.
by Moulinneuf on Thu 26th Oct 2006 22:12 UTC in reply to "RE: Do as I say not as I do."
RE[3]: Do as I say not as I do.
by twenex on Thu 26th Oct 2006 22:23 UTC in reply to "RE[2]: Do as I say not as I do."
twenex Member since:
2006-04-21

You will excuse me, while I just decide to disagree with your entire comment

You will excuse us if we say, "Well, what a surprise".

and pass on responding to it.

Erm, except you didn't.

Reply Score: 4

RE[4]: Do as I say not as I do.
by Moulinneuf on Thu 26th Oct 2006 22:30 UTC in reply to "RE[3]: Do as I say not as I do."
RE[3]: Do as I say not as I do.
by DigitalAxis on Thu 26th Oct 2006 22:23 UTC in reply to "RE[2]: Do as I say not as I do."
DigitalAxis Member since:
2005-08-28

Why would Alan Cox not be qualified to talk about the relative security of the Linux kernel? He's one of Linus's right-hand men, and generally involved in the OSS world.

Anyway, I think you missed the subtle difference between Alan Cox saying that Linux is insecure, and Alan Cox saying Linux is dangerously insecure.

I'm fairly sure he meant the former, to counter all the opinions of people who think that Linux never has bugs and is unhackable- which we both know isn't true.

Reply Score: 3

RE[4]: Do as I say not as I do.
by Moulinneuf on Thu 26th Oct 2006 22:55 UTC in reply to "RE[3]: Do as I say not as I do."
StephenBeDoper Member since:
2005-07-06

Dont take my comments too seriously.

Don't mind if I don't!

Reply Score: 1

RE[2]: Do as I say not as I do.
by bubbayank on Thu 26th Oct 2006 22:02 UTC in reply to "RE: Do as I say not as I do."
bubbayank Member since:
2005-07-15

It would be nice if the replies to the senseless troll were also modded down...

Reply Score: 0

RE[3]: Do as I say not as I do.
by Moulinneuf on Fri 27th Oct 2006 03:29 UTC in reply to "RE[2]: Do as I say not as I do."
RE[4]: Do as I say not as I do.
by aesiamun on Fri 27th Oct 2006 13:14 UTC in reply to "RE[3]: Do as I say not as I do."
aesiamun Member since:
2005-06-29

<quote>Why do you want to be modded down?</quote>

It's next to impossible to get any useful information from responses without knowing what most people are responding to. People cherry-pick comments and sometimes post them in their response, but you don't get a good idea of the original context in which the quote was used.

Reply Score: 1

RE[2]: Do as I say not as I do.
by bryanv on Fri 27th Oct 2006 17:26 UTC in reply to "RE: Do as I say not as I do."
bryanv Member since:
2005-08-26

What's next, Mr. Cox? We should all switch to BSD and Windows because you're incompetent in security, and wait for you to say it's now entirely secure.

Wow, personal attacks. Do yourself a favor and go see a shrink. Your self-esteem is apparently as withered as the Grinch's heart.


Way to rise above those personal attacks. Nicely done.

You're not worse than the original poster.

Reply Score: 1

funny
by tmack on Thu 26th Oct 2006 21:55 UTC
When the man's right
by Sphinx on Thu 26th Oct 2006 22:47 UTC
Sphinx
Member since:
2005-07-09

He's right, complacency breeds insecurity. Don't take it personally; take it for what it is, some damn good advice.

Reply Score: 5

RE: When the man's right
by McBofh on Fri 27th Oct 2006 02:55 UTC in reply to "When the man's right"
McBofh Member since:
2005-07-07

Security must be designed in from the start, must be rigorously tested, and must be verified. Otherwise it's worthless.

Reply Score: 3

Right...
by skwirlmaster on Thu 26th Oct 2006 23:04 UTC
skwirlmaster
Member since:
2006-02-17

Thom wrote ...Security complacency, often seen in OSNews' comments sections...

I'd just like to point out, the statements Mr. Cox made weren't aimed at the media or at the vast majority of OSNews commenters. They were aimed at developers. An analogy would be that my theories on the cosmos' creation don't affect astronomers.

The danger isn't that writers and OSS fans say that Linux/BSD/Apache/KDE/etc. are bug free. The danger is when developers believe it. My beliefs don't affect OSS code quality because I don't release OSS code. However, those belonging to people writing widgets to enhance Gnome do matter.

It's an old lesson, hubris brings ruin.

Reply Score: 5

Was Eugenia, NOW Thom is also a meanie
by ronaldst on Thu 26th Oct 2006 23:25 UTC
ronaldst
Member since:
2005-06-29

He rattled the OSS fundies' cage.

Open Source, like closed source, has some downfalls.

News at 11.

Reply Score: 3

twenex Member since:
2006-04-21

He rattled the OSS fundies' cage.

Open Source, like closed source, has some downfalls.

News at 11.


And how we all must be rattling your cage. No "OSS fundie" is saying, "NO!! That CAN'T be true! That's IMPOSSIBLE!"

That's a job we leave to Windows fanboys.

Reply Score: 0

ronaldst Member since:
2005-06-29

I touched a nerve, eh?

Not very much rattling in my case but more like a good chuckle.

Reply Score: 2

Signature-based anti-virus is useless.
by grfgguvf on Fri 27th Oct 2006 02:36 UTC
grfgguvf
Member since:
2006-09-25

I agree, complacency about security is bad.

However, about the complacency seen in OSNews comments...
That's a very dumb comment. Signature-based anti-virus never worked on Windows either; it's only good for the certificate you get.
If systems were built with the principle of least privilege in mind, viruses would be extinct. UNIX was ahead of DOS in this area by miles for a long time. With NT (and now Vista) MS is catching up, though. Linux is still more advanced, think SELinux; but what is that worth if nobody is using the feature?

Reply Score: 1

zombie process Member since:
2005-07-08

"think SELinux; But, what is that's worth if nobody is using the feature?"

Bingo. Once security "features" become too much of a pain in the ass to implement, they will be circumvented. This is absolutely true of not only end-users but sysadmins as well.

Reply Score: 2

thjayo Member since:
2005-11-11

Bingo. Once security "features" become too much of a pain in the ass to implement, they will be circumvented. This is absolutely true of not only end-users but sysadmins as well.

I think that says everything about my relationship with Norton on Windows.

Reply Score: 1

Guilty as charged
by diadicic on Fri 27th Oct 2006 12:35 UTC in reply to "RE: Signature-based anti-virus is useless."
diadicic Member since:
2006-10-27

I am a sysadmin, and I do have SELinux disabled on most internal servers.

I should do more research on it, understand how it functions better, and implement it.

Will I ever get the time? Probably not, or I will just forget about it.

Reply Score: 3

RE: Guilty as charged
by davidl on Fri 27th Oct 2006 14:25 UTC in reply to "Guilty as charged"
davidl Member since:
2006-01-04

Do you think you'll "ever get the time" to recover the losses once you're hacked? How about the losses to others due to your incompetence/ineptitude? Have any personal data on your internal servers?

Caught a clue yet?

Reply Score: 1

RE[2]: Guilty as charged
by somebody on Fri 27th Oct 2006 11:24 UTC in reply to "RE: Guilty as charged"
somebody Member since:
2005-07-07

Do you think you'll "ever get the time" to recover the losses once you're hacked? How about the losses to others due to your incompetence/ineptitude? Have any personal data on your internal servers?

Caught a clue yet?


Yes, he does, or at least his comment was written as such. I can only speak for myself on this: I'm guilty as charged too.

To be truthful, SELinux is a blank spot for me. OK, I've written a policy or two (nothing special, but in reality very time consuming, although at that time I didn't know about http://seedit.sourceforge.net/ and there were no GUI helpers such as exist in FC6 now), and I try to run my servers with SELinux enabled (except in some cases, where the reason for the server doesn't work with SELinux). But do I really know what SELinux is? Nope, I often catch myself avoiding the problem by taking "the easiest" instead of "the best" approach. And this is the point I'm not really proud of.

There simply is not enough time to know it all. But maybe now that friendlier tools are at hand, it will be a better time for SELinux.

Reply Score: 1

Xaero_Vincent Member since:
2006-08-18

So have you ever tried AppArmor?

Reply Score: 2

grfgguvf Member since:
2006-09-25

Yes, AppArmor is great. That doesn't change the fact almost nobody is using it though. I hope that is changing.

For example: How many Linux users are restricting their Firefox's access to their personal/company documents, thus mitigating data disclosure if future Firefox bugs are exploited? 0.01%? How many should? 100%.

Reply Score: 2
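As an added illustration of the confinement grfgguvf is talking about (this is not from the thread or from any distribution's shipped profiles), here is a skeleton AppArmor profile for a browser. It assumes the browser binary lives at /usr/bin/firefox with its libraries under /usr/lib/firefox, and that the user keeps private material under ~/Documents and ~/.ssh; it allows the browser only its own profile directory and ~/Downloads, and denies the rest explicitly.

```apparmor
# Added example: AppArmor profile skeleton confining /usr/bin/firefox
# (binary path and directory names are assumptions, not from the page).
# Goal: a compromised browser cannot read the user's documents or keys.
#include <tunables/global>

/usr/bin/firefox {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # Network access the browser legitimately needs
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # The browser itself and its own libraries (read + mmap, execute inside profile)
  /usr/bin/firefox mr,
  /usr/lib/firefox/** mr,
  /usr/lib/firefox/firefox ix,
  /etc/firefox/** r,
  /usr/share/** r,

  # Only the browser's own profile directory and the downloads folder are writable,
  # and only when owned by the invoking user
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/Downloads/** rwk,
  owner /tmp/** rwk,

  # Everything sensitive in the home directory is denied outright, so a
  # browser exploit cannot turn into disclosure of personal or company data.
  # Denials are logged, which is also the detection signal for a misbehaving browser.
  deny @{HOME}/Documents/** mrwkl,
  deny @{HOME}/.ssh/** mrwkl,
  deny @{HOME}/.gnupg/** mrwkl,
}
```

The skeleton is deliberately strict; a real profile needs more allow rules for plugins, GTK themes, and so on. The usual workflow is to load it in complain mode (`aa-complain /usr/bin/firefox`), use the browser normally while `aa-logprof` turns the logged denials into allow rules, and only then switch to `aa-enforce`. Check the result with `aa-status`, which lists which profiles are enforced and which processes they confine.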

sequethin Member since:
2005-07-06

I may be wrong, but I believe that the remark about complacency in the OSNews comments referred to the blatant "linux is secure because there are no viruses" / "linux is secure because it's not windows" attitude seen in comments. That is definitely not a dumb comment; in fact it's quite true.

Reply Score: 2

Ookaze Member since:
2005-11-14

I may be wrong, but I believe that the remark about complacency in the OSNews comments referred to the blatant "linux is secure because there are no viruses" / "linux is secure because it's not windows" attitude seen in comments

You must be wrong then. Most comments are not complacency at all, but rather answers to the blatant "Windows is as or more secure than Linux" attitude. These comments then say Linux is more secure than Windows, but sure enough never say Linux is more secure than anything, is absolutely secure, is secure because there are no viruses, is secure because it's not Windows, or is more secure than OpenBSD.
That you believe the strawman here is actually your problem.

That is definitely not a dumb comment; in fact it's quite true

It's dumb and quite wrong. People who would say things like this one are so clueless they couldn't do anything about the security of their OS anyway.
Fortunately, if these people say this, it is because they have no security problems on their Linux box, compared to every Windows box they've known, which is thanks to the fact that distros do the right thing, and so already follow the policy that A. Cox reminds us of.

So there is actually nothing negative said about Linux community or Linux itself by A. Cox, except in this really dumb comment and in your post (and several others).

Reply Score: 2

Can't read the article
by ma_d on Fri 27th Oct 2006 04:58 UTC
ma_d
Member since:
2005-06-29

The ad is so gigantic and covers up everything but the last 4-5 paragraphs. Very irritating. I'll be sure to _not_ buy a blackberry now (that's what's being advertised).

Reply Score: 1

RE: Can't read the article
by wakeupneo on Fri 27th Oct 2006 10:15 UTC in reply to "Can't read the article"
wakeupneo Member since:
2005-07-06

I have two words for you: Firefox. Adblock.

Reply Score: 2

Bad example
by renox on Fri 27th Oct 2006 05:43 UTC
renox
Member since:
2005-07-06

Without being complacent, there *are* reasons why Linux is more secure than Windows: the big separation between normal user and root in Linux, which doesn't exist in Windows, where nearly everyone is running with administrator privileges, and without those privileges the 'Windows experience' is very bad.

This separation explains why there are many Windows viruses and nearly zero for Linux.

Now does this mean that Linux is safe?
No, of course not. Linux, like any OS, is only safe if you update it regularly, use a firewall and do not install software from untrusted sources.

And as RedHat and Suse show, major Linux distributions are interested in security and they're adding even more security mechanisms.

Reply Score: 5

RE: Bad example
by siki_miki on Fri 27th Oct 2006 18:24 UTC in reply to "Bad example"
siki_miki Member since:
2006-01-17

With plenty of root exploits, user-level protection can't be effective. On any machine with a recent non-beta nvidia driver, malware is able to get root access through a known exploit.

There are other reasons for lack of malware on linux (besides user level right restrictions):

Fragmentation - an exploit for sure won't work on 90% of Linux machines out there, compared to the Windows situation.

Users - Linux users are often power users (users with the needed tech skills and/or system understanding) who know how to avoid getting infected and can protect their machine. The same goes for Windows power users, but they are a very small minority. Let's face it, a user running Linux most often wouldn't even try to execute a "britney.sh" file.

Market share - "underground" professionals doing spam collection/dialer/scam malware still aren't interested in Linux.

Reply Score: 4

RE[2]: Bad example
by netpython on Fri 27th Oct 2006 18:39 UTC in reply to "RE: Bad example"
netpython Member since:
2005-07-06

Market share - "underground" professionals doing spam collection/dialer/scam malware still aren't interested in Linux.

They run it themselves?

Reply Score: 1

false sense of security.
by netpython on Fri 27th Oct 2006 08:26 UTC
netpython
Member since:
2005-07-06

The title suggests something is wrong with OSS software itself, while Alan Cox only warns of a false sense of security.

Reply Score: 5

Always good.
by borjab on Fri 27th Oct 2006 10:47 UTC
borjab
Member since:
2006-02-01

It is always good when someone reminds you to have secure systems (and frequent backups). If Linux is secure it is due to people like Alan who have a deep understanding and have worked hard on security.

In most private companies security suffers when deadlines are tight. They sometimes think that obscurity will be enough. Open source hackers tend to be more concerned, but they should keep working like they have done before.

Reply Score: 1

netpython
Member since:
2005-07-06

So there is actually nothing negative said about Linux community or Linux itself by A. Cox, except in this really dumb comment and in your post (and several others).

A. Cox rightfully warned of a false sense of security. Now and then people need to wake up and see things in the right perspective. Security is a process and education is one of its many facets.

My problem is with the rather suggestive title, as if OSS faces significantly more problems than closed source. Or better yet, as if there's something terribly wrong with OSS, while Mr Cox only warns against a false sense of security.

Reply Score: 2

Well a better way of looking at it....
by stabilep on Fri 27th Oct 2006 15:57 UTC
stabilep
Member since:
2006-04-02

I think Mr. Cox has a point. If a virus was released today that specifically targeted, let's say, an Xorg flaw that comes through a Firefox security hole, how many Linux users are actually protected from it, and is there a Linux virus scanner capable of picking it up because of the way it analyzes code, so that anyone with this virus scanner is protected? How many Linux users out there use a virus scanner? How many do not and rely on the assumption that Linux is secure? Would the same people trust Windows Vista to run without a virus scanner? Probably not.

Reply Score: 1

netpython Member since:
2005-07-06

A virus scanner is better than nothing, although I prefer SELinux, AppArmor or RSBAC, or both a virus scanner and a mandatory access control mechanism.

The "good guys" are running per defition behind the "bad" guys.

What if a hole in clamav (a popular *nix virus scanner) is exploited via any popular web browser?
On Fedora, clamav, amongst a lot more daemons/apps, is protected by SELinux. This decreases the number of people who are still capable of crafting something malignant.

Reply Score: 3

Listen folks
by Xaero_Vincent on Fri 27th Oct 2006 17:57 UTC
Xaero_Vincent
Member since:
2006-08-18

Security doesn't grow on trees; not even for Linux.

All Linux users should be aware of these key terms:

* Trusted software source
* Limited user account
* Spam Blocker
* Anti Virus
* Firefox 2
* Firewall
* Sudo/Su
* MAC

Reply Score: 2

RE: Listen folks
by Robert Escue on Fri 27th Oct 2006 18:44 UTC in reply to "Listen folks"
Robert Escue Member since:
2005-07-08

Security is not just about software, part of that process is documenting what that software and hardware does. Do you have documentation on the configuration of every server you have? Are all of your machines built in exactly the same fashion and is that documented so if you get hit by a truck, your replacement can take over where you left off?

I am in the process of creating documentation for where I work and this is where you start to find out about the weak points in your security. Do you keep track of which releases of software are installed on your machines, which OS versions and updates are deployed, favorite compile options, etc. Do you know what your application administrators are doing to the systems and why, and are they documenting their changes?

Locking down a system and applying patches and updates is one part of the overall security process.

Reply Score: 1

RE: Listen folks
by WereCatf on Fri 27th Oct 2006 19:17 UTC in reply to "Listen folks"
WereCatf Member since:
2006-02-15


All Linux users should be aware of these key terms:

* Trusted software source
* Limited user account
* Spam Blocker
* Anti Virus
* Firefox 2
* Firewall
* Sudo/Su
* MAC


Anti-virus is as yet pretty useless on Linux unless there is Wine installed. And I don't see why you added Firefox 2 to that list. There are other browsers too. And there just ain't much experience of Firefox 2 yet, so I don't know anything about its security. Besides, I'm not even gonna try it anyway, I dislike Firefox. MAC means the MAC address of your network interfaces? Or? And as to a firewall, it'd be better to disable all unwanted services rather than just block access to them from outside, i.e. fix the problem, not the result.

EDIT: Btw, I just thought to mention here that I do run a few services on my box, like a mail, www and ssh server. I know I probably should use SELinux, but I just don't know anything about it or what kinds of problems to expect. Besides, as far as I know, enabling it would require complete reinstallation of my Gentoo.

Edited 2006-10-27 19:20

Reply Score: 1

RE[2]: Listen folks
by aent on Sat 28th Oct 2006 23:56 UTC in reply to "RE: Listen folks"
aent Member since:
2006-01-25

MAC was most likely referring to Mandatory Access Control, which RedHat/Fedora enables by default (SELinux) as well as SuSE (AppArmor)... those are both implementations of MAC.

Reply Score: 1

Here's my take on this....
by Phloptical on Fri 27th Oct 2006 23:14 UTC
Phloptical
Member since:
2006-10-10

And I'm sure you all will correct me if I'm wrong, but this is the thing.

It is my opinion that any open source software has the potential to be exponentially more secure than any closed source code. I think of it in terms of numbers...there will be far more developers looking to create/debug/fix code than people looking to hack it. Also, open source code isn't looking to attract sales dollars. So there's no push to make aggressive deadlines because of the commitment to the bottom line. When that happens, I believe that's when the buggy code gets released.

When you have closed source code, there's a finite number of individuals involved in the programming and they are being pushed by upper management to create so they can sell. There's a commitment to quality, but I'll tell you from a manufacturing background that when push gets to shove quality will take a backseat more often than not. Comparing to the open source community, closed source code only has users who have paid for the software and are expecting it to perform a certain way. There's no community trying to make things better, and when the code gets released to the public the parent company disbands the majority of the original group of developers to have them work on other projects.

So that's the spiel. Long story short, the benefits of open source should outweigh the liability of allowing everyone access to the raw code.

Reply Score: 1

RE: Here's my take on this....
by Larz on Sat 28th Oct 2006 12:40 UTC in reply to "Here's my take on this...."
Larz Member since:
2006-01-04

It is my opinion that any open source software has the potential to be exponentially more secure than any closed source code.

There are certainly very secure proprietary systems, such as many mission (and life) critical systems. So I don't think that any open source project can be exponentially more secure than proprietary ones - but on average they have the potential to be more secure.

There's a commitment to quality, but I'll tell you from a manufacturing background that when push gets to shove quality will take a backseat more often than not.

Well, if security and quality are important enough to customers, proprietary software can be very secure too. But I admit that this is too seldom the case.

As for open source projects, the critical factor is that the project can attract the necessary community to be able to realize the effect of "many eyes" (many of the popular high-interest OSS projects have certainly attracted the right crowd of security-conscious people).

I don't disagree that OSS can be very secure (and often it is). But the most secure proprietary systems can compete with the most secure OSS projects.

Rather than seeing OSS as the only way to develop very secure software, I see the advantage in OSS, that it increases the likelihood of the product being developed in a secure fashion.

That alone is a very good reason to push OSS. But there is no deterministic relationship between development model and security level.

Reply Score: 2

RE[2]: Here's my take on this....
by Phloptical on Sat 28th Oct 2006 19:06 UTC in reply to "RE: Here's my take on this...."
Phloptical Member since:
2006-10-10

I agree with you and see your point on secure proprietary systems having the potential of being as secure as OSS. Maybe using the term "exponentially" wasn't quite right. But I saw it as OSS isn't looking to turn a buck, therefore the community surrounding it should be more open to produce the best product they can since it is really their names and reputations on the line when developing for the product. I also agree with another poster in one of the above posts that "secure" software is only one piece of the security spectrum.

I suppose I really see OSS as the ultimate push for development of ideas and innovation. Like Mozilla Firefox forced MS to release a better product in IE (regardless of which brand you wave the flag for). And like the emergence/dominance of foreign cars in America that forced the domestic companies to produce a better product. As long as you have OSS on equal footing with pay services or software, the product should only get better. It's competition that drives innovation, because innovation is usually expensive. Innovation is typically better for the consumer.

I do think OSS still has the ability to be more adept at incorporating new ideas and change, either for security's sake or for any other part of the overall system. And it's that speed and ability to change quickly that would make it much more of a viable alternative to any proprietary system.

Reply Score: 1

funny
by Fuji257 on Sat 28th Oct 2006 00:48 UTC
Fuji257
Member since:
2006-01-24

if Alan Cox would've posted his thoughts on an OSNews thread under another name he'd have been modded down in record time

Reply Score: 1