“When the hordes of volunteer programmers who make up the open-source movement met this week for their annual convention in San Diego, one constituency was conspicuously absent: entrepreneurs. Many start-ups that tried to make money from open-source software have already gone bust, and many of those that have survived are in a sorry state.” The Linux kernel is no longer just the kernel of a hacker writing code in his bedroom. Most of the work these days is done by big companies like Red Hat, IBM, Mandrake and even Sun. The Economist comments on the subject.
SGI is the only reason I’d consider using Linux. Thanks to them Linux has XFS, and will soon have a POSIX4 realtime implementation which surpasses that of FreeBSD.
“Microsoft is leading an increasingly nasty campaign against programs such as Linux, the free operating system, and has even been putting it about that such programs make it easier for terrorists to hack into computers.”
Okay this is getting pretty stupid, now terror is an analog with open source.
Your point being?
After thinking about it for a few seconds, Linux probably does make it easier for crackers to gain illegal access to certain computers.
However, their recent classification as “terrorists” is an issue broader than the scope of this venue, I believe, so I’ll avoid some of the cultural and political aspects of the supposition and try to stick to the technical.
Let’s say that they didn’t have a Linux computer. What if they only had a voltmeter, a watch battery, and a stopwatch, now, wouldn’t it be HARDER for them to attack certain computers?
Of course, they might be able to easily attack the average computer running the Windows program with the lesser equipment but that’s not the point.
Microsoft also issues statements like; “Designed for C2 security” or “Designed for 99.999% uptime”. Note that the fact that the products do not ACHIEVE what they were designed for, does not necessarily make those original statements untrue.
My favorite was the one something like; “Normally in the middle of this page would appear some major hype and blah, blah, blah”. My reaction, of course, was; “What incredibly truthful advertising, that’s exactly what normally appears in Microsoft ads!”
Geez, they are so good at saying one thing, while making some think something they never said.
Sure Linux makes it easier for crackers, so would Interix (a Microsoft product), so would *BSD, Unixware, Solaris, Mach Ten, NeXT (basically many things non-Microsoft until they included that raw sockets thing in XP, a me-too move if I’ve ever seen one, “oh we have the letter ‘X’ in the name now too”, gag me with a spoon).
If a cracker wants to attack a computer running a REAL operating system, like those that primarily comprise the internet, it’s probably a lot easier if he/she is running one too. This is not to suggest it may be “easy”, just that it’s likely to be “easier”.
On the other side of the coin, Linux makes it easier for banks to have a secure environment for transactions, it makes it easier for NASA to design space missions. You’re not going to find Microsoft letting some of those little tidbits known, are you?
Okay now on to the cultural and political speculation.
Would you be willing to venture a guess that Microsoft may be attempting to lay the groundwork for a campaign to criminalize the use of non-Microsoft products by leveraging the ignorance of politicians on their payroll?
So what. I mean, Apple, Microsoft and similar companies only knew how to do one thing from the beginning: build a better GUI. That is all.
. Resistance is futile. Unix will eventually have a Microsoft implementation too … Unfortunately that is …
They have done what I think is the best thing that any company can do. Hire open source developers and PAY THEM TO CONTINUE TO WORK ON THEIR PROJECTS. All those people who think that ink jet carts are too expensive should realise that the next release of samba (that’s right, he works for HP) might not have been possible otherwise.
After thinking about it for a few seconds, Linux probably does make it easier for crackers to gain illegal access to certain computers.
How many times do we need to repeat that: security thru obscurity ISN’T security.
Open source is better from a security POV, just look at the number of holes in OpenBSD, and then look at Windows, or even any commercial *nix like Solaris, Aix, etc.
OSS doesn’t warrant better security, but encourages it, and if there is a security problem, makes it easier to get protection from it (how many people have been waiting for months for security fixes from MS? There are still 20(!) unpatched vulnerabilities in IE (http://www.pivx.com/larholm/unpatched/)! How many people are running WinNT that isn’t even supported by MS any more? There are many people with 2.0.x Linux boxes that work fine and are still well supported *because* it’s open source).
Hope this counters a bit the FUD…
\K
One can take a look around and find open source operating systems and open source applications that are not anywhere near as secure as NT or other Microsoft apps.
Perhaps one should say that POPULAR and “well-supported by the community” Open source systems are very secure.
Open source doesn’t guarantee that quality people will be working on the project.
People should not judge the open source world _only_ by its handful of successes but should also look at what “in total” it is producing. There is a lot of insecure buggy crap out there in the open source world.
If you can’t get quality people working on an open source project then you’ll have junk…what a surprise.
One can take a look around and find open source operating systems and open source applications that are not anywhere near as secure as NT or other Microsoft apps.
Then again you can look at NT or Microsoft apps that are nowhere near as secure as open source Operating Systems or applications.
Nobody here is declaring an absolute. We don’t need flamers, what people are saying is that the idea behind Open Source software generally can make it more secure. The user friendly appeal of Microsoft Apps and OS’s make them more vulnerable to attacks. Since Open Source software leaves source code available (hence: open source) people can find holes in code.
Absolutes never exist, there are always exceptions; now let’s keep this conversation to a minimal hostility level.
As I was reading the OfB (OpenforBusiness) Open Choice Awards 2002
http://www.ofb.biz/modules.php?name=News&file=article&sid=146
I went to the awarded OEone website, I noticed that their Homebase environment had moved to version 1.5, I saw that few things had changed on that web and just then I asked myself: wait a moment, WHERE ARE THE $600-700 COMPUTERS THEY USED TO SELL??? They are no more. The only product they sell now is the OEone Homebase environment. Drastic change.
I wonder how they are going to deal with that. Being an Internet focused Linux software, how would I connect to my ADSL provider with them? Certainly not with my US-Robotics modem; would the Alcatel USB modem work with OEone Homebase without kernel patches and further hassles? Yes, I should ask the support staff, but selling the hardware and the software seemed like the best Linux solution nowadays. It didn’t work out.
I haven’t tried OEone Homebase myself but from what I see looks like a very interesting approach, a new fresh GUI designed around Mozilla. They could sell their product a bit better though, blurry little 400×500 screenshots is no way to show a graphical interface, their online demo is not much clearer either (dreadful looking fonts). Do they use the Mozilla XFT patch?
That’s an open project I keep an eye on, a fine demonstration of what seems to be a quality open source product, not a complete solution yet, with some marketing flaws.
“After thinking about it for a few seconds, Linux probably does make it easier for crackers to gain illegal access to certain computers.”
If you read the post, the writer isn’t supporting the “security through obscurity” rationale. He’s saying that those who want to attack or compromise unix-type systems can learn a lot by running similar systems themselves, and Linux makes it feasible for a lot more people to get experience with a “real” computer, as opposed to a Windows desktop.
One could substitute many things for “Linux” in the above sentence and it would be equally true:
“After thinking about it for a few seconds, education probably does make it easier for crackers to gain illegal access to certain computers.”
“After thinking about it for a few seconds, the Internet probably does make it easier for crackers to gain illegal access to certain computers.”
“After thinking about it for a few seconds, electricity probably does make it easier for crackers to gain illegal access to certain computers.”
and so on…
To Romendo:
my point is that terrorism has become a buzzword: need any attention, then yell terrorism.
best regards
Sortey
I read at ofb.com “they [OEone] are planning to launch a version that installs on top of RedHat Linux 7.1 or 7.2 in soon.”
Isn’t RedHat going to release 8.0 soon? Limbo looks pretty good already. That makes things a bit different, given that OEone’s Homebase can be installed on top of RedHat, now I start to see Homebase as another desktop environment like GNOME or KDE. I’m not completely sure if that’s going to be good or bad for the end user, but I’m sure that if they succeed there are going to be three major Linux desktops: KDE, GNOME, and OEone.
Three major desktops, at first I thought that was an open source paradigm of development diversification. Open source paradigms are eating our brains out, someone should parody thoroughly the cathedral and the bazaar thing. I could go in S. Jobs style saying something like “Open Source is diverse, and anything that’s diverse gets interesting”. Then I realized that it’s just plain competition.
i see no problem with hybrid Linux applications, what is GPLed will stay GPLed, maybe a really really really nice Office suite, that is fast, stable and secure, or a graphics editing application that is top notch, i see no problem with paying a few bucks for them. we already have Opera web browser that is not free, i would not mind paying for these applications. but i also want the free stuff to be kept current so those that do not have the money to buy these items can still surf the internet and check their email with a currently updated web browser & email client…
take a look at the price of Redhat’s top of the line:
Red Hat Linux Advanced Server
V2.1 – Premium Edition
$2499.00
not exactly free is it???
but i can still download the Redhat7.3 ISOs and install a decent desktop free, see Linux is a friend to both the professionals and home user…
You should learn that “free software” has nothing to do with “free of cost”.
Did you know that Richard Stallman himself sold his emacs and gcc programs for a lot of money?
Nobody can stop anybody from providing you with free software free of charge, but nobody can force them either.
I’m sorry if I misunderstood what Bayerwerke wanted to say, but my impression is that he was advocating:
linux => better computer knowledge => security risk
From which you easily deduce that
less security knowledge == better security
Which is the base of Security Thru Obscurity, and it’s obviously false, as it’s missing that what really matters is the information *you* have, and the better knowledge about security *you* have, the more secure you are, how much somebody else knows means nothing, because there is always going to be somebody that knows…
People seem to forget very easily the backdoor found in IIS some time ago… it had been there for ~3! 3 years your missing knowledge of how your system works has exposed you completely to who knows what…
Closed source is only more secure if you trust MS more than you trust yourself… and in this matter I personally *only* trust myself. Call me paranoid, but everyone knows that the only way to have a minimal security is being as paranoid as possible, and to trust a company with the security track record of MS, you have to be plain insane.
People also seem to forget when MS internal network was compromised, you have no idea what they were able to steal, or who did it, not even MS knows!
And MS has more dangerous things than SRC on their systems, they have the private key to sign software as “MS approved”, anybody that has access to that can pretend to be MS and run whatever software they want on *your* computer, without even cracking it!
And this reminds me of when Windows-Update was cracked… and who knows how many more things MS hasn’t told us about, or they don’t even know about…
In OSS any hole has a much higher probability of being discovered by the people that really need it: the users of the software. MS isn’t really interested in finding security problems in *their* software and letting you know, not good marketing you know… but you can be sure that there are other people that are really interested in finding these holes, because they want to break into *your* computer, and they aren’t going to let you know if they can do it…
My company depends completely on the software we run, without it we can’t do any business, if there is something wrong with it all the company is at risk, that is the reason we *only* run open source software, because it is the only way to know that who is producing it isn’t hiding anything from us.
To make things clear:
“Linux probably does make it easier for crackers to gain illegal access to certain computers”
should have been
“Linux does make it easier for you to avoid illegal access to your computers”
(by Linux I understand he means OSS…)
Just because you are able to run linux and know better how things work doesn’t help you at all to crack into my OpenBSD systems, at least not if I’m minimally intelligent. If you are an MCSE you are going to be cracked sooner or later, doesn’t matter what system you run…
As usual it is not the OS, but the sysadmin who makes the system secure, and the problem with Closed Source is that it’s an obstacle in the way of the sysadmin to secure *his* system.
I agree with your statements about “the Internet” and “electricity” helping make your computers more vulnerable, but that is a pointless argument because without them, I can’t use the computers any more, so it is like saying that “if you don’t have computers, your computers are more secure”, or “if there were no cars, driving would be safer”, which makes no sense…
I have to disagree with the statement about “education”, *free* education makes your system *more* secure. Closed source is like a world where only a few have access to education…. in that world if you will be in inferiority with the people that have education, and also with the people that can learn by themselves. In a world with *free* education (open source) you aren’t in inferiority, of course you can ignore the education, but then you deserve to be inferior…
IMHO this is summed up as: Open source is equal to a fair playing field where nobody has an advantage over you, closed source means that you are in inferiority because anybody can know better about your systems than you know yourself.
The danger is in *your* ignorance, not in other people’s knowledge.
I hope that after all this rambling I have made my point clearer…
\k
RE: Repeat what you want… By Anonymous
“One can take a look around and find open source operating systems and open source applications that are not anywhere near as secure as NT or other Microsoft apps.”
You can always find something worse, especially in this world filled with incompetent programmers, and incompetent programmers will produce broken code, doesn’t matter if open or closed, *but* if it’s open you will be able to spot it and not use it! Nobody forced you to use Lindows and shit like that… if it’s closed you will have a harder time figuring out how much the system sucks, because of course who produced it isn’t going to let you know.
IMHO people that write closed source code are too ashamed of how bad their code is, not that because you release it means that the code gets any better, but means that you aren’t afraid of being told that your code sucks, which probably means that it actually sucks less, and after all you will work harder to produce good code because you know that people will be able to see it and figure out how good programmers you are or are not.
IMHO: “Good programmers have *no* reason to hide their code away from their customers, they should be happy to show everybody how good they are.”
Any way, you will have a really hard time to find something more insecure than Win9x, open or closed…
I think I agree over all with your post, but how you present it IMHO is misleading and makes it almost FUD… not that people that assume that because something is OSS it should be 100% bug free is much better, but you can be sure that they will get what they deserve and their Mandrake boxes will be rooted pretty soon.
\k
no, tell me all about it…
I just fell off the turnip wagon just this morning…
it all boils down to M$FT FUD & rhetoric, they will lie cheat & steal and possibly murder to gain market share…
M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric, M$FT rhetoric,
Nice article, as always, from the Economist. It’s all about moderation and finding a middle point. A compromise. Perhaps a hybrid approach IS the way to go.
You *cannot* expect a company to make profit out of something that can be obtained for free. Companies must use open-source ‘cores’ and expand them with a nice end user feel. Just like StarOffice/OpenOffice or Mozilla/Netscape or Darwin/Mac OS X. The best example is probably MacOS X, since Netscape is giving its browser for free anyway, and StarOffice is not like a best-selling product.
I think hermetically closed source software is not a very nice thing to rely on, since it puts you in a situation of dependence on the company or provider. If you use an Xserve as web server and Apple collapses, you will still have OS updates — just in the low level though. Darwin would still be alive.