Are the South Australian Democrats in power or official opposition, or are they a minor party?
Nice to see the occasional politician taking note of the problems inherent in a proprietary software monoculture. Ian Gilfillan comments on Sasser worm.
If we all jumped to various flavours of Linux tomorrow I bet there would be a new worm hitting us by Monday (plus the existing Linux worms already in the wild). The only worm ever to get on any of my computers was a worm that got onto my Linux box via an SSL exploit (I was just learning Linux and had not patched SSL, my bad). Unless someone creates a completely bulletproof OS (good luck) and everyone runs only bulletproof services/applications (not likely) the most widely used OS/applications will always be the main target. I agree that a single OS dominating the market is a major factor in the speed at which the latest worms have spread, but I doubt there is any near term fix for that problem. The real problem (besides the fact that script kiddies have nothing better to do than write virii and worms) is the lack of good security on so many computers. An up to date anti-virus product will stop any worm or virus infection, as long as you are not unlucky enough to be one of the first few to get it. An up to date and properly configured firewall (hardware or software) will stop most worms, especially if you are not running as a server. Very few (if any) worms can infect an OS with all the current security patches installed; all the worms I can recall of late that have had a big impact had security patches for the exploit weeks if not months beforehand. Maybe people should have to take a security test to use a PC on the internet and then have to keep their computers secure for the public good, no different than a driver's license and a properly maintained car.
Don't get me wrong, I am not saying that Windows is perfect, it has it's problems. I run MacOS, Windows and Linux boxes and they all have strengths and weaknesses. My desktop OS of choice is Windows XP (mainly due to software availability), with Mac OS X a close second if gaming is not a consideration. For a server Linux is my first choice.
Okay, to get one peeve out of the way: There's no apostrophe in the possessive its!
Right, now on to your main argument.
New worm by Monday if we all jumped to various Linux flavours? I'll take that bet. While Linux is by no means immune to attack by virus or worm, it has never been as vulnerable to these attacks as all MS products to come out continue to be.
SSL is not an operating system feature, and Linux is not a "them" -- so "they" won't be patching SSL for you, that's for sure.
"No near-term fix" to a problem certainly doesn't suggest that fixes shouldn't be promoted. Perhaps all the more.
It's true that MS is a bigger target because of their market monopolies. That does nothing to explain why vulnerabilities continue to be so bad and plentiful, and certainly doesn't help explain why MS behaves as badly as they do in so many ways. Accept that MS has security problems because of its dominant market position? Never! Instead, they throw all the mud they can at other platforms, saying there are as many bugs announced for Linux as for Windows. Never mind that it's only because bugs of much lesser severity are reported for Linux, because they get fixed, unlike some other vendors' bugs!
Stopping "most worms" isn't acceptable for a platform as widespread as Linux (never mind the MS products). The expression that should apply is "essentially all worms are stopped" at the firewall. Yes, it's impractical to block every possible attack. Nice when you can say "no remote vulnerabilities in the default install, ever" about at least the OS running your firewall, though.
"People should have to take a test" or "there should be a law" are demonstrably bad approaches. We'll never control all people (I hope!). We should control our governments.
I didn't know I would be marked on my English (its a silly language anyway) here or I would have paid more attention in class. 8^) I understand peeves, mine largely revolve around incorrect use of words, like calling one of those white foam coffee cups a 'Styrofoam' cup.
I understand that SSL is not part of the Linux OS, but like many other extras it is included with many Linux distributions, and my patch source was that Linux distribution's site. My intended point using that real life example was that no OS is immune to virus/worm attacks, even if the OS itself is more secure, especially when the person (foolish me in that case) is running an operating system, software and/or services that are not recently patched. I think there is a lot of misconception that once you install Linux your security troubles are over.
I also wasn't trying to say that MS has security vulnerabilities because of its dominant position, I was trying to say that people spend a lot more time looking for them because of the dominant position and hence more problems are found. Maybe there are more to be found in MS products in the first place, and maybe they are often more serious, but I don't have the expertise or data to say that for sure. I have seen many seemingly well founded claims that MS takes its time fixing reported problems, so no argument there. Also no disagreement here about MS behaving badly in other ways, there are certainly a few recent legal rulings to back that up.
Happily some Linux distributions are probably now at the point where a home or office end user who can handle Windows can adapt and work on a Linux PC. Unfortunately there is currently so much software that only runs on Windows, and as a result most people use Windows, so developers create for Windows, and the cycle continues. Because of this, while I agree that more OS diversity would be great for a variety of reasons, I can't see a quick solution, but creating various releases of Linux that the average user can install and use was a great start. As for the server side, no argument at all about not using Windows wherever possible, but in some cases we are stuck with a Windows server to provide some service. In these cases you just have to patch often and keep a good firewall out front.
I wasn't serious about the tests and such, I realize it is not an option. A little user education could certainly go a long way toward limiting the impact of virii and worms, but I know from experience that many people won't care until they get caught, and will forget the lesson shortly after one of us technical people has fixed it for them and patching/updating becomes too much of a chore again.
There, I tried to be less confrontational that time... ;)
There is a general sense in which open-source stuff is at least known to be more robust from a security point of view. So, while Linux may not fundamentally be more secure, the fact that its code is open to peer review means that it's more likely to be secure. If you talk to the crypto-geeks, they generally prefer cryptosystems which are documented. Secret codes far too often end up being easier to break. Same with secret source codes.
Pick a fight in my journal, will you? ;-)