[huskerlug] Re: virus, outlook security, and linux applications

>The sense of separating 'applications' from 'operating system'
> is no longer possible due to the level of integration on Microsoft
> Windows.  

Yes, it is getting much worse, and I don't agree with their style of 
integration.  It continues to lead and will lead to more security problems.

> No 'one' could ever write an email client for Linux with all
> of the security vulnerabilities of Outlook on MS.  

That is simply nonsense.  Sure someone could write an e-mail client that tied 
into the kernel.  What for, I have no idea, but it could be done.  It's done 
now with the GUI, or didn't you think that X is tied into the kernel?  What 
do you think DRI is?  Besides that, any application that is given access to 
/dev/kmem pretty much has full rein of your system.  It's also done with Tux 
and khttpd.  Serving static web pages from the kernel isn't the most secure 
idea either.  I constantly hear remarks from the *BSD camps about that Linux 
"feature".

Thankfully an e-mail client that is tied to the kernel hasn't been done, and I 
don't see a need for it.  But, to say "no one could ever" is wrong.

> very nature, Linux has been developed from the ground up, utilizing a
> much better security model than an old VAX VMS rip-off (since you are
> referring only to NT) designed around a single user platform and patched
> to work in a multi user environment.

I know m$ OSes have been hobled together to work in multi-user environments.  
Windoze still isn't a true multi-user system yet, and probably never will be.

> Probably the most common argument of the Microsoft advocate, however,
> this simply is not true.  Granted, Linux has security vulnerabilities

I assure you, I'm not M$ advocate.  You haven't been on this list very long if 
you believe that.  And it is too true that Linux and unix in general hasn't 
been a big target of virus writers.  If it weren't true, we'd be seing a lot 
more of them.  They may not be as easy to make, or as common place, or as 
wide spread, but they would still be found by someone.  Besides, a worm 
doesn't require any sort of user interaction in most cases.  Have you ever 
put a default install of a Red Hat 6.2 machine on the Internet?  I have, and 
it rarely makes it more than 24 hours before being rooted.  Why?  Because 
there are several services that can be exploited by worms and/or script 
kiddies without any user intervention.   This is true for all OSes, 
especially those that are not patched and kept up-to-date.  

> and can be exploited.  But the fact remains that the very foundation to
> which Linux was built on is much more security minded as compared to any
> operating system sold under the name Microsoft.

No argument there.

> The secret behind overall security success with Linux, or any Open
> Source operating system is the fact that it is open source.  Rather than
> one huge company using vintage CP/M and continuing to build on top,
> hiding the code, leaving in all the mistakes of the past and continuing
> to build on top, etc., Linux source code is open and visible, always
> available for review.  Some say for hacker (using the term in the
> mainstream media sense) review, but that is also an invalid argument.
> No one entity controls the overall direction and Linux was not
> commercially driven for profit only.  You have to examine motivation,
> not advertising slogans.

Yes, I know all the typical Open Source is better arguments.  What Linux user 
doesn't?  I generally agree with them too.  There are tools that let 
"crackers" find buffer overflows, integer overflows, and many other poblems 
from a binary copy of a program.  No source needed.  Relying on closed source 
to keep a product secure only works in the short term.  It is simple security 
through obscurity and that never works for very long.  Granted, it will help 
initially, but I would rather have my code open for review to begin with.

> facts supporting either case.  Yet, if you were connected to life
> support would you prefer the system ran a Microsoft operating system or
> a *nix?

Not doubt it wouldn't be m$ os.  I don't think you're getting my point.  I 
wasn't trying to defend m$.  I don't even use their products except at work 
(I'm 100% Linux and *BSD at home except for the XP partition on my Dell 
laptop that I keep around to get hardware support).  You'll also notice that 
there is now "MCSE" or any other m$ cert next to my name.   I was simply 
trying to get the point across that Linux and Unix are not immune to 
worms/viruses.  After all, the first major worm attacked *nix machines and 
took down 10% of the Internet when it was released.


-- 
Steve Bremer
RHCE,CCNA
--
Real Men don't make backups. They upload it via ftp and let the world 
mirror it. -- Linus Torvalds
--
GnuPG Key fingerprint = 7F06 4D73 7963 BE96 5189  953A E285 CB2C BA03 2746
Available on key servers.

  


----
Husker Linux Users Group mailing list
To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx
with a subject of UNSUBSCRIBE

Other related posts: