Linux Today: Linux News On Internet Time.

Funky-Penguin: A daft assertion

Aug 16, 2000, 12:35

"An article appeared on the Silicon.com website in March in which a "security expert" claimed that Linux was insecure because of the open source nature of the code, a surprising if not astonishing claim. The expert went on to claim that Unix in general was less secure than other operating systems because of its more open nature, which, given the modern history of computing, is curious to say the least. One has to ask, are these experts serious?"

"Unix was designed from the ground up as a networking system with in-built multi-user security, assured by file read and write protection. Any system is only as secure as it is allowed to be by the users and administrators. The basic principle behind any Unix system is that the system administrator or super-user has complete access, but any individual user has access only to the files under his or her immediate control or the files to which group access has been allocated. This would not include system files which are accessible only by the superuser. Therefore, a properly supervised system, with proper backup regimes and sound practices, is relatively secure. An intruder has to have access to the superuser password to seriously damage the system, or to damage the files of any other user, and this is unlikely. Given a password of 8 or more unpredictable character combinations, even the most advanced cracking tools are unlikely to decode the password. Perhaps the expert would argue that though this is true, in the real world people don't behave as they should, and this is why crackers can break into networking systems. In that case, I suggest they employ a responsible "security expert", and deploy the numerous tools available to secure them. No system with any kind of world access is invulnerable. To pretend that Microsoft or other proprietary systems offer greater security is laughable, if only because events have proved otherwise."

"Moreover, the kind of practices that have led to the biggest virus scares on Microsoft systems, centred around macro code, VB and ActiveX, imported by browser and e-mail facilities, are not permissible in a properly modular operating system. This fact, as much as anti-competitive practices, is the primary argument why the browser is not and should not be an integral part of the operating system, and why so much of system security is dedicated to Anti-Virus activities. A multi-billion dollar business exists with little other purpose than to protect Microsoft operating systems from their inherent vulnerabilities, vulnerabilities that would not be possible on a Posix-compliant Unix, namely self-activating modules that can access any part of the operating system. These systems are not open source and users have to wait months for non-specific upgrades and service packs."
