On Wed, Nov 26, 2003 at 12:07:05AM -0800, Tom wrote:
> > Paul Johnson wrote:

> > >Non-issue if you don't use Windows.

As things stand right now, this is essentially true. There is the
occasional virus for Linux out there, but they are _exceedingly_ rare.
This may change. If it does, then virus-scanning will become an issue.

> This is totally piling on, but given this recent security compromise, I 
> think the whole Linux community needs to reevaluate its "can't happen 
> here" mentality. 

I've gotta say that md5-encrypted shadow passwords, chkrootkit, 
integrit, SYN cookies, iptables, etc. don't really look like the
products of a "can't happen here" mentality.

If you try actually reading any of the (frequent) security-oriented
discussions that go by on this list, I think you'll be forced to
re-evaluate this idea of yours.

> It's only going to get worse as Linux gets more popular. 

For somebody who's so quick to quote the formal names of logical
fallacies at others, you show an almost embarrassing lack of rigorous
thinking.

Post hoc ergo propter hoc:
Since popularity preceded widespread exploitation for Windows,
popularity causes widespread exploitation.

Yes, popularity is likely to provide some motive for the virus-writers.
However, you might want to consider that motive is not the only factor.
Smarter memory management, sane user/root privileges, an _extremely_
aggressive debug cycle...  There are substantive factors that make it
quite a bit harder to crack/trojan/'sploit/0wnz your average Linux box.
No, it's not impossible, and no, we shouldn't quit paying attention to
security. But your doomsday predictions, implying that as soon as Linux
becomes "more popular" it'll be as exploitable as Windows, just don't
make sense.

> I think all Linux devs, from Linus on down, need to stop and think very 
> seriously about what can be done to preemptively mitigate the inevitable 
> embarrassments which are sure to come (soon).

As Paul has mentioned, they do.  Security is a huge part of the
development cycle. Why do you think kernels go through so many "test"
versions before they get called "stable"?

I'd be interested to know on what particular factors you base your
conclusions of "inevitable" and "soon".

        Cheers!
-- 
,-------------------------------------------------------------------------.
>  -ScruLoose-  |      Why can't we ever attempt to solve a problem       <
>    Please     |      in this country without having a 'War' on it?      <
> do not Cc me. |            - Rich Thomson, talk.politics.misc           <
`-------------------------------------------------------------------------'
