first off, i am a total linux lover, user, and advocate. but i am also a software developer and i am frankly embarrassed at the apparent quality of our industry. though it is not my "fault" that software breaks so often, i am ashamed of the reality that software and computers are tools whose usage is fraught with failure for so many reasons; not the least of which is bugs, but which also include nonintuitive UI, horrendous documentation, and poor adherence to standards leading to poor interoperability.

if my sledgehammer was ever as fucked up as my computer gets sometimes, i'd have thrown it away a long time ago. i'm all about function, and software is NOT sufficiently functional for many people. my system works well enough to satisfy my needs, but it sure wouldn't if i didn't happen to know how to solve problems quickly, and how to search for solutions i couldn't hope to come up with on my own. these are not skills that everyone is born with...

On Thu, Feb 10, 2005 at 11:24:49AM -0600, William L. Jarrold wrote:
> When I see announcements like the below, I get really angry and I think
> (to myself) stuff like...

frankly, this is one of the less inflammatory announcements i've seen about such events. you're perhaps lucky to have missed the era of Larry Liebrock (not sure i spelled that right), who was an intel lackey who played CTO or something similar for the business school for a number of years. his mantra was "windows is more secure because the naughty guys don't have access to its source code!" and he was doing a pretty excellent job of spreading anti-linux sentiment at a high level across campus. fortunately the campus unix community does (in my biased opinion =)) a pretty good job and i don't think anything ever came down from ITS on the topic, but i sure got an earful from my department director.

> (1) the security problem is that people use windows.

i think it's more complicated than that. counting CERT advisories, you'll find a lot of windows problems, it's true. however, reading bugtraq (probably the most popular computer security mailing list), you'll find that the vast majority of the reports of insecurity (usually flaws exploitable by remote or non-administrative users) are not about microsoft's software. frankly, most of the posts aren't about operating systems at all--they're about third party applications, from big hitters like mozilla all the way down to ben's first CGI script.

we're talking numbers in the 70-80% region, by my estimation, of non-OS bug reports. it's true that a lot of these applications have a tiny userbase. but others (DB2/oracle/mysql, norton's antivirus stuff, and mozilla) are surely widely deployed, and what's more, by people who have no concept that their software is anything but finished and not in need of any sort of vigilance, let alone maintenance.

> (2) If everyone switched to unix/linux systems would be 99% (90%???,
> 99.9%???) more secure.

only if they maintained their systems actively. using openbsd, maybe you can get away with sticking a machine in a closet and forgetting about it. using redhat, you surely cannot. network services running by default are found to have security holes; web browsers running locally are found to be subvertible.

> (3) Windows has serious misfeatures and bugs related to security.

no argument there; i think you could probably find a lot of supporting material out there on the net. one of my favorites is this article: http://www.theregister.co.uk/security/security_report_windows_vs_linux/

> (4) e.g. one such misfeature is that Winblows thinks that every file is a
> program to be executed. unix/linux, by contrast, implements the
> distinction between executable and non-executable files.

again, to be fair, while windows is particularly bad at this, unix isn't perfect. say you download a graphic file of the png persuasion. per many recent posts to bugtraq, the specification for png files left the possibility of bogus images that caused windows' image viewer (used in MSN, IE, etc.) to execute arbitrary code when displaying them. but wait! the exact same problem manifested on linux. (reference: http://www.securityfocus.com/archive/1/370853 ) in neither of these cases is it an issue of the file being "executable"; rather, when the proper viewer goes to handle them, compromise happens without further intervention.

sure, there are a lot more "i tried to open this picture someone emailed me and ended up with a trojan horse installed" stories to be found on windows, but they are not unheard of on linux, and will in my opinion become even more frequent on linux with the acceptance of windowing systems like kde and gnome which do things like start a viewer program when you double-click a graphics file's icon. and dumb users everywhere can be conned into running something that they shouldn't; that people put more effort into having windows users do that seems to me to be partly a function of the fact that you get a lot more bang for your buck in terms of potential audience--the percentage of users, particularly ignorant users, is still extremely MS-heavy.

> ...I don't yell (or at least, try not to (-;) this to all my friends bc my
> understanding of these issues is primitive and quite likely wrong. Thus,
> trumpeting my views would risk being accused of "crying wolf." At the risk
> of starting a flame war I would love to hear people improve upon the
> above assertions.

well, i also don't yell this at my friends because i enjoy not upsetting people. but there is another reason: most people use their computers as tools, even if just as entertainment tools. and linux is a great tool...for people who are willing to put some effort into maintenance, and also into getting their work done via alternative methods. it is NOT (yet!) a great tool for people who want things as simple as possible, who want to turn a computer on and NEVER do any maintenance on it. with the advent of winXP service pack 2, it's actually annoying to turn off automatic updates and not have a virus scanner installed. the damn thing moans at you every time you boot up and taunts you to turn them on/install one.

this is no excuse for the underlying bad code, but it makes life as good as possible with 0 effort for people like my grandmother, who's never administered a computer but just got one to send email and find recipes online.

> To the extent that some approximation of assertions 1 thru 4 are true,
> at least one person from this list should go to this meeting and as
> calmly as possible state/ask during the Q/A something to the effect of
> "just get rid of windows, adopt unix/linux and 99% of your problems will
> go away."

i think this statement is unreasonable. i think linux has a long way to go before it will be suitable for the majority of computer users to use without handholding from someone like the people on this list, and so, i think it is disingenuous to suggest that it is a solution, since it will cause a lot of problems in the short term. my grandmother running any mainstream linux distribution out there today will be not only less secure (than she would be with something where automatic updates happen and the computer reminds her to turn her antivirus stuff on), but less able to help herself, or get help from her friends, when she has a problem. and furthermore, i think that making statements like this without qualifying them with pages of text as i have here is not likely to produce any kind of useful discourse. a statement like "if all security vendors provided fixes in as timely a fashion as the linux kernel developers, the overall problem would be much reduced" is more reasonable while still poking fun at the problem child. IMNSHO, anyway.

to return to the topic of the announcement of the "security seminar", fred chang is at least levelheaded and has real-world experience in running a heterogeneous operation, in my humble opinion. while i technically work with him (in the same department), i have had no contact with him aside from reading his bio and attending the talk that introduced him to the department; i'm not standing up for a buddy or anything.

i don't think he's bruce schneier, but i also think he's pretty bright and informed and, most importantly, fairly non-biased. i truly think he regards windows end users as more of a problem than competent linux admins, but i also think he's a realist and into addressing today's problems as well as tomorrow's design issues.

_______________________________________________
Siglinux mailing list
[email protected]
http://www.utacm.org:81/mailman/listinfo/siglinux
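The point made in the reply above about PNG viewers (that an image needs no executable bit to compromise the program that opens it, because the file's own structure drives the parser) is illustrated by the following added C example. It is not part of the original message, is not libpng, and does not reproduce the specific bug referenced in the bugtraq post; it shows the general class. A PNG is a signature followed by chunks, each carrying a four-byte big-endian length chosen by whoever wrote the file. The walker validates that length against both a cap and the bytes actually present before advancing. The sample byte strings are constructed for the example, the cap MAX_CHUNK_DATA and the negative error codes are assumptions made here, and chunk CRCs are not verified (a real decoder must).

```c
/* Added example (not from the list message, not libpng): a PNG chunk walker
 * showing why the executable bit is irrelevant for image files. Each chunk
 * header carries an attacker-controlled length; a viewer that trusts it
 * copies or allocates whatever the file says. Sample inputs are constructed
 * for this example; CRCs are not verified here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHUNK_DATA 0x1000u /* assumed cap for this example; the PNG spec
                                  itself only requires the high bit be zero */

static const uint8_t PNG_SIG[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern, shown for contrast only (never call on untrusted
 * input): the declared length becomes the copy size for a fixed buffer. */
void copy_chunk_data_unchecked(const uint8_t *chunk, uint8_t out[MAX_CHUNK_DATA]) {
    uint32_t len = be32(chunk);
    memcpy(out, chunk + 8, len); /* overflows 'out' once len > MAX_CHUNK_DATA */
}

/* Hardened walker. Returns the number of chunks up to and including IEND, or:
 *  -1 missing/invalid signature     -2 input ends inside a chunk header
 *  -3 declared data+CRC overrun input  -4 declared length exceeds the cap
 *  -5 first chunk is not IHDR */
int png_chunk_count(const uint8_t *buf, size_t n) {
    size_t pos = 8;
    int count = 0;
    if (n < 8 || memcmp(buf, PNG_SIG, 8) != 0) return -1;
    for (;;) {
        uint32_t len, type;
        if (n - pos < 8) return -2;                   /* no room for length+type */
        len = be32(buf + pos);
        type = be32(buf + pos + 4);
        if (len > MAX_CHUNK_DATA) return -4;          /* checked before any use */
        if (n - pos - 8 < (size_t)len + 4) return -3; /* data + 4-byte CRC must fit */
        if (count == 0 && type != 0x49484452u) return -5; /* "IHDR" first */
        pos += 8 + (size_t)len + 4;                   /* cannot pass n: checked above */
        count++;
        if (type == 0x49454E44u) return count;        /* "IEND" ends the stream */
    }
}

/* Constructed samples. SAMPLE_OK is a 1x1 RGB image header plus IEND. */
static const uint8_t SAMPLE_OK[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0,
    0x90, 0x77, 0x53, 0xDE,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82};
static const uint8_t SAMPLE_HUGE[] = {            /* length 0xFFFFFFFF */
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0xFF, 0xFF, 0xFF, 0xFF, 'I', 'H', 'D', 'R', 0, 0, 0, 0};
static const uint8_t SAMPLE_TRUNC[] = {           /* claims 256 bytes, has 4 */
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 1, 0, 'I', 'H', 'D', 'R', 0, 0, 0, 0};
static const uint8_t SAMPLE_NO_IEND[] = {         /* IHDR only */
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0,
    0x90, 0x77, 0x53, 0xDE};
static const uint8_t SAMPLE_NO_IHDR[] = {         /* IEND first */
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0xAE, 0x42, 0x60, 0x82};

int main(void) {
    printf("ok      -> %d\n", png_chunk_count(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("huge    -> %d\n", png_chunk_count(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("trunc   -> %d\n", png_chunk_count(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    printf("no IEND -> %d\n", png_chunk_count(SAMPLE_NO_IEND, sizeof SAMPLE_NO_IEND));
    printf("no IHDR -> %d\n", png_chunk_count(SAMPLE_NO_IHDR, sizeof SAMPLE_NO_IHDR));
    return 0;
}
```

The order of the checks matters: the cap is applied before the length is used in any arithmetic, and the remaining-bytes comparison is written as `n - pos - 8 < len + 4` with `pos` known never to exceed `n`, so no subtraction can wrap. Everything the walker rejects is a file that a viewer built on the unchecked pattern would happily hand to memcpy.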
