[svlug] FUD: Are Linux Users Sloppy?

Rick Kwan kenobi at coruscant.lightsaber.com
Tue May 2 19:46:51 PDT 2000


First off, I'm not going to pick on the SVLUG officers or volunteers.
I know the drill; I volunteer elsewhere.  Now to the chosen subject...

I don't want to dispute Mr. Paller's comment about Linux users being
less careful; I'll take him at face value.

But the comment bothers me some.  In my mind, you can break down the
system security into at least three areas.  (BTW, I am not a security
specialist.  I'm a UNIX developer from the early '80s.)
    1.  the architecture and design
    2.  implementation
    3.  administrative practice

1.  Linux borrows its architecture from UNIX/POSIX, whose features
have been debated and tested by various friendly and opposing parties
in industrial and academic circles for decades now.  A lot of things
(security-related and otherwise) have already been flushed out
or redesigned.  It may not be flawless, but it has survived some
pretty bizarre personalities.

2.  One can argue that the Linux implementation of UNIX/POSIX is
weak.  But no one can argue that intended behavior is not understood
somewhere in excruciating detail.  Given the rate of modification in
a Linux distribution code base, one can argue that not enough time
is being given to reviewing and testing the code.  That being said,
I believe that Red Hat was reasonably quick on fixing the code.
(Whether their customers pick up the fix is another story.)

3.  Old UNIX administrators or "machine mothers" (as we were once
called) know to look for the obvious stuff, like easy passwords.
In spite of the extremely well-written books available on UNIX
administration (Nemeth, et al, comes to mind; pick your favorite
Nutshell book as well), new administrators may not be taking
advantage of proven practice.  I think Paller's comments fall more
into this category than anywhere else.

As one of the veterans (has it been that long already?), the
situation feels weird.  Administrators who don't know what they
are administering.  But as I work in one of the large corporate
networks, I know it's true.  I just keep my patience as they put
things thru practice.

Where I work, the company has administrators who are far more
knowledgeable about current architectures than I am.  And I'm
trusting them to keep their younger charges in line.

But for small to mid-sized companies, I wonder who they are
measuring their practice against.  (The standard is MCSE, right?)
If someone does put in a UNIX/LINUX-based network of machines,
are the administrators or IT department going to put in practices
that larger UNIX-based companies would take for granted?

--Rick Kwan, Lightsaber Computing
  rick.kwan at lightsaber.com

> After the discovery of a security weakness in RH6.2, The Industry Standard sums
> up the problem as:
> 
> > But because there hasn't been as much widespread use of Linux to secure
> > sensitive machines, Linux users tend to be somewhat lax about security,
> > says Alan Paller, research director at the System Administration,
> > Networking and Security (SANS) Institute in Bethesda, M.D.
> >     "It's not that the operating system [Linux] is intrinsically weaker,
> > it's that the people who use it are less careful," Paller says. "Nobody
> > closes the holes."
> 
> see http://www.thestandard.com/article/display/1,1151,14491,00.html
> 
> 




