[svlug] FUD: Are Linux Users Sloppy?

dfox@belvdere.vip.best.com dfox at belvdere.vip.best.com
Tue May 2 19:04:53 PDT 2000


> 2.  One can argue that the Linux implementation of UNIX/POSIX is
> weak.  But no one can argue that intended behavior is not understood

But compared to what? It (i.e., Redhat 6.2 specifically) might have a
security hole, but if so, it'll be fixed, and it'll be fixed *far*
sooner than a similar hole in a commercial system. Obviously, if we
are comparing to NT, it is a moot point because NT likely can't do
much of this stuff in the first place (e.g., if there were a
security hole in something like rlogin, linux/unix would be blamed and
NT people would say "we're so much more secure" because NT can't do
it...)

It's been pointed out, quite rightly, that RedHat turns on way too
many services by default. If you install the Server component (or
do a full install) you've no doubt noticed all the stuff that gets
started in /etc/rc.d. Again, NT 'Server' (and I use that term
loosely) by comparison doesn't, so it's more secure? Not only that,
in some (not all) cases, the person going to Linux may be new to
computers, or at the very least not experienced in the idea of using
their system much beyond a level of a 'home' workstation, which means,
for all intents and purposes, single user, single machine, and maybe
even single task. And doing so without any real knowledge of the potential,
or the possibilities, that a real OS engenders. 

> 3.  Old UNIX administrators or "machine mothers" (as we were once
> called) know to look for the obvious stuff, like easy passwords.
> In spite of the extremely well-written books available on UNIX

But the average user doesn't. Up until Windows 95, the very idea of
a password was something completely foreign. Even NT only distinguishes
between administrator and user (although it has access levels).
Nevertheless, most don't know about something as simple as good passwording.
I know of several instances where people's passwords were simply 
things like their middle name or their mothers' or their dogs'
names.

To put it in a (limited) perspective, in 1993 I had a little box on
my desk that had not only multiuser capabilities, but even had 
password aging (shadow-password, on the early SLS-based system)
capabilities. And the other system I was using that had similar
capabilities was an AS/400. And the people there likely used bad
passwords too :).


> --Rick Kwan, Lightsaber Computing
>   rick.kwan at lightsaber.com
------------------------------------------------------------------------
David E. Fox                     Census         Thanks for letting me
dfox at belvdere.vip.best.com        2000          change magnetic patterns
Be Counted: http://www.census.gov               on your hard disk.
-----------------------------------------------------------------------




