[svlug] FUD: Are Linux Users Sloppy?

Rick Kwan kenobi at coruscant.lightsaber.com
Wed May 3 02:49:00 PDT 2000


I suspect we are more in agreement than may initially appear.

dfox at belvdere.vip.best.com wrote (in response to me):

> > 2.  One can argue that the Linux implementation of UNIX/POSIX is
> > weak.  But no one can argue that intended behavior is not understood
> 
> But compared to what? It (i.e., Redhat 6.2 specifically) might have a
> security hole, but if so, it'll be fixed, and it'll be fixed *far*
> sooner than a similar hole in a commercial system. Obviously, if we
> are comparing to NT, it is a moot point because NT likely can't do
> much of this stuff in the first place (e.g., if there were a
> security hole in something like rlogin, linux/unix would be blamed and
> NT people would say "we're so much more secure" because NT can't do
> it...)

Compared to what?  To the written specifications of either IEEE
1003.x or UNIX(TM) as specified by The Open Group and other proven
implementations.  My point is that Linux has a reference point.
It may occasionally miss the mark.  But by having the reference
point which has been peer-reviewed for years, it can be quickly
rectified.  No such external architectural benchmark exists for
NT. (...unless you want to say NT is intended to emulate VMS.
But WIN32 carries way too much baggage with it.  I can't imagine
VMS die-hards accepting WIN32 as their native programming interface!)

I will agree that the most secure system is one that does nothing.
(Useless too. :-)  The side effect is that many NT users will
constantly login as "Administrator" because being a normal user is
too limiting.  The sad part is when these people become UNIX users
and typically login as "root" because they have been brainwashed
by practice to think that is the normal thing to do.

> It's been pointed out, quite rightly, that RedHat turns on way too
> many services by default. If you install the Server component (or
> do a full install) you've no doubt noticed all the stuff that gets
> started in /etc/rc.d. Again, NT 'Server' (and I use that term
> loosely) by comparison doesn't, so it's more secure? Not only that,
> in some (not all) cases, the person going to Linux may be new to
> computers, or at the very least not experienced in the idea of using
> their system much beyond a level of a 'home' workstation, which means,
> for all intents and purposes, single user, single machine, and maybe
> even single task. And doing so without any real knowledge of the potential,
> or the possibilities, that a real OS engenders. 

I've heard that complaint of RH and will accept that it is true.
(I seem to always do custom installs, so much of this has escaped me.)

I can see how people might think NT is secure... at the cost of being
extremely cumbersome and error-prone.  I've seen security features
built into the parameter lists of many WIN32 APIs.  The things
were so complicated, they reminded me of programming large control
blocks for an IBM mainframe.  Knowing the right way to use them was
a nightmare.  In fact, I seriously suspect that most NT developers
don't program at that level, and that Microsoft doesn't want them
there either.  (They offer more seductive higher-level APIs as
almost point solutions.)

> > 3.  Old UNIX administrators or "machine mothers" (as we were once
> > called) know to look for the obvious stuff, like easy passwords.
> > In spite of the extremely well-written books available on UNIX
> But the average user doesn't. Up until Windows 95, the very idea of
> a password was something completely foreign. Even NT only distinguishes
> between administrator and user (although it has access levels).
> Nevertheless, most don't know about something as simple as good passwording.
> I know of several instances where people's passwords were simply
> things like their middle name or their mothers' or their dogs'
> names.

Within an organization, in my thinking, the system administrator
needs to promote good practice, like good passwording.  That people
use passwords at all is a step in the right direction.  My bigger
concern is that there are probably a lot of UNIX/Linux administrators
now who don't know good practice, and are therefore the weak link
in system security, backup, and a lot of other areas.

(Then again, I believe that system admin people should be knowledgeable
enough to do tech support as well.  But I realize that probably is
not what most IT shops are doing.)

I suspect we are growing a crop of Linux users with little to no sys
admin exposure.  As Windows users, they never cared about it before;
so of course they are not going to care about it now.  (Easy is the
dark side.  Seductive it is.  But to destruction will it lead you.)

<going a bit off topic>

<protection suit="asbestos">
Perhaps as an adjunct to the Installfests, SVLUG should have a set of
organized methodical sessions that run thru system admin activities.
</protection>
Perhaps if it follows one of the books at Computer Literacy, they
will appreciate it because it will sell their books.

> > --Rick Kwan, Lightsaber Computing
> >   rick.kwan at lightsaber.com
> ------------------------------------------------------------------------
> David E. Fox                     Census         Thanks for letting me
> dfox at belvdere.vip.best.com        2000          change magnetic patterns
> Be Counted: http://www.census.gov               on your hard disk.
> ------------------------------------------------------------------------

--Rick Kwan, Lightsaber Computing
  rick.kwan at lightsaber.com