Enderle On Linux
By: Dan Morrill
Expert Author
2007-03-13
Linux does not exist except as a concept; we can all move on now.
No, I am not bashing Rob, but I did find his paper "The Five Things you Aren't Allowed to Discuss about Linux" to be interesting from the technological viewpoint. Since I use both Windows and Linux boxes on a regular basis, I am fairly familiar with the physical existence of both, and with the fact that each Operating System has its own fundamental peculiarities in how it is set up and how it is secured.
I already said there is no "Linux," so how can I now treat it like a thing? The easy path here would be to present the different security models for the different distributions but, for this purpose, I'm going to leave Linux in abstract and talk about the unique security problem it represents. I'm not saying Windows is more secure either; I'm saying the products are so different from each other that comparisons may not actually make much sense, which is why there are reports supporting both sides of this. So, let's start by saying nothing is secure enough if people are involved.
Source: Rob Enderle
He is right: nothing is safe as long as a person is involved, and since people are involved in just about everything, just about nothing is secure.
What I think is most interesting about his viewpoint on the security of Linux is:
Linux exists in an environment where there is broad collaboration, but no effort to validate the collaborators so the opportunity for traditional, old style, data breach is immeasurable.
We know that pretexting is widespread, how much easier (and harder to catch and convict) if the person doing the pretexting doesn't even have to come up with a real fake identity?
If you are using Linux and haven't done a physical security audit in a while and specifically looked at who is collaborating with whom, I would say it is likely well past time.
Source: Rob Enderle
He's right, and here's why.
When we hire someone for a company, it is pretty standard to run a state-level criminal background check (there are a couple of companies I know that don't do this, but most do). Some companies even run a federal-level background check. Want to write code for government, expect to get a clearance. Want to write code for the NSA, you are going to get a polygraph and a background check.
Unless you have a state mandate, few people are going to do a background check on a volunteer. Rob has a point, and it's a pretty good one.
But then any system made by people is inherently going to be flawed in some way. It's through time that those flaws are worked out, and errors reduced. We know not to buy a Microsoft OS until the first Service Pack (popular conceit). We know that the first thing we do with a computer system of either OS is to get the patches the minute we build or turn the thing on. We know that there is AV for both Operating Systems; each has similar exploits like rootkits, and other fun chunks of malware.
And yes, these are people flaws as much as systemic flaws, in that nothing a person does is ever going to be perfect right out of the box.
The rest of the argument on the 5 things you can't say about Linux is interesting to read as well. But from the security side, both operating systems have similar flaws, and have similar solutions to those issues. People do the darndest things, and no Operating System or other software project is going to be 100% secure the first time it is released. We accept those incremental patches, support, antivirus, and other technologies to keep our systems clean, because we know they are not secure by default.
Side Note: I know the BSD folks are going to come out of the woodwork, so yes, I know the track record of BSD, and it has the best track record of any mainstream x86 OS.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.