See also: last week's Back page page.

Linux links of the week

In a more serious vein, the CounterPane Cryptographic Article Database is the definitive collection of current literature in the cryptographic field. Abstracts are available for the papers, and many (if not most) are available in their entirety. There is much Linux-related material there.

Section Editor: Jon Corbet

Letters to the editor

Date: Thu, 16 Mar 2000 19:51:03 +0000
From: Adam Rice <wysiwyg@glympton.airtime.co.uk>
To: woods@ucar.edu
Cc: letters@lwn.net
Subject: Re: Stallman interview

In a letter to LWN, you wrote:

> You *can* think of free software in those terms, but the reality is
> that only the religious fanatics actually do.
 
*I* think of free software in those terms, and I take great offense at being
referred to as a "religious fanatic". I have come to accept the ethical
argument for free software after many years of using it and listening to the
philosophy of Richard Stallman and others. If you'd spent any time on free
software mailing lists, you'd realise that thousands of people much smarter
than you or I have come to the same conclusion.

Of course, I don't use the ethical arguments at work, but fortunately "it's
free" is remarkably effective by itself.

> I particularly dislike people who imply that there is something evil about
> being paid to develop software or to make a profit from developing
> software.

Please go to http://www.gnu.org and read everything there, particularly the
philosophy section, before spouting your mouth off and showing your
ignorance.

> Not all of us are trust fund babies, some of us have to worry
> about putting food on the table.

I found this particularly offensive. Richard Stallman has sacrificed more
than you can possibly imagine to preserve the freedom and the joy of sharing
software.

You don't have to agree with the free software philosophy to use it. We are
not tyrants. But please, at least do us the courtesy of trying to understand
where we are coming from.

-- 
Adam Rice -- wysiwyg@glympton.airtime.co.uk -- Blackburn, Lancashire, England

Date: Thu, 16 Mar 2000 08:01:28 -0500 (EST)
From: glouis@dynamicro.on.ca
To: letters@lwn.net, woods@ucar.edu
Subject: lwn letter

Hi.
Greg Woods wrote, in this week's lwn:

> Here at work, I would like to introduce Linux into our environment,
> but to do that, I can't argue the open source religion, or my
> managers will look at me like I'm nuts. I will have to present
> practical arguments about capability, reliability and cost savings.  
> *That* is what they will listen to.

Certainly.  I was lucky; late in 1994 I put up a Linux box as the main
gateway when our company first went on the Internet, and I never had to
argue: the capability, reliability and cost saving were all so obvious
as to make argument unnecessary.  Had it been otherwise, the open-source
ideology (it's not a religion per se) would have influenced no-one.

> I particularly dislike people who imply that there is something evil
> about being paid to develop software or to make a profit from
> developing software.

Being paid to develop software is something most of the open-source and
even of the free-software folks hope for; not many of them would buy
into your claim that they call it evil.  Making a profit from developing
software is fine too.  I think what many of those people regard as evil
is taking developed software, charging a high price for it without
providing adequate support, without fixing bugs in reasonable
timeframes, and without otherwise making sure that there is some market
value in it; and by legal restrictions preventing the users from taking
any steps of their own to correct those defects.  I rather sympathize
with that moral stance, though I have for much of my own working life
been paid to develop software, and do not consider myself to be or to
have been evil as a result.

> I would say that if enough value is present in closed source
> software to make it worth the price they are asking, I'll buy it. If
> there isn't, I won't.

Fine if you can tell.  A cautionary tale:  A company for which I work
paid big bucks for ERP software in 1997.  ERP (Enterprise Resource
Planning) is complex; a thorough test is scarcely possible prior to
purchase.  When installed, the software (which had seemed to be suitable
based on demos and on interviews with other user companies) rapidly
proved to be a crock of oats that had already been through the horse.  
Much of its functionality was inaccessible to the users, owing to
software defects that the vendor was "fixing," apparently on a timescale
of years; the VAR wanted us to pay them consulting rates to assist in
debugging.  In due course we wrote that one off, mounted a much more
skeptical, critical and (we thought) thorough evaluation, bought and
installed a second ERP package, and this time we're much happier --
except that we can't run an MRP requirements calculation: it locks up in
an endless loop and generates thousands of bogus job recommendations
till the run is cancelled.  It appears, after many hours of diagnostic
effort on our part, that the product we bought can be run in any
environment other than ours.  MRP runs with an NT server, with a SCO
Unix server, on a standalone Win98 test system -- but it fails on the
high-end operating system for which we bought the ERP software, on which
it was claimed that the software was supported.  I don't think that (at
least on this second occasion) a lack of due diligence contributed
significantly to the dilemma in which we now find ourselves: buggy
software, no prospect of rapid resolution of our showstopper problem,
and no way to take action ourselves to find and correct the software
defect.  Open source would have provided us with that latter option, as
well as with access to other user/developers whose experience and
expertise could have contributed to a solution.

Caveat emptor, you say?  That worked in Roman days, when the commodities
were reasonably inspectable and the playing field was level.  Today's
closed-software emptor -- unless he's a Fortune 500 company -- has no
reasonable way to evaluate the product really thoroughly before buying,
and no reasonable recourse when the purchasing gamble fails.  The only
safe assumption, therefore, is that closed source entails a high risk of
failure that has to be factored into the cost-benefit analysis to which
you allude.

Regards..............
-- 
| G r e g  L o u i s                    | pgp:  keys.pgp.com        |
|   http://www.bgl.nu/~glouis           | id glouis@dynamicro.on.ca |
| "Knowing what thou knowest not is, in |  2BC6 4F5A 6657 FF4E 9FBC |
|   "a sense, omniscience" -- Piet Hein |  5DAA 2304 76A9 CCA6 5B45 |

Date: Fri, 17 Mar 2000 05:08:46 +0000
From: Ruben Leote Mendes <etruben@ua.pt>
To: letters@lwn.net, woods@ucar.edu
Subject: Re: Stallman interview

This is a comment on the letter written by Mr. Greg Woods published in
Linux Weekly News.

In that letter Mr. Woods wrote:
> In a recent online interview, Richard Stallman was quoted as saying:
>
>   "That movement studiously avoids mentioning idealistic concepts such
>   as freedom and community, and as a result most of the
>   newcomers have no idea that you can think of free software in those terms."
>
> You *can* think of free software in those terms, but the reality is
> that only the religious fanatics actually do.

I am very thankful that some "religious fanatics" as you call them put their
time and effort working to make sure that we gain freedom or that we keep
the little freedom that we still have. 
If it weren't for Stallman and the free software movement there would be no
Linux today and we would all be stuck with non-free solutions.

> Sure, if I have a chance to, and should I ever develop something worthy 
> of it, I would want to contribute back to the open source community, but I 
> am in no way *obliged* to do so.

No one is forcing you to do so. What Stallman is requesting is that the
people behind the movement talk about freedom so that newcomers are aware
that freedom is one (in my opinion the main) characteristic of our software.
Then they can think about it and decide if software freedom is important for 
them or not.

> I particularly dislike people who imply that there is something evil about
> being paid to develop software or to make a profit from developing
> software.

Stallman doesn't think that being paid to write software is evil and the
proof is that the Free Software Foundation hires programmers and pays them
to develop software and documentation. That last time I looked they even
had a web page that companies can use to post job openings for free software 
developers.

> Not all of us are trust fund babies, some of us have to worry about putting 
> food on the table.

I think there is enough evidence already that you can make money writing 
free software. I don't think I have to provide any references, just scroll
up and read LWN. 

-- 
Ruben Leote Mendes - etruben@ua.pt

From: Collins_Paul@emc.com
To: letters@lwn.net
Subject: Use of the term "viral" in refernce to the GPL and FDL
Date: Thu, 16 Mar 2000 07:26:33 -0500

The use of the term "viral" with reference to the GPL (and now the FDL) is
unfair and prejudicial.

The GPL is not a virus.  The GPL is written the way it is because otherwise,
others would be able to take away freedoms that you explicitly grant when
you choose to use the GPL.

If you don't like the GPL or the FDL, don't use it.

The choice is yours.

Paul.

-- 
Please note that I speak for no-one but myself.

Date: Fri, 17 Mar 2000 13:09:37 -0500
To: letters@lwn.net
Subject: Virii, Mr. Garfinkel, and users with bad habits
From: Zygo Blaxell <zblaxell@genki.hungrycats.org>


Linux viruses do not need to install themselves as root; simply getting
normal user privileges under Linux is quite enough to be a very successful
and damaging virus.  Remember that Melissa worked without any privileges
except those necessary to run itself, look up email addresses in a
directory, and send email to them.  "Unprivileged" Unix user accounts
have all those privileges and more.

Most unsophisticated (read: non-paranoid) users have the same basic
bad habits that can undermine the security of any operating system.
These users do not understand the requirement for minimal privileges, nor
do they understand the requirement modify their own behavior accordingly.
When I explain the concept of minimal privilege to new users, most of
them agree that it's a good idea in principle, but few will actually
stick to that principle in practice. =20

This is the acid test:  If you were given some amazing new program
without source code or other strictly technical mechanisms for auditing
and controlling the behavior of the program, would you _absolutely_
refuse to use it except in isolation on a stand-alone, non-networked,
dedicated piece of hardware?  If your answer is no, you are a potential
virus host, and probably a DOS threat to the Internet at large to
boot--shame on you!  If your answer is that you would go to the local
used computer vendor and buy a $50 Pentium system with no network card,
just to run the one application in the isolation it deserves, there's
hope for you yet.

Unfortunately, Linux is mostly as vulnerable to virus problems as the
Microsoft operating systems we all love to hate.  Linux is based on a
30-year-old security model which assumes that the user of the system is
the primary security threat, and a threat to other users of the system.
This used to be the case when the ratio of users to applications was
many-to-one.

Today, the ratio of users to applications is one-to-many.  Most machines
have only a single user (or 1.5 users if you count root separately)
and run dozens of different applications by different authors with
different levels of security awareness.  Sadly, the applications
themselves are now usually the greatest security threat, and a thanks to
the Internet they are a threat to other systems as well as other users.

Future operating systems must take this threat into account by
implementing access controls based not only on the user's credentials,
but also those of the application itself.  Java, with all its intrusive
type checking, code verification, and restricted linking features, is
ultimately the right idea, although not the best possible expression
of that idea.  Capabilities flags in the Linux kernel are the same idea
expressed at a different level in the application->library->OS->hardware
heirarchy.  These mechanisms need further development and better
integration by Linux distributors before we will see significant benefit
from them.  Attention marketing types:  Fear of viruses could provide
user-level demand for progress in this area.  Hint.  Hint.  ;-)

Virus detectors will never go away until all software is perfect
on its first release, all hardware never fails, and all users are
trustworthy; however, the virus detection industry as we know it today
will radically change.  We should expect generic virus prevention and
containment features (e.g. automated binary cryptographic signature
checking and much stricter and more fine-grained access controls) to
become part of the operating systems and applications we use; however,
when these systems fail (and they will always fail, sooner or later),
we'll still need some kind of virus detection software to assess the
level of damage and/or assist with cleanup after the root cause of the
problem has been eliminated.

[Insert horrible vision of future versions of Windows bundled with
Microsoft Virus Explorer here...]


Opinions expressed are my own, I don't speak for my employer, and all that.
Encrypted email preferred.  Go ahead, you know you want to.  ;-)
OpenPGP at work: 3528 A66A A62D 7ACE 7258 E561 E665 AA6F 263D 2C3D

Date: 20 Mar 2000 22:25:17 -0000
From: Eric Smith <eric@brouhaha.com>
To: letters@lwn.net
Subject: Clive Longbottom's Linux security claims

On March 20, LWN Daily referenced Silicon.com's finding that "Linux is
not secure", and specifically quoted Clive Longbottom's statement that
"Security needs to be built into the architecture of the operating
system.  This cannot happen if your source code is publicly available."

This statement demonstrates that Mr. Longbottom has no clue whatsoever
as to what makes systems secure.

It is the case that security vulnerabilities in Linux distributions are
found regularly.  The same is true of closed-source operating systems.
Fixes for vulnerabilites are issued regularly for both open-source and
closed-source operating systems.  I've only seen one article comparing
response times from the detection of vulnerabilites to the issuance of
fixes, and it showed that in most cases the fixes for open-source
operating system were available sooner than for closed-source.

The availability of source code does not inherently make an operating
system more secure.  But it does allow the security to be audited by far
more people than will audit a closed-source operating system, and it
allows for far more people to offer fixes for vulnerabilities.

One might expect that with a closed-source operating system, even if
potential vulnerabilites exist, they might be less likely to be found.
However, if you look at Microsoft's track record, it is clear that they
have suffered from *more* detected vulnerabilities than Linux or BSD
variants.

Mr. Longbottom's preference for closed-source operating systems appears
to be based on the concept of "security through obscurity".  Almost all
professional security experts agree that security through obscurity is
not very good security at all.  A proper security system or protocol is
secure even though attackers have intimate knowledge of how the system
works.

I wonder if Mr. Longbottom would make similar claims about Sun's Solaris
operating system, for which source code is also available (although it
is not "free software" or "open-source" as those terms are normally
defined).

The same Silicon.com article quotes Malcolm Beattie of Oxford University
Computer Service as saying that "the open source nature of the OS [...]
is actually its best defence."  Mr. Beattie obviously has a much better
grasp of the nature of system security than Mr. Longbottom.

Sincerely,
Eric Smith