Linux links of the week

Here's your chance to check out Microsoft Rat Head Linux 6.2 on www.microsoft.eu.org. "Due to the horrible licensing in Linux, we have to make the source of some of our extensions to the Linux operating system, such as the bluescreen module, available to all our customers, and permit them to re-use it. Like GNU, though, we demand that you call any redistribution of Linux containing our modifications Microsoft/Linux or Microsoft/GNU/Linux instead of just Linux." (Found on Portalux News).

In a more serious vein, the CounterPane Cryptographic Article Database is the definitive collection of current literature in the cryptographic field. Abstracts are available for the papers, and many (if not most) are available in their entirety. There is much Linux-related material there.

Section Editor: Jon Corbet

March 23, 2000
Letters to the editor

Letters to the editor should be sent to letters@lwn.net. Preference will be given to letters which are short, to the point, and well written. If you want your email address "anti-spammed" in some way please be sure to let us know. We do not have a policy against anonymous letters, but we will be reluctant to include them.
Date: Thu, 16 Mar 2000 19:51:03 +0000
From: Adam Rice <wysiwyg@glympton.airtime.co.uk>
To: woods@ucar.edu
Cc: letters@lwn.net
Subject: Re: Stallman interview

In a letter to LWN, you wrote:

> You *can* think of free software in those terms, but the reality is
> that only the religious fanatics actually do.

*I* think of free software in those terms, and I take great offense at being referred to as a "religious fanatic". I have come to accept the ethical argument for free software after many years of using it and listening to the philosophy of Richard Stallman and others. If you'd spent any time on free software mailing lists, you'd realise that thousands of people much smarter than you or I have come to the same conclusion. Of course, I don't use the ethical arguments at work, but fortunately "it's free" is remarkably effective by itself.

> I particularly dislike people who imply that there is something evil about
> being paid to develop software or to make a profit from developing
> software.

Please go to http://www.gnu.org and read everything there, particularly the philosophy section, before spouting your mouth off and showing your ignorance.

> Not all of us are trust fund babies, some of us have to worry
> about putting food on the table.

I found this particularly offensive. Richard Stallman has sacrificed more than you can possibly imagine to preserve the freedom and the joy of sharing software.

You don't have to agree with the free software philosophy to use it. We are not tyrants. But please, at least do us the courtesy of trying to understand where we are coming from.

-- 
Adam Rice -- wysiwyg@glympton.airtime.co.uk -- Blackburn, Lancashire, England
Date: Thu, 16 Mar 2000 08:01:28 -0500 (EST)
From: glouis@dynamicro.on.ca
To: letters@lwn.net, woods@ucar.edu
Subject: lwn letter

Hi. Greg Woods wrote, in this week's lwn:

> Here at work, I would like to introduce Linux into our environment,
> but to do that, I can't argue the open source religion, or my
> managers will look at me like I'm nuts. I will have to present
> practical arguments about capability, reliability and cost savings.
> *That* is what they will listen to.

Certainly. I was lucky; late in 1994 I put up a Linux box as the main gateway when our company first went on the Internet, and I never had to argue: the capability, reliability and cost saving were all so obvious as to make argument unnecessary. Had it been otherwise, the open-source ideology (it's not a religion per se) would have influenced no-one.

> I particularly dislike people who imply that there is something evil
> about being paid to develop software or to make a profit from
> developing software.

Being paid to develop software is something most of the open-source and even of the free-software folks hope for; not many of them would buy into your claim that they call it evil. Making a profit from developing software is fine too. I think what many of those people regard as evil is taking developed software, charging a high price for it without providing adequate support, without fixing bugs in reasonable timeframes, and without otherwise making sure that there is some market value in it; and by legal restrictions preventing the users from taking any steps of their own to correct those defects. I rather sympathize with that moral stance, though I have for much of my own working life been paid to develop software, and do not consider myself to be or to have been evil as a result.

> I would say that if enough value is present in closed source
> software to make it worth the price they are asking, I'll buy it. If
> there isn't, I won't.

Fine if you can tell.

A cautionary tale: A company for which I work paid big bucks for ERP software in 1997. ERP (Enterprise Resource Planning) is complex; a thorough test is scarcely possible prior to purchase. When installed, the software (which had seemed to be suitable based on demos and on interviews with other user companies) rapidly proved to be a crock of oats that had already been through the horse. Much of its functionality was inaccessible to the users, owing to software defects that the vendor was "fixing," apparently on a timescale of years; the VAR wanted us to pay them consulting rates to assist in debugging. In due course we wrote that one off, mounted a much more skeptical, critical and (we thought) thorough evaluation, bought and installed a second ERP package, and this time we're much happier -- except that we can't run an MRP requirements calculation: it locks up in an endless loop and generates thousands of bogus job recommendations till the run is cancelled. It appears, after many hours of diagnostic effort on our part, that the product we bought can be run in any environment other than ours. MRP runs with an NT server, with a SCO Unix server, on a standalone Win98 test system -- but it fails on the high-end operating system for which we bought the ERP software, on which it was claimed that the software was supported.

I don't think that (at least on this second occasion) a lack of due diligence contributed significantly to the dilemma in which we now find ourselves: buggy software, no prospect of rapid resolution of our showstopper problem, and no way to take action ourselves to find and correct the software defect. Open source would have provided us with that latter option, as well as with access to other user/developers whose experience and expertise could have contributed to a solution.

Caveat emptor, you say? That worked in Roman days, when the commodities were reasonably inspectable and the playing field was level. Today's closed-software emptor -- unless he's a Fortune 500 company -- has no reasonable way to evaluate the product really thoroughly before buying, and no reasonable recourse when the purchasing gamble fails. The only safe assumption, therefore, is that closed source entails a high risk of failure that has to be factored into the cost-benefit analysis to which you allude.

Regards..............

-- 
Greg Louis | pgp: keys.pgp.com | http://www.bgl.nu/~glouis | id glouis@dynamicro.on.ca
"Knowing what thou knowest not is, in a sense, omniscience" -- Piet Hein
2BC6 4F5A 6657 FF4E 9FBC 5DAA 2304 76A9 CCA6 5B45
Date: Fri, 17 Mar 2000 05:08:46 +0000
From: Ruben Leote Mendes <etruben@ua.pt>
To: letters@lwn.net, woods@ucar.edu
Subject: Re: Stallman interview

This is a comment on the letter written by Mr. Greg Woods published in Linux Weekly News. In that letter Mr. Woods wrote:

> In a recent online interview, Richard Stallman was quoted as saying:
>
> "That movement studiously avoids mentioning idealistic concepts such
> as freedom and community, and as a result most of the
> newcomers have no idea that you can think of free software in those terms."
>
> You *can* think of free software in those terms, but the reality is
> that only the religious fanatics actually do.

I am very thankful that some "religious fanatics" as you call them put their time and effort working to make sure that we gain freedom or that we keep the little freedom that we still have. If it weren't for Stallman and the free software movement there would be no Linux today and we would all be stuck with non-free solutions.

> Sure, if I have a chance to, and should I ever develop something worthy
> of it, I would want to contribute back to the open source community, but I
> am in no way *obliged* to do so.

No one is forcing you to do so. What Stallman is requesting is that the people behind the movement talk about freedom so that newcomers are aware that freedom is one (in my opinion the main) characteristic of our software. Then they can think about it and decide if software freedom is important for them or not.

> I particularly dislike people who imply that there is something evil about
> being paid to develop software or to make a profit from developing
> software.

Stallman doesn't think that being paid to write software is evil and the proof is that the Free Software Foundation hires programmers and pays them to develop software and documentation. The last time I looked they even had a web page that companies can use to post job openings for free software developers.

> Not all of us are trust fund babies, some of us have to worry about putting
> food on the table.

I think there is enough evidence already that you can make money writing free software. I don't think I have to provide any references, just scroll up and read LWN.

-- 
Ruben Leote Mendes - etruben@ua.pt
From: Collins_Paul@emc.com
To: letters@lwn.net
Subject: Use of the term "viral" in reference to the GPL and FDL
Date: Thu, 16 Mar 2000 07:26:33 -0500

The use of the term "viral" with reference to the GPL (and now the FDL) is unfair and prejudicial. The GPL is not a virus. The GPL is written the way it is because otherwise, others would be able to take away freedoms that you explicitly grant when you choose to use the GPL.

If you don't like the GPL or the FDL, don't use it. The choice is yours.

Paul.

-- 
Please note that I speak for no-one but myself.
Date: Fri, 17 Mar 2000 13:09:37 -0500
To: letters@lwn.net
Subject: Virii, Mr. Garfinkel, and users with bad habits
From: Zygo Blaxell <zblaxell@genki.hungrycats.org>

Linux viruses do not need to install themselves as root; simply getting normal user privileges under Linux is quite enough to be a very successful and damaging virus. Remember that Melissa worked without any privileges except those necessary to run itself, look up email addresses in a directory, and send email to them. "Unprivileged" Unix user accounts have all those privileges and more.

Most unsophisticated (read: non-paranoid) users have the same basic bad habits that can undermine the security of any operating system. These users do not understand the requirement for minimal privileges, nor do they understand the requirement to modify their own behavior accordingly. When I explain the concept of minimal privilege to new users, most of them agree that it's a good idea in principle, but few will actually stick to that principle in practice.

This is the acid test: If you were given some amazing new program without source code or other strictly technical mechanisms for auditing and controlling the behavior of the program, would you _absolutely_ refuse to use it except in isolation on a stand-alone, non-networked, dedicated piece of hardware? If your answer is no, you are a potential virus host, and probably a DOS threat to the Internet at large to boot--shame on you! If your answer is that you would go to the local used computer vendor and buy a $50 Pentium system with no network card, just to run the one application in the isolation it deserves, there's hope for you yet.

Unfortunately, Linux is mostly as vulnerable to virus problems as the Microsoft operating systems we all love to hate. Linux is based on a 30-year-old security model which assumes that the user of the system is the primary security threat, and a threat to other users of the system. This used to be the case when the ratio of users to applications was many-to-one. Today, the ratio of users to applications is one-to-many. Most machines have only a single user (or 1.5 users if you count root separately) and run dozens of different applications by different authors with different levels of security awareness. Sadly, the applications themselves are now usually the greatest security threat, and thanks to the Internet they are a threat to other systems as well as other users.

Future operating systems must take this threat into account by implementing access controls based not only on the user's credentials, but also those of the application itself. Java, with all its intrusive type checking, code verification, and restricted linking features, is ultimately the right idea, although not the best possible expression of that idea. Capabilities flags in the Linux kernel are the same idea expressed at a different level in the application->library->OS->hardware hierarchy. These mechanisms need further development and better integration by Linux distributors before we will see significant benefit from them. Attention marketing types: Fear of viruses could provide user-level demand for progress in this area. Hint. Hint. ;-)

Virus detectors will never go away until all software is perfect on its first release, all hardware never fails, and all users are trustworthy; however, the virus detection industry as we know it today will radically change. We should expect generic virus prevention and containment features (e.g. automated binary cryptographic signature checking and much stricter and more fine-grained access controls) to become part of the operating systems and applications we use; however, when these systems fail (and they will always fail, sooner or later), we'll still need some kind of virus detection software to assess the level of damage and/or assist with cleanup after the root cause of the problem has been eliminated.

[Insert horrible vision of future versions of Windows bundled with Microsoft Virus Explorer here...]

Opinions expressed are my own, I don't speak for my employer, and all that.

Encrypted email preferred. Go ahead, you know you want to. ;-)
OpenPGP at work: 3528 A66A A62D 7ACE 7258 E561 E665 AA6F 263D 2C3D
Date: 20 Mar 2000 22:25:17 -0000
From: Eric Smith <eric@brouhaha.com>
To: letters@lwn.net
Subject: Clive Longbottom's Linux security claims

On March 20, LWN Daily referenced Silicon.com's finding that "Linux is not secure", and specifically quoted Clive Longbottom's statement that "Security needs to be built into the architecture of the operating system. This cannot happen if your source code is publicly available."

This statement demonstrates that Mr. Longbottom has no clue whatsoever as to what makes systems secure.

It is the case that security vulnerabilities in Linux distributions are found regularly. The same is true of closed-source operating systems. Fixes for vulnerabilities are issued regularly for both open-source and closed-source operating systems. I've only seen one article comparing response times from the detection of vulnerabilities to the issuance of fixes, and it showed that in most cases the fixes for open-source operating system were available sooner than for closed-source.

The availability of source code does not inherently make an operating system more secure. But it does allow the security to be audited by far more people than will audit a closed-source operating system, and it allows for far more people to offer fixes for vulnerabilities.

One might expect that with a closed-source operating system, even if potential vulnerabilities exist, they might be less likely to be found. However, if you look at Microsoft's track record, it is clear that they have suffered from *more* detected vulnerabilities than Linux or BSD variants.

Mr. Longbottom's preference for closed-source operating systems appears to be based on the concept of "security through obscurity". Almost all professional security experts agree that security through obscurity is not very good security at all. A proper security system or protocol is secure even though attackers have intimate knowledge of how the system works.

I wonder if Mr. Longbottom would make similar claims about Sun's Solaris operating system, for which source code is also available (although it is not "free software" or "open-source" as those terms are normally defined).

The same Silicon.com article quotes Malcolm Beattie of Oxford University Computer Service as saying that "the open source nature of the OS [...] is actually its best defence." Mr. Beattie obviously has a much better grasp of the nature of system security than Mr. Longbottom.

Sincerely,
Eric Smith