Alan Cox, one of the most respected figures in the UK open source community, has warned of complacency over the security of open source projects. Speaking to delegates at London’s LinuxWorld conference on Wednesday, he emphasised that considerable sums of money were being spent to try and hack into open source systems. And he cautioned that many open source projects were far from secure. “Things appear in the media like open source software is more secure, more reliable and there are less bugs. Those are very dangerous statements,” Cox said. My take: Agree wholeheartedly. Security complacency, often seen in OSAlert’s comment sections, is very, very dangerous.
Not “my take” again. We all know what a ****storm it caused last time.
Nice to see some honesty in the computing business for once.
Alan Cox … Security …
http://www.engadget.com/2006/09/22/another-thinkpad-battery-explode…
http://zeniv.linux.org.uk/~telsa/boom/
Do as I say not as I do.
What’s next, listening to Linus Torvalds about license making …
There is a reason why it’s called GNU/Linux: because Linux with the LT license failed.
“And he cautioned that many open source projects were far from secure.”
I wonder whose job it is to name them exactly and explain how he thinks they might be more secure … Oh yes, that’s Alan Cox’s job.
“Open source software is more secure, more reliable and there are less bugs.”
It’s a fact. It doesn’t mean it’s unbreakable, just that it’s better at security. It has something to do with being able to look at the code for security analysis.
The best way to full security is if you have full access to the source code for full, independent, multiple security review. OH WAIT, no!! According to him and his ilk it’s OK that TiVo closed running access with hardware and doesn’t say how they do it.
What’s next, Mr. Cox? We should all switch to BSD and Windows because you’re incompetent in security, and wait for you to say it’s now entirely secure.
Kernel developers should stick to developing the kernel …
Do as I say not as I do.
You’re equating Cox’s battery exploding with open source security? Thanks for that startling insight.
What’s next, listening to Linus Torvalds about license making … There is a reason why it’s called GNU/Linux: because Linux with the LT license failed.
Nothing like erecting a strawman and knocking it down.
I wonder whose job it is to name them exactly and explain how he thinks they might be more secure … Oh yes, that’s Alan Cox’s job.
He’s right. That trumps any questions regarding his authority.
It’s a fact. It doesn’t mean it’s unbreakable, just that it’s better at security. It has something to do with being able to look at the code for security analysis.
You’re dreaming. http://news.com.com/2100-1009-5063683.html
The best way to full security is if you have full access to the source code for full, independent, multiple security review. OH WAIT, no!! According to him and his ilk it’s OK that TiVo closed running access with hardware and doesn’t say how they do it.
Irrelevant. Do try to stay on topic.
What’s next, Mr. Cox? We should all switch to BSD and Windows because you’re incompetent in security, and wait for you to say it’s now entirely secure.
Wow, personal attacks. Do yourself a favor and go see a shrink. Your self-esteem is apparently as withered as the Grinch’s heart.
Kernel developers should stick to developing the kernel …
Rrrrrrright — and Einstein should have stayed a patent clerk, right?
It would be nice if the replies to the senseless troll were also modded down…
Why do you want to be modded down?
<quote>Why do you want to be modded down?</quote>
It’s next to impossible to get any useful information from responses without knowing what most people are responding to. People cherry-pick comments and sometimes post them in their response, but you don’t get a good idea of the original context the quote was used in.
You will excuse me, while I just decide to disagree with your entire comment and pass on responding to it.
You will excuse me, while I just decide to disagree with your entire comment
You will excuse us if we say, “Well, what a surprise”.
and pass on responding to it.
Erm, except you didn’t.
“You will excuse us if we say, ‘Well, what a surprise’.”
I am sure >you< wanted *me* to reply in detail, point by point …
“Erm, except you didn’t.”
http://www.google.com/search?hl=en&lr=&safe=off&defl=en&q=define:Re…
I did reply, I did not Respond to it.
Why would Alan Cox not be qualified to talk about the relative security of the Linux kernel? He’s one of Linus’s right-hand men, and generally involved in the OSS world.
Anyway, I think you missed the subtle difference between Alan Cox saying that Linux is insecure, and Alan Cox saying Linux is dangerously insecure.
I’m fairly sure he meant the former, to counter all the opinions of people who think that Linux never has bugs and is unhackable, which we both know isn’t true.
Don’t take my comments too seriously. I just know how this will be spun to death by some. Some people don’t know the real weight of their comments. Mr Cox is one of them.
Don’t take my comments too seriously.
Don’t mind if I don’t!
What’s next, Mr. Cox? We should all switch to BSD and Windows because you’re incompetent in security, and wait for you to say it’s now entirely secure.
Wow, personal attacks. Do yourself a favor and go see a shrink. Your self-esteem is apparently as withered as the Grinch’s heart.
Way to rise above those personal attacks. Nicely done.
You’re not worse than the original poster.
Thom is a misinformed douche bag.
Whoever lets him post articles to this site should be shot.
He’s right, complacency breeds insecurity. Don’t take it personal, take it for what it is, some damn good advice.
Security must be designed in from the start, must be rigorously tested, and must be verified. Otherwise it’s worthless.
Thom wrote …Security complacency, often seen in OSAlert’s comment sections…
I’d just like to point out, the statements Mr. Cox made weren’t aimed at the media or at the vast majority of osnews commenters. They were aimed at developers. An analogy would be that my theories on the cosmos’ creation don’t affect astronomers.
The danger isn’t that writers and OSS fans say that Linux/BSD/Apache/KDE/etc. are bug free. The danger is when developers believe it. My beliefs don’t affect OSS code quality because I don’t release OSS code. However, those belonging to people writing widgets to enhance Gnome do matter.
It’s an old lesson, hubris brings ruin.
He rattled the OSS fundies’ cage.
Open Source, like closed source, has some downfalls.
News at 11.
He rattled the OSS fundies’ cage.
Open Source, like closed source, has some downfalls.
News at 11.
And how we all must be rattling your cage. No “OSS fundie” is saying, “NO!! That CAN’T be true! That’s IMPOSSIBLE!”
That’s a job we leave to Windows fanboys.
I touched a nerve, eh?
Not very much rattling in my case but more like a good chuckle.
I agree, complacency about security is bad.
However, about the complacency seen in OSAlert comments…
That’s a very dumb comment. Signature-based anti-virus never worked on Windows either; it’s only good for the certificate you get.
If systems were built with the principle of least privilege in mind, viruses would be extinct. UNIX was ahead of DOS in this area by miles for a long time. With NT (and now Vista) MS is catching up though. Linux is still more advanced, think SELinux; but what is that worth if nobody is using the feature?
“think SELinux; but what is that worth if nobody is using the feature?”
Bingo. Once security “features” become too much of a pain in the ass to implement, they will be circumvented. This is absolutely true not only of end-users but of sysadmins as well.
Bingo. Once security “features” become too much of a pain in the ass to implement, they will be circumvented. This is absolutely true not only of end-users but of sysadmins as well.
I think that says everything about my relationship with Norton on Windows.
I am a sysadmin, and I do have SELinux disabled on most internal servers.
I should do more research on it, understand how it functions better, and implement it.
Will I ever get the time? Probably not or will just forget about it.
Do you think you’ll “ever get the time” to recover the losses once you’re hacked? How about the losses to others due to your incompetence/ineptitude? Have any personal data on your internal servers?
Caught a clue yet?
Do you think you’ll “ever get the time” to recover the losses once you’re hacked? How about the losses to others due to your incompetence/ineptitude? Have any personal data on your internal servers?
Caught a clue yet?
Yes, he does, or at least his comment was written as such. I can only speak for myself on this: I’m guilty as charged too.
To be truthful, SELinux is a blank spot for me. OK, I’ve written a policy or two (nothing special, but in reality very time consuming, although at that time I didn’t know about http://seedit.sourceforge.net/ and there were no GUI helpers as exist in FC6 now), I try to run my servers with SELinux enabled (except in some cases, where the reason for the server doesn’t work with SELinux). But do I really know what SELinux is? Nope, I often catch myself avoiding the problem by taking “the easiest” instead of “the best” approach. And this is the point I’m not really proud of.
There simply is not enough time to know everything. But maybe now that friendlier tools are at hand it will be a better time for SELinux.
So have you ever tried AppArmor?
Yes, AppArmor is great. That doesn’t change the fact almost nobody is using it though. I hope that is changing.
For example: How many Linux users are restricting their Firefox’s access to their personal/company documents, thus mitigating data disclosure if future Firefox bugs are exploited? 0.01%? How many should? 100%.
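What the reply above asks for can be expressed directly as an AppArmor profile. The fragment below is an added illustration, not something posted in this thread or shipped by any distribution: the Firefox binary path, the abstraction names and the directory layout under the home directory are assumptions for illustration and must be adjusted to the actual system. The point it shows is that deny rules win over allow rules in AppArmor, so the document tree can be walled off even though the browser keeps its own profile directory and a download directory.

```apparmor
# Added example (not from the thread): confine Firefox so that a browser
# exploit cannot read the user's documents.  Paths are assumed, adjust them.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/user-tmp>

  # the browser needs the network, obviously
  network inet stream,
  network inet6 stream,

  # its own code and system-wide configuration, read-only
  /usr/lib/firefox/** mr,
  /etc/firefox/** r,

  # per-user browser state and the download directory are the only
  # writable places under the home directory
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/Downloads/** rw,

  # the actual point: personal/company documents stay off-limits, and
  # "audit" makes every attempt show up in the kernel log, so an exploited
  # tab trying to read them is visible rather than silently refused
  audit deny @{HOME}/Documents/** rwk,
  audit deny @{HOME}/Projects/** rwk,

  # a compromised browser must not rummage through other accounts either
  deny /home/*/** rwk,
  deny /root/** rwk,
}
```

Load it with `apparmor_parser -r` on the profile file and confirm with `aa-status` that the Firefox process shows up in enforce mode; running it in complain mode first (`aa-complain`) reveals which legitimate paths the assumed rules above miss before anything is enforced.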
I may be wrong but I believe that the remark about complacency in the osnews comments referred to the blatant “linux is secure because there are no viruses” / “linux is secure because it’s not windows” attitude seen in comments. That is definitely not a dumb comment, in fact it’s quite true.
I may be wrong but I believe that the remark about complacency in the osnews comments referred to the blatant “linux is secure because there are no viruses” / “linux is secure because it’s not windows” attitude seen in comments
You must be wrong then. Most comments are not complacency at all, but rather answers to the blatant “Windows is as or more secure than Linux” attitude. These comments then say Linux is more secure than Windows, but sure enough never say Linux is more secure than anything, is absolutely secure, is secure because there are no viruses, is secure because it’s not Windows, or is more secure than OpenBSD.
That you believe the strawman here is your problem actually.
That is definitely not a dumb comment, in fact it’s quite true
It’s dumb and quite wrong. People who would say things like this one are so clueless they couldn’t do anything about the security of their OS anyway.
Fortunately, if these people say this, it is because they have no security problems on their Linux box, compared to every Windows box they’ve known, which is thanks to the fact that distros do the right thing, and so already follow the policy that A. Cox reminds us of.
So there is actually nothing negative said about Linux community or Linux itself by A. Cox, except in this really dumb comment and in your post (and several others).
The ad is so gigantic and covers up everything but the last 4-5 paragraphs. Very irritating. I’ll be sure to _not_ buy a blackberry now (that’s what’s being advertised).
I have two words for you: Firefox. Adblock.
Without being complacent, there *are* reasons why Linux is more secure than Windows: the big separation between normal user and root in Linux, which doesn’t exist in Windows, where nearly everyone is running with administrator privileges, and without those privileges the ‘Windows experience’ is very bad.
This separation explains why there are many Windows viruses and nearly zero for Linux.
Now does this means that Linux is safe?
No, of course not; Linux, like any OS, is only safe if you update it regularly, use a firewall and do not install software from untrusted sources.
And as RedHat and Suse show, major Linux distributions are interested in security and they’re adding even more security mechanisms.
With plenty of root exploits, user-level protection can’t be effective. On any machine with a recent non-beta nvidia driver, malware is able to get root access through a known exploit.
There are other reasons for lack of malware on linux (besides user level right restrictions):
Fragmentation – an exploit won’t for sure work on 90% of Linux machines out there, compared to the Windows situation.
Users – Linux users are often power users (users with the needed tech skills and/or system understanding) who know how to avoid getting infected and can protect their machine. The same goes for Windows power users, but they are a very small minority. Let’s face it, a user running Linux most often wouldn’t even try to execute a “britney.sh” file.
Market share – “underground” professionals doing spam-collection/dialer/scam malware still aren’t interested in Linux.
Market share – “underground” professionals doing spam-collection/dialer/scam malware still aren’t interested in Linux.
They run it themselves?
The title suggests something is wrong with OSS software itself, while Alan Cox only warns of a false sense of security.
It is always good when someone reminds you to have secure systems (and frequent backups). If Linux is secure it is due to people like Alan who have a deep understanding and have worked hard on security.
In most private companies security suffers when deadlines are tight. They sometimes think that obscurity will be enough. Open source hackers tend to be more concerned, but they should keep working like they have done before.
So there is actually nothing negative said about Linux community or Linux itself by A. Cox, except in this really dumb comment and in your post (and several others).
A. Cox rightfully warned of a false sense of security. Now and then people need to wake up and see things in the right perspective. Security is a process and education is one of its many facets.
My problem is with the rather suggestive title, as if OSS faces significantly more problems than closed source. Or better yet, as if there’s something terribly wrong with OSS, while Mr Cox only warns against a false sense of security.
I think Mr. Cox has a point. If a virus was released today that specifically targeted, let’s say, an Xorg flaw that comes through a Firefox security hole, how many Linux users are actually protected from it, and is there a Linux virus scanner that is capable of picking it up because of the way it analyzes code, so that anyone with this virus scanner is protected? How many Linux users out there use a virus scanner? How many do not and rely on the assumption that Linux is secure? Would the same people trust Windows Vista to run without a virus scanner? Probably not.
A virus scanner is better than nothing, although I prefer SELinux, AppArmor or RSBAC, or both a virus scanner and a mandatory access control mechanism.
The “good guys” are by definition running behind the “bad” guys.
What if a hole in clamav (a popular *nix virus scanner) is exploited via any popular web browser?
On Fedora clamav, amongst a lot more daemons/apps, is protected by SELinux. This decreases the number of people who are still capable of crafting something malignant.
Security doesn’t grow on trees; not even for Linux.
All Linux users should be aware of these key terms:
* Trusted software source
* Limited user account
* Spam Blocker
* Anti Virus
* Firefox 2
* Firewall
* Sudo/Su
* MAC
Security is not just about software, part of that process is documenting what that software and hardware does. Do you have documentation on the configuration of every server you have? Are all of your machines built in exactly the same fashion and is that documented so if you get hit by a truck, your replacement can take over where you left off?
I am in the process of creating documentation for where I work and this is where you start to find out about the weak points in your security. Do you keep track of which releases of software are installed on your machines, which OS versions and updates are deployed, favorite compile options, etc. Do you know what your application administrators are doing to the systems and why, and are they documenting their changes?
Locking down a system and applying patches and updates is one part of the overall security process.
All Linux users should be aware of these key terms:
* Trusted software source
* Limited user account
* Spam Blocker
* Anti Virus
* Firefox 2
* Firewall
* Sudo/Su
* MAC
Anti-virus is as yet pretty useless on Linux unless there is Wine installed. And I don’t see why you added Firefox 2 to that list. There are other browsers too. And there just ain’t much experience of Firefox 2 yet, so I don’t know anything about its security. Besides, I’m not even gonna try it anyway, I dislike Firefox. MAC means MAC address of your network interfaces? Or? And as to the firewall, it’d be better to disable all unwanted services rather than just block access to them from outside, i.e. fix the problem, not the result.
EDIT: Btw, I just thought to mention here that I do run a few services on my box, like a mail, www and ssh server. I know I probably should use SELinux, but I just don’t know anything about it or what kinds of problems to expect. Besides, as far as I know, enabling it would require complete reinstallation of my Gentoo.
Edited 2006-10-27 19:20
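The point made in the post above, that a firewall hides an unwanted service while stopping it removes the problem, needs a way to find out what is actually listening before anything is turned off. The script below is an added example, not code from the thread or from any project: it reads `ss -ltn`-style output, compares the listening ports against an explicit allow-list, and prints whatever nobody asked for. The sample output is constructed, and the allow-list of 22, 25 and 80 mirrors the ssh, mail and www services the poster says they run.

```sh
#!/bin/sh
# Added example (not from the thread): list what is listening and flag
# every port outside an explicit allow-list, so the fix is "stop the
# daemon" rather than "firewall it".  The sample below is constructed
# output in the format of `ss -ltn` on Linux and stands in for a real run.

SAMPLE_SS_OUTPUT='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     0.0.0.0:111          0.0.0.0:*
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*'

# listening_ports: read ss -ltn style lines on stdin and print each
# listening port once, sorted numerically.  The port is whatever follows
# the last colon, which copes with "addr:port", "*:port" and "[::]:port".
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# unexpected_ports ALLOWED: ALLOWED is a space-separated list of ports the
# host is meant to serve; every listening port not in that list is printed.
unexpected_ports() {
    allowed=" $1 "
    listening_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;        # intended service, fine
            *) echo "$port" ;;     # nobody asked for this: stop the daemon
        esac
    done
}

# audit_sample: the check run over the constructed sample with the
# poster's services (ssh, mail, www) allowed; prints the stragglers on
# one space-separated line.
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_ports "22 25 80" \
        | tr '\n' ' ' | sed 's/ $//'
}

# On a real host the same check is:  ss -ltn | unexpected_ports "22 25 80"
```

Anything the check prints (in the sample, the portmapper on 111 and a print spooler on 631) is a service to disable at the init system, not a port to block; once that is done, the firewall only has to cover what the host is genuinely meant to serve.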
MAC was most likely referring to Mandatory Access Control, which RedHat/Fedora enables by default (SELinux) as well as SuSE (AppArmor)… those are both implementations of MAC.
And I’m sure you all will correct me if I’m wrong, but this is the thing.
It is my opinion that any open source software has the potential to be exponentially more secure than any closed source code. I think of it in terms of numbers…there will be far more developers looking to create/debug/fix code than people looking to hack it. Also, open source code isn’t looking to attract sales dollars. So there’s no push to make aggressive deadlines because of the commitment to the bottom line. When that happens, I believe that’s when the buggy code gets released.
When you have closed source code, there’s a finite number of individuals involved in the programming and they are being pushed by upper management to create so they can sell. There’s a commitment to quality, but I’ll tell you from a manufacturing background that when push gets to shove quality will take a backseat more often than not. Comparing to the open source community, closed source code only has users who have paid for the software and are expecting it to perform a certain way. There’s no community trying to make things better, and when the code gets released to the public the parent company disbands the majority of the original group of developers to have them work on other projects.
So that’s the spiel. Long story short, the benefits of open source should outweigh the liability of allowing everyone access to the raw code.
It is my opinion that any open source software has the potential to be exponentially more secure than any closed source code.
There are certainly very secure proprietary systems, such as many mission (and life) critical systems. So I don't think that any open source project can be exponentially more secure than proprietary ones – but on average they have the potential to be more secure.
There’s a commitment to quality, but I’ll tell you from a manufacturing background that when push gets to shove quality will take a backseat more often than not.
Well, if security and quality are important enough to customers, proprietary software can be very secure too. But I admit that this is too seldom the case.
As for open source projects, the critical factor is that the project can attract the necessary community to be able to realize the effect of “many eyes” (many of the popular high-interest OSS projects have certainly attracted the right crowd of security-conscious people).
I don't disagree that OSS can be very secure (and often it is). But the most secure proprietary systems can compete with the most secure OSS projects.
Rather than seeing OSS as the only way to develop very secure software, I see the advantage of OSS as being that it increases the likelihood of the product being developed in a secure fashion.
That alone is a very good reason to push OSS. But there is no deterministic relationship between development model and security level.
I agree with you and see your point on secure proprietary systems having the potential of being as secure as OSS. Maybe using the term “exponentially” wasn’t quite right. But I saw it as OSS isn’t looking to turn a buck, therefore the community surrounding it should be more open to produce the best product they can since it is really their names and reputations on the line when developing for the product. I also agree with another poster in one of the above posts that “secure” software is only one piece of the security spectrum.
I suppose I really see OSS as the ultimate push for development of ideas and innovation. Like Mozilla Firefox forced MS to release a better product in IE (regardless of which brand you wave the flag for). And like the emergence/dominance of foreign cars in America that forced the domestic companies to produce a better product. As long as you have OSS on equal footing with pay services or software, the product should only get better. It’s competition that drives innovation, because innovation is usually expensive. Innovation is typically better for the consumer.
I do think OSS still has the ability of being more adept at incorporating new ideas and change, either for security’s sake or any other part of the overall system. And it’s that speed and ability to change quickly that would make it much more of a viable alternative to any proprietary system.
if Alan Cox would’ve posted his thoughts on an OSAlert thread under another name he’d have been modded down in record time