
Subject: RE: [OS:N:] OSN - what are the best desktop systems for



> From: Chris Spencer <cspencer cait org>
> 
> It's true that open source does not mean more secure, but, if you ask
> security experts if an open or closed system is more secure invariably
> the answer is that an open source system is more secure because of the
> ability for all experts to review it.

Not only can they review it, but fixes can be deployed quickly without a lot of downtime, and without (usually) breaking third-party software. Also, since I am sure that Linux packagers all read each other's security mailing lists, once a bug is found and fixed, the Mighty GPL ensures that all the suppliers can pass it on to their customers.


> From: Jeremy Hogan <jhogan redhat com>

> It's harder to infect due mostly to privileges and default privileges,
> not because people don't try. Unix has been around longer than Windows,
> and is still pretty well all over the net. I would suppose that makes
> for a large target body, and if it was worth trying people have tried
> it. There's a whole class of exploit that's not able to spread its love
> because the system just won't let it.
> 
> But you're right, I became aware of how good MS security had gotten when
> my 8 year old daughter got to see her first porn due to the admin
> messaging port being left on by default on her friend's XP machine and a
> spammer's pop-up exploit.

Ah, but Microsoft has been placing full-page ads in the paper warning folks to use a firewall, and to install third-party security software to guard the holes in the default Windows installation.

Microsoft leaves everything open so that you can have ease of use. Your tech support provider can fix things remotely, and now you can have your systems "improved" automatically by Windows Update.


> > Open Source does not, in and of itself, mean more secure.  
> 
> No, you're right, it doesn't. Linux is more secure due to Unix ancestry.
> Being Open Source means it can be opened for third party/friendly
> analysis, though. 
> 
> > Sure, there may
> > be more *opportunity* for someone to discover a bug from a source code
> > review, but from the Linux users I've worked with (and I see plenty in the
> > enterprise space), they are not looking at source code.
> 
> No, but the developers making the software are. Oh. I forgot, you only
> acknowledge this nebulous cloud of developers, they must be the only
> folks you can count on. 
> 
> IBM, last I heard, and Novell, and Sun also had pretty significant Linux
> initiatives. Apple has a ton of Open Source software running.

I forget which list it was on, but I noticed the other day a security bulletin which credited Novell with finding a hole in some bit of software. Many folks all doing their normal quality control with the same suite of software will likely find more holes (and fix them) than any one entity, no matter how large, can find, just because all these organizations have different corporate cultures and therefore the employees who do security checks will all look at different aspects.


> Oh, I know, the customers! I know that Amazon cares about security. So
> does Morgan Stanley. As does AOL (ha, I can mention them, they only
> *used* to be competitors to MS)!

> Wait... the DoD, CIA and NSA are running and testing and contributing to
> the security of Linux. Surely *they* must know about security. And they
> *all* have money to buy whatever works for them!

And unlike the case where, say, DoD notifies Microsoft of a problem they want fixed (I am sure they get the fix!), when a Linux vendor gets notified of the problem, it is likely to get fixed in all the major distributions within a month or two (even if the changes are not publicly announced).

A friend of mine at Public Works and Government Services Canada was invited to set up a panel on security at the last GTEC conference (http://www.gtecweek.ca/) and he is working on making the results available in an openly updatable format. (I am not sure if he has officially "released" the URL.)



