LinuxQuestions.org


win32sux 09-07-2010 08:50 PM

Security vs. Popularity
 
Quote:

One idea in particular keeps coming up in discussions amongst IT professionals and software partisans: that the popularity of a piece of software is inversely correlated with its security. The assumption is that greater popularity of a piece of software makes it a more tempting target, and being a more tempting target makes it less secure.

There is some truth in that idea, but not nearly as much as many people think.
Complete Article

EricTRA 09-08-2010 12:23 AM

Nice article! Thanks for sharing.

win32sux 09-08-2010 10:26 PM

Quote:

Originally Posted by EricTRA (Post 4091080)
Nice article! Thanks for sharing.

I'm glad you liked it. I liked it too. :)

I think the criticism the author made of Ubuntu made a lot of sense, and I say that as an Ubuntu user. In any case, the whole security vs. popularity issue is one which I run into IRL discussions quite often, and the article seemed (to me at least) to provide some fresh, interesting perspective.

EricTRA 09-08-2010 11:58 PM

Quote:

Originally Posted by win32sux (Post 4092036)
I'm glad you liked it. I liked it too. :)

I think the criticism the author made of Ubuntu made a lot of sense, and I say that as an Ubuntu user. In any case, the whole security vs. popularity issue is one which I run into IRL discussions quite often, and the article seemed (to me at least) to provide some fresh, interesting perspective.

Hi,

As you pointed out, it does provide an interesting perspective on several issues. If you think about it, in a logical way that is, then the 'bigger' Ubuntu becomes the more attention it might draw. And the more attention drawn to it, in a bad way, the more security holes will be found and exploited until fixed.

Thank God the whole open source community is behind Linux and that it doesn't depend on a 'limited' number of developers to solve the issues. Imagine what would happen if we only got security patches once a month like with 'the other OS' ;)

Kind regards,

Eric

win32sux 09-09-2010 12:40 PM

I really liked the points he made regarding the security ramifications of Ubuntu's increasing user base, not so much from the "bigger target" perspective (which I believe is more complicated than what it seems), but rather from the challenges which are introduced into the development cycle:
Quote:

The influence of popularity has an effect on security through the roundabout effects of a large user base on the way the system is designed. As more people clamor for particular features and interface changes, developers are under increasing pressure to appease those people’s demands. Doing so can easily lead to ill-considered security design decisions, out of control growth of complexity, and development mistakes. This is how poorly secured bloatware generally comes to be.
Quote:

Canonical’s Ubuntu Linux is, with every release, rapidly approaching the sort of bloat we have come to expect and loathe from Microsoft’s flagship operating system. At least in part because it primarily relies on open source software developed outside of Canonical, and benefits from the often better security policies of those outside projects, Ubuntu does not suffer the same rate of creeping corruption of security that afflicts Mac OS X. That creeping corruption is still an ongoing problem, however. Ever-more bloat, ever-tighter coupling between system components, and increasing focus on superficial end user enticements as a higher priority than good system design: these things lead to a system that resembles its more popular, less well secured competitors, more and more all the time.

Noway2 09-09-2010 04:16 PM

Yes, a very interesting article; it really makes you think. Thank you for sharing!

One of the first things that came to my mind was Canonical's, what I would call a religious devotion, to a 6 month development cycle. I too am an Ubuntu user and have been so since about the release of Gutsy Gibbon a few years back. Since that time there have been 6 major releases, the latest of which appears to be a significant overhaul of the core application. While I am pleased that this has brought a massive increase in hardware compatibility and the vast majority of the system "just works", I can't help but wonder if this trend isn't to the distribution's detriment.

It seems that Ubuntu could very well become the product that brings Linux to the masses, especially in regards to ease of use and ease of installation. I myself have even considered recommending it over Windows to some less than computer literate relatives, largely because of the reduced propensity for malware and viruses and with the latest release think it has reached the point of being easy enough for them to use.

This brings me to another point that the article has made me wonder. What degree does the end user play in the level of security of the OS? Because the OS makes it easier to do something stupid, does it mean that the OS is less secure? Similarly, does having a large, potentially inexperienced user base, create security vulnerabilities for other, more sophisticated users such as those running server type applications?

In the last year or so, I have noticed a dramatic increase in the amount of interest in running one's own server, especially email, file sharing, and web servers. So far there seems to be a high degree of 'tolerance' towards this both from the community and from the ISP perspective. Clearly if one is going to run a server, one has the responsibility to secure it. What is the future of this trend and what does it mean in terms of 'security' for everyone?

win32sux 09-09-2010 06:19 PM

Quote:

Originally Posted by Noway2 (Post 4092851)
One of the first things that came to my mind was Canonical's, what I would call a religious devotion, to a 6 month development cycle.

FWIW, I too share concerns over their release schedule. Generally speaking, I think it does more harm than good (I'm a big fan of the alternative "it's ready when it's ready" approach taken by other distros). That said, I'm looking at it purely from a security and QA point of view, while Canonical surely must consider other factors that I'm not aware of.

Quote:

What degree does the end user play in the level of security of the OS? Because the OS makes it easier to do something stupid, does it mean that the OS is less secure?
IMHO, the user is key. He/she is almost always the weakest link in the security chain, and the greater the damage that the system (the information system as a whole, not just the OS) allows him/her to do by means of "something stupid", the greater the vulnerability. An understanding on the user's behalf of what constitutes risky behavior can curtail a significant chunk of the threat (as long as he/she is able and willing to cooperate), while mitigating the vulnerability will require addressing the underlying problem. Needless to say, an educated user will have no positive effect on the threat he/she poses with regards to intentional attacks.

Quote:

Similarly, does having a large, potentially inexperienced user base, create security vulnerabilities for other, more sophisticated users such as those running server type applications?
I think it increases the threat, but not the vulnerability. That is, assuming you're referring to the Internet in general. If you're referring to the risk levels of a specific system only, OTOH, then I would say that the training/experience of the user base should indeed be factored in when assessing vulnerability. Social engineering attacks come to mind as one of many fitting examples.
