LinuxQuestions.org
Old 09-07-2010, 08:50 PM   #1
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Security vs. Popularity


Quote:
One idea in particular keeps coming up in discussions amongst IT professionals and software partisans: that the popularity of a piece of software is inversely correlated with its security. The assumption is that greater popularity of a piece of software makes it a more tempting target, and being a more tempting target makes it less secure.

There is some truth in that idea, but not nearly as much as many people think.
Complete Article
 
Old 09-08-2010, 12:23 AM   #2
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Nice article! Thanks for sharing.
 
Old 09-08-2010, 10:26 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Quote:
Originally Posted by EricTRA
Nice article! Thanks for sharing.
I'm glad you liked it. I liked it too.

I think the criticism the author made of Ubuntu made a lot of sense, and I say that as an Ubuntu user. In any case, the whole security vs. popularity issue is one which I run into in IRL discussions quite often, and the article seemed (to me at least) to provide some fresh, interesting perspective.

Last edited by win32sux; 09-08-2010 at 10:40 PM. Reason: Grammar.
 
Old 09-08-2010, 11:58 PM   #4
EricTRA
LQ Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1297
Quote:
Originally Posted by win32sux
I'm glad you liked it. I liked it too.

I think the criticism the author made of Ubuntu made a lot of sense, and I say that as an Ubuntu user. In any case, the whole security vs. popularity issue is one which I run into in IRL discussions quite often, and the article seemed (to me at least) to provide some fresh, interesting perspective.
Hi,

As you pointed out, it does provide an interesting perspective on several issues. If you think about it, in a logical way that is, then the 'bigger' Ubuntu becomes the more attention it might draw. And the more attention drawn to it, in a bad way, the more security holes will be found and exploited until fixed.

Thank God the whole open source community is behind Linux and that it doesn't depend on a 'limited' number of developers to solve the issues. Imagine what would happen if we only got security patches once a month like with 'the other OS'.

Kind regards,

Eric
 
Old 09-09-2010, 12:40 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
I really liked the points he made regarding the security ramifications of Ubuntu's increasing user base, not so much from the "bigger target" perspective (which I believe is more complicated than what it seems), but rather from the challenges which are introduced into the development cycle:
Quote:
The influence of popularity has an effect on security through the roundabout effects of a large user base on the way the system is designed. As more people clamor for particular features and interface changes, developers are under increasing pressure to appease those people’s demands. Doing so can easily lead to ill-considered security design decisions, out of control growth of complexity, and development mistakes. This is how poorly secured bloatware generally comes to be.
Quote:
Canonical’s Ubuntu Linux is, with every release, rapidly approaching the sort of bloat we have come to expect and loathe from Microsoft’s flagship operating system. At least in part because it primarily relies on open source software developed outside of Canonical, and benefits from the often better security policies of those outside projects, Ubuntu does not suffer the same rate of creeping corruption of security that afflicts Mac OS X. That creeping corruption is still an ongoing problem, however. Ever-more bloat, ever-tighter coupling between system components, and increasing focus on superficial end user enticements as a higher priority than good system design: these things lead to a system that resembles its more popular, less well secured competitors, more and more all the time.
 
Old 09-09-2010, 04:16 PM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Yes, very interesting article, it really makes you think. Thank you for sharing!

One of the first things that came to my mind was Canonical's, what I would call a religious devotion, to a 6 month development cycle. I too am an Ubuntu user and have been so since about the release of Gutsy Gibbon a few years back. Since that time there have been 6 major releases, the latest of which appears to be a significant overhaul of the core application. While I am pleased that this has brought a massive increase in hardware compatibility and the vast majority of the system "just works", I can't help but wonder if this trend isn't towards the distribution's detriment.

It seems that Ubuntu could very well become the product that brings Linux to the masses, especially in regards to ease of use and ease of installation. I myself have even considered recommending it over Windows to some less than computer literate relatives, largely because of the reduced propensity for malware and viruses and with the latest release think it has reached the point of being easy enough for them to use.

This brings me to another point that the article has made me wonder. What degree does the end user play in the level of security of the OS? Because the OS makes it easier to do something stupid, does it mean that the OS is less secure? Similarly, does having a large, potentially inexperienced user base, create security vulnerabilities for other, more sophisticated users such as those running server type applications?

In the last year or so, I have noticed a dramatic increase in the amount of interest in running one's own server, especially email, file sharing, and web servers. So far there seems to be a high degree of 'tolerance' towards this both from the community and from the ISP perspective. Clearly if one is going to run a server, one has the responsibility to secure it. What is the future of this trend and what does it mean in terms of 'security' for everyone?
 
1 members found this post helpful.
Old 09-09-2010, 06:19 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 380
Quote:
Originally Posted by Noway2
One of the first things that came to my mind was Canonical's, what I would call a religious devotion, to a 6 month development cycle.
FWIW, I too share concerns over their release schedule. Generally speaking, I think it does more harm than good (I'm a big fan of the alternative "it's ready when it's ready" approach taken by other distros). That said, I'm looking at it purely from a security and QA point of view, while Canonical surely must consider other factors that I'm not aware of.

Quote:
What degree does the end user play in the level of security of the OS? Because the OS makes it easier to do something stupid, does it mean that the OS is less secure?
IMHO, the user is key. He/she is almost always the weakest link in the security chain, and the greater the damage that the system (the information system as a whole, not just the OS) allows him/her to do by means of "something stupid", the greater the vulnerability. An understanding on the user's behalf of what constitutes risky behavior can curtail a significant chunk of the threat (as long as he/she is able and willing to cooperate), while mitigating the vulnerability will require addressing the underlying problem. Needless to say, an educated user will have no positive effect on the threat he/she poses with regards to intentional attacks.

Quote:
Similarly, does having a large, potentially inexperienced user base, create security vulnerabilities for other, more sophisticated users such as those running server type applications?
I think it increases the threat, but not the vulnerability. That is, assuming you're referring to the Internet in general. If you're referring to the risk levels of a specific system only, OTOH, then I would say that the training/experience of the user base should indeed be factored in when assessing vulnerability. Social engineering attacks come to mind as one of many fitting examples.

Last edited by win32sux; 09-09-2010 at 06:48 PM.
 
  

