Letters to the editor

Popularity does not equal insecurity

From:  Leon Brooks <leon-AT-cyberknights.com.au>
To:  Erica D Smith <ersmith-AT-thebeaconjournal.com>
Subject:  Popularity does not equal insecurity
Date:  Mon, 20 Dec 2004 08:16:08 +0800
Cc:  Bradenton Herald Editor <dklement-AT-bradentonherald.com>, LWN Letters <letters-AT-lwn.net>

Erica, you wrote
at http://www.bradenton.com/mld/bradenton/business/10445192.htm -
> Chances are, if your employees are using Microsoft Corp.'s Internet
> Explorer to surf the Web or Outlook to check e-mail, your company is
> more exposed to viruses and spyware, some security experts say.
 
And they're right.
 
> Is it because Internet Explorer and Outlook are inferior?
 
> Not really.
 
> It's because Microsoft's operating systems and programs are used by
> more than 90 percent of computer users - especially in the largest
> of businesses.
 
Unfortunately, that statement's not quite right. I'm pleased that you included
a few other opinions in the article, but you did not introduce anything to
seriously contradict David Perry's opening statement, or your words
introducing it.
 
Increased popularity makes the market more attractive to writers of
"malware" (the short term for the collection of nasties out there including
browser hijacks, phishing frauds, viruses and worms) and it means that any
individual piece of malware will be tripped over by more people, but it does
NOT increase the number of security holes present in any piece of software.
 
If simple popularity were a strong indicator of vulnerability, then the Apache
webserver would also be attacked disproportionately, since it "owns" more
than two thirds of all web servers, nearly three times as many as Microsoft's
IIS. However, Apache has never had a Code Red, a sadmind, an MDAC
vulnerability or a Nimda.
 
Similarly, the Open Source databases MySQL and PostgreSQL are wildly popular,
widely exposed to the Internet, and have had no MS-Blast attacks. Modern
email servers like PostFix and QMail have never been successfully attacked
despite very wide deployment, and even cranky old SendMail, the grandfather
of all email servers, has a far better track record than MS-Exchange.
 
The context of this statement implies that it's based on David Perry's input,
too:
 
> You can't expect to rid your company of all viruses and spyware simply
> by switching browsers. It will cut the risk, though. That's because
> there are still plenty of viruses that are written strictly for
> Internet Explorer.
 
Speaking from personal, recent, in-the-field experience I have to say that the
reason supplied is fatally inadequate. There are plenty of browser hijackers,
phishing scams and other pieces of malware out there which are designed to
work with any web browser or email client at all, and another large range
designed to work with any MS-Windows-based browser. Based on this, you would
expect this range of malware to continue to bite you even after you switched.
 
Yet switching from Internet Explorer and Outlook (or Outlook Express) to
Mozilla's FireFox web browser and ThunderBird email program deep-sixes a lot
of this malware as well, for the very simple reason that they are built to do
exactly that.
 
Mozilla is not a company with income goals or shareholders, Mozilla is a
foundation established by and for and of Internet users, and this is
reflected in the goals and quality of their products.
 
As a general statement, switching away from Microsoft's products, however
popular or otherwise, decreases your exposure to malware.
 
As another general statement, switching to Open Source software also decreases
your exposure. Because you don't need any special tools to find problems, any
programmer can read them right there in the source code, they are found and
eliminated quickly.
 
Open Source alternatives are available for a broad spectrum of applications;
for example, MS-Office can be easily replaced by the comprehensive
OpenOffice.org suite; Adobe's PhotoShop can usually be replaced with the GNU
Image Manipulation Program (fondly referred to as "The GIMP"); Solitaire
pales to insignificance alongside PySol.
 
With this in mind, a further effective step not mentioned, presumably because
you are neither really familiar with nor comfortable with the alternatives,
is to switch completely away from MS-Windows.
 
The two common alternatives are Linux and Apple's OS X.
 
OS X is initially the more costly to switch to because you have to replace
your computer as well, but the interface is a lot more polished than anything
else out there.
 
The two usual show-stoppers in any attempt to switch away are games and
particular "vertical market" applications. Many of these can be run using a
translation layer called WINE, but not all.
 
The benefits in switching, aside from security, include greater reliability,
accountability and control. Individual pieces of software offer specific
additional benefits; for example, the KDE desktop suite I'm using offers a
degree of consistent integration only dreamed of in the MS-Windows world.
 
There's also up-front cost (which is often zero) to consider, and the reduced
cost of maintenance (both direct and indirect) to factor in.
 
It's a very real and compelling response to any security issues, and yet it
sees no mention at all in this article.
 
> Mozilla is a free software suite [...] the Web browser that comes with
> it is not Firefox or Netscape.
 
This is also not strictly true. Netscape's Navigator is indeed a slightly
stretched version of Mozilla proper, and FireFox is both derived from it and
shares a lot of code.
 
You've done a much more thorough and impartial job than many other journalists
have, including some prominent self-styled technical experts; nevertheless, I
would appreciate seeing an article correcting these points, or an opportunity
to publish an article of my own here which presents them more realistically.
 
Cheers; Leon

Looking for legal and other info

From:  "Arthur Torrey (no spam please!)" <atorrey_at_cybercom.net>
To:  letters-AT-lwn.net
Subject:  Looking for legal and other info
Date:  Mon, 20 Dec 2004 20:13:11 -0500

I have seen various articles from time to time in LWN about efforts to require
governments to consider Linux and other free / open source software as
alternatives to purchasing commercial S/W. I've never had much luck though in
trying to locate sources that can advise me on how to create such requirements.
 
It is on a very small scale, but I'm an elected town meeting member in
Billerica, MA, USA, and as a constant advocate of reducing the size and
expense of government (and Linux advocate) would like to implement this sort
of rule in our town's bidding and purchasing procedures. I'm looking for a
resource that can advise me on how to write such a measure so that it would
(if passed) accomplish the desired objectives. Assistance with hard data as
to why this is a good idea would also be helpful.
 
IANAL, but it would seem to me that such a measure would need to include at
least the following elements:
 
1. A requirement that any software purchase request include a discussion of
FOSS alternatives to any commercial programs, and a cost comparison between
them.
 
2. A requirement that if a purchase request involves both hardware and
software, that bids must price the hardware and software separately, or
include a price for the hardware with no software other than drivers. (no
jacking up the hardware cost to cover the price of 'free' software)
 
On a more personal note, my GF and I recently started a low carbohydrate
diet. There are all sorts of 'diet management' type programs on the web or
available for MS platforms, but aside from 'GTK Diet Monger Ass Kicker' that I
found on Sourceforge, I haven't been able to find anything for Linux
(Fitday.com is a typical type of web program if you aren't sure what I'm
looking for)
 
  Thanks,
 
  ART
 
(please keep my address munged to stop the spambots!)

Feedback to grumpy editor on email clients

From:  Carl Worth <cworth-AT-cworth.org>
To:  lwn-AT-lwn.net
Subject:  Feedback to grumpy editor on email clients
Date:  Thu, 16 Dec 2004 11:58:45 -0500

Dear grumpy editor,
 
I'd been using mh-e for email for some time, and recently decided to
take a look elsewhere. (The primary motivation was a switch from
Debian to Fedora for my primary machine, but I'd also been annoyed by
some performance problems and bugs in mh-e for some time).
 
I've now switched to wanderlust and I'm quite happy with it:
 
        http://www.gohome.org/wl/
 
This is another emacs-based email interface and so far it seems to
solve most of the annoyances I suffered from with mh-e. The primary
userbase of wanderlust seems to be native Japanese speakers
which gives me comfort with respect to encoding bugs I had in mh-e.
 
Wanderlust also appears to perform much better than mh-e. It is happy
to use my existing mh folders, but it keeps a database alongside (in
~/.elmo) to cache sorting, threading, and other internal message
attributes.
 
There are some problems with wanderlust. I spent about a full day
configuring it before I found it entirely useful. The initial color
choices were particularly painful for me, but they may be because I
stick with "emacs -nw" to get the good fonts of my terminal (and
subsequent restriction in color choices). The manual was adequate, but
definitely required reading:
 
        http://www.gohome.org/wl/doc/wl_toc.html
 
And the sample configuration file (~/.wl) provided on the web page was
very helpful:
 
        http://cvs.m17n.org/cgi-bin/viewcvs/wanderlust/samples/en...
 
It actually contains many of the settings that should be set by
default.
 
Wanderlust supports 11 different folder types, (IMAP, NNTP,
LocalDir(MH), Maildir, News Spool, Archive, POP, Multi, Filter, Pipe
and Internal folder types), but I haven't used anything but mh
yet. I'm grumpy enough to want mail delivery divorced from email
interface.
 
The mail delivery piece is one thing I'm still not perfectly satisfied
with. For me, this currently works through a mishmash of tools,
(fetchmail for transport, procmail for prefiltering and routing
through spam checkers, and nmh for storing into my folders).
 
One thing I was attempting to do in switching from mh-e was to find a
solution that existed within Fedora, but I ended up just installing
nmh anyway. Another approach might be to switch to some other
1-mail-1-file folder type (maildir perhaps?) supported by wanderlust
that perhaps could be delivered to in a simpler fashion. Another idea
I've had is to use some offline imap tool using a native mh store,
(and that wouldn't mind my mail interface mucking with it).
 
Anyway, that was much more than the quick note I was trying to
send. But perhaps you might look at wanderlust if you're still grumpy
and haven't tried it yet.
 
-Carl

Page editor: Jonathan Corbet

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds