
Letters to the editor

Security & Open/Closed Source

From:  Casey Bralla <Vorlon@NerdWorld.org>
To:  Letters@lwn.net
Subject:  Security & Open/Closed Source
Date:  Thu, 27 Jun 2002 17:55:35 -0400

I find it interesting that the same community which (rightly) lambasts
Microsoft for concealing security problems with their programs now cries
foul when somebody exposes an open source breach that hasn't been patched
yet.
 
isn't that the main argument Microsoft makes about not wanting to
publicize security problems? (Granted, I think most of their arguments
are absurdly self-serving.)
 
How can we complain about Microsoft getting angry over disclosures of (as
yet unpatched) security problems, and then not hold Apache to the same
standard?
--
 
 
Casey Bralla
Chief Nerd in Residence
The NerdWorld Organisation
Vorlon@NerdWorld.org


Security vulnerabilities...

From:  dps@io.stargate.co.uk, stargate.co.uk@io.stargate.co.uk
To:  letters@lwn.net
Subject:  Security vulnerabilities...
Date:  Thu, 27 Jun 2002 16:38:59 +0100

If a security, or other, bug turns up in my software the bug reporting
procedure is simple: send an email to me. The email address is in the
README file if not elsewhere as well. Ideally send me a patch, a way to
reproduce, or at least some indication of the location of the bug. Hopefully
the fact I supply source makes the latter easier to do :-) Given a
non-stripped binary and core dump then typing bt in gdb would give me
quite a few clues a significant fraction of the time.
 
Given only stripped binaries then there is little I can tell M$ if Windows
crashes, as it does regularly for lots of people---newer versions are
better than older ones but both still crash on a regular basis, have
memory leaks, etc. Very few people report these because the circumstances
which trigger the bugs are obscure and it is "normal". M$ has done nothing
to fix them for ages. Some of these bugs are probably usable for security
exploits but nobody really has any clues until some black hat demonstrates
them (or a white hat discovers them and reports them to M$ and security
mailing lists).
 
I would expect contacting one of the primary developers, who is presumably
findable in a README file, would be an appropriate place to send a
security hole to so it can be closed. Finding a good vendor contact is
often a lot more difficult.


Matthew, you told a pork pie

From:  Leon Brooks <leon@cyberknights.com.au>
To:  matthew_newton@pcworld.com
Subject:  Matthew, you told a pork pie
Date:  Fri, 28 Jun 2002 10:52:22 +0800
Cc:  letters@lwn.net

> since Corel abandoned its effort, no vendor has concentrated
> strictly on making Linux friendly enough for newbies
 
Mandrake and SuSE have for years both been heavily focused on making things
easier for newbies. I favour Mandrake, friends favour SuSE.
 
For an example of an isolated feature aimed in this direction, this Mandrake
8.2 box has a standard-looking menu layout, plus a couple of useful extras,
one labelled `What to do?' which has entries like `Use the Internet' leading
to the most common tools (mail, web, news, ICQ, IRC, AIM, etc).
 
This is but one feature of scores. HardDrake sorts out new hardware amazingly
well. In the case of a software modem with only proprietary drivers, it
referred me to a website that I could download the drivers from.
 
While Mandrake and SuSE are obviously putting a huge amount of effort into
making these things easier, and getting results (e.g. WalMart are ramping up
to ship PCs with Mandrake pre-installed, the French government has also
granted them a contract to supply, and never mind the newbie focus 'coz the
Linux audience apparently likes them as a server too), RedHat haven't been
idle, and nor have other teams like Debian. Have you tried Debian Jr - for
kids! - yet?
 
Another distribution which (sigh) needs mentioning is Lindows. Easy to use,
yes, but also running as root, and potentially with no password. Expect to
see cracks targeted at that vulnerable arrangement as Lindows gets market
share - if it does, they're not exactly bending over backwards to comply with
the GPL for the software which they have already fielded.
 
Finally, while Gentoo isn't so easy to install (and what newbie installs
their own OS anyway?), it certainly is easy to maintain and runs well on
older, less able hardware.
 
Returning to the main point, ease of use: it isn't everything, but in this
case you can have your cake and eat a certain amount of it too.
 
For example, if you equipped a new computer lab with dual servers and 20
Mandrake LTSP terminals all built from COTS hardware, you would have 20
easy-to-use and even MS-Office-compatible workstations with 17" screens,
accelerated 3D, sound and optical mice for around AUD$20,000+GST (USD$11,300,
GBP£7,400) including hubs/switches and cables. Power on, and in seconds
you're working. I have a baby network like this running in my shed as I type.
 
Ease of use goes beyond clicking on WIMP features. You can layer Mosix onto
this and have the equivalent of a 37GHz supercomputer at your disposal for no
extra cost beyond labour (install package, configure, start service). Updates
can even be completely automated by running one service. That's a lot easier
to do than drumming up the money to buy a supercomputer, and demonstrates
ease of use for the support people as well as the users.
 
You really should know what you're talking about _before_ you put finger to
keyboard for an article... and a public error requires public correction.
 
Cheers; Leon
 
 
PS if you're a SlackWare fan: you haven't been overlooked. SlackWare have
never claimed that their distro is easy to use. If this is a deliberate
policy, while it costs marketshare it does drive up the quality of
fana^H^H^H^Huser.


Page editor: Jonathan Corbet


Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds