Bill Gates publicly stepped down from his position at Microsoft on June 27, 2008. He will not be missed, at least not by me, nor by many Linux users around the globe. There is a lot of speculation in the blogosphere as to what this means for Linux over the next few years. Some see it as the inevitable demise of Windows, the beginning of the end, but I’m not yet convinced.
When asked what will become of Linux when Linus Torvalds is no longer involved, advocates are quick to respond that Linux is a product of the community and relies not on one man, but on an underlying framework of goals, practices and beliefs. So, too, it is with Microsoft. Gates’ departure may be portrayed as the loss of a beloved general or king, but his absence may very well make room for the innovative minds needed to lift the company to new heights.
Let’s not count our penguins before they are hatched, my friends! There is much work yet to do!
In January, I wrote at length about the perception that Linux is not ‘officially’ supported. Yesterday, Linux-Watch released some figures that demonstrate how much of the work toward the development of the Linux kernel has been contributed by paid professionals hired by large, profit-seeking corporations. Yes, I said paid professionals.
Two great quotes from Linux Foundation Marketing Director, Amanda McPherson, can be found in the last few paragraphs, both in relation to the unthinkable notion that profit-seeking companies would expend resources (money, time, people) improving something that they do not exclusively own and cannot sell. She notes that savings from shared R&D costs do ultimately affect the bottom line (i.e. profit increases due to a decrease in expense, not an increase in revenue). I suspect that she wouldn’t be mentioning this if the cost savings weren’t (or weren’t expected to be) material.
McPherson also notes that “it’s difficult for most people to get their minds around competitive mass collaboration.” Indeed, this is what the freedom afforded by Linux is all about. People (and companies) contribute not for humanitarian reasons, but because they expect a benefit. Work together to create the best platform, openly usable by everyone, and if it still doesn’t meet your needs perfectly, you are free to change it accordingly. Everyone wins. No compromises.
Here is an interesting post from The Angry Admin ‘blog. The basic point being made is that Microsoft has succeeded in corrupting the ISO standard-setting process, attempting thereby to shake the faith in it and the standards that arise from it. Perhaps the title of the post should have made reference to the death of ISO, not ODF. Near the end, the company’s proficiency in FUD is highlighted; but, if true, it also reveals a slight difference from Microsoft’s typical modus in that a stalemate was considered acceptable. When it’s not winning the game, the company usually either bullies the other kids until it is declared the winner or picks up its toys and goes home; in this case, it opted to raze the playground. Could this be a sign of a weaker Microsoft? Maybe, maybe not. Time will tell.
Monday, the Associated Press released a story on Wal-Mart’s decision to discontinue the line of Everex Green gPCs in their brick-and-mortar stores. It appears that the retail giant has discovered that the demand for low-cost ($199 USD) computers is much higher online than in the stores, so they decided to make the offering a web-only one, freeing up valuable floor and shelf space for other products that do sell well in the stores.
I have several news readers on my iGoogle homepage, and watched yesterday as the headline made it through each. I was intrigued by the way the story mutated as the day progressed. For example, the first headline I saw was from Yahoo! News, “Wal-Mart ends test of Linux in stores”. LinuxInsider didn’t alter the story much, but the title was different, “Wal-Mart Yanks Linux PCs From Store Shelves”. The tone of the new title is not as objective, but slightly more disparaging. It gets deeper. According to Linux Loop, though Wal-Mart hasn’t given up on Linux completely, they have failed to “really give Linux a fair chance”. Actually, a search for Everex on the Wal-Mart website shows that the gPC is making way for the gPC2 and the Cloudbook and gBook laptops, all of which offer gOS Linux.
The worst headline I crossed was from Wired, “Middle America Hates Linux, Wal-Mart Discovers”. Following the link, the article title actually read, “Middle America ‘Rejects’ Wal-Mart Linux Experiment”. The link was obviously a teaser. Regardless, the article had a sarcastic tone, quite a departure from the original story. The main theme shifted from “Wal-Mart customers are not buying gPCs in brick-and-mortar stores” to “Middle America hates Linux”. Come on now, get serious!
Here’s a reality check. Love ‘em or hate ‘em, Wal-Mart knows a thing or two about inventory and logistics. The company has a grossly adequate volume of sales data to assist in pricing decisions. With unprecedented buying power, there is little left to squeeze out of suppliers. The magnitude and capabilities of the company’s logistics network are nothing short of breathtaking. Honestly, when the company’s spokeswoman says that “this really wasn’t what our [brick-and-mortar store] customers were looking for,” I tend to believe her.
I’m certainly glad that the article pointed out the difference in demand between the online shoppers and the rest of us (hence, the qualification added to the quote above). To state it explicitly, the Everex Green gPC is not what offline Wal-Mart customers demanded; this pairing of product to market segment is key to understanding the decision that Wal-Mart made. It does not mean that nobody wants the gPC. It only means that selling the gPC in Wal-Mart stores is suboptimal in the current market. There are many varied reasons why this is true, but without more specific data, any attempt on my part to explain them would be purely speculative. Besides, it appears that ThinkGOS is already providing some explanations, media damage control which will undoubtedly get less press than the original story.
Personally, when I go to Wal-Mart, I am usually picking up groceries, lawn or car maintenance products, Christmas decorations or parts to repair the plumbing in the bathroom. I do not buy music there as I do not support censorship, and I do not typically think of Wal-Mart when making major computer system purchase decisions. It doesn’t necessarily stem from their offerings (which are big name brands) or their price (which I do find just a tad bit higher for some electronics items) – Wal-Mart just doesn’t scream “computer store” to me. I doubt I am alone in this.
Finally, I’d like to add that while the bulk of this article concerns Wal-Mart and Everex, and to an extent Linux, the AP still felt it was necessary to give Microsoft billing in the very first line (not that Redmond minds the much-needed free advertising, of course)! The AP just wants to make sure that everyone knows that this was a Linux-only phenomenon and rest assured that sales of machines loaded with Microsoft Corp’s Windows operating system were in no way impacted. Thanks y’all! A link to www.linux.com or to Wikipedia would have been sufficient.
Linux FUD Pattern #5: Linux is not secure
There are some out there who would like for you to believe that Linux is unsafe. What better way to instill fear than to form doubt in your mind about a system’s abilities to protect your data?
A reason for the supposed lack of security often cited in FUD is the origin and maintenance of Linux in the “hacker” community. The term “hacker” has evolved from a term of endearment to one associated almost exclusively with cybercrime. To say that Linux was created and is supported by hackers gives the impression that the OS and its related applications are riddled with built-in security holes, backdoors for gaining system access, spyware for purposes of identity theft, hidden network tools that help intruders cover their footprints as they travel from machine to machine through cyberspace, and any other sort of malicious software for various and sundry purposes. To “hack” no longer means to “tinker” or to “fiddle with”, but to “break into” and “cause harm”. The term may conjure mental images of a scene from a horror movie, an evil man with an axe about to hack his way through the door to the house protected by the dark of night. Such is the imagery used to spawn fear.
Let’s examine Linux security by answering two questions. Do security components exist? And, can they be trusted?
The components required to make a system secure depend on many factors, because different systems are used in different ways by different people. Moreover, a weakness in one part of a system’s security may be mitigated by strengths in other, compensating controls. There are some basic options that are commonly used to secure systems, all of which are available on Linux.
Password protected login is the hallmark form of authentication. It is easy to implement, easy to use, can be highly effective, doesn’t require additional/expensive hardware and the expectations and conventions surrounding it are already present in modern culture. Sure, there are more advanced biometric devices such as palm readers and retina scanners, but the relative cost in money and effort of implementing these safeguards for the average home user and for most business desktops is prohibitively high. There are two aspects to password security: the strength of the password itself, and the authentication scheme behind it. Password strength is the responsibility of the user, not the OS. Most Linux distros either require password protection or at least have it enabled by default. Usually, the passwords are protected on the local system by shadowing and various schemes such as Kerberos can be used to protect the transmission of login information over a network.
Related to password authentication are the file system permissions granted to users once they’ve logged in. Linux and Unix use file-based permissions, denoting how the owner, members of the file’s group (usually the owner’s primary group) and the “world” of other users on the system can interact with each file or directory. Each file and directory carries its own permissions; privileges do not cascade down a directory tree as they do with other operating systems that use Access Control Lists.
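The owner/group/world decision described above, as an added example that is not from the original post. It implements the classic Unix rule (exactly one class is consulted, and every directory on the way needs search permission) over a small constructed file tree; the sample paths, uids and gids are made up.

```python
# Added example (not from the original post): the classic Unix file-permission
# decision. The inodes below are constructed sample data.

RWX = {"r": 4, "w": 2, "x": 1}

def parse_mode(mode_str):
    """Turn an ls -l style mode such as '-rw-r-----' into a 9-bit int (0o640).
    Assumes plain rwx characters; setuid/setgid/sticky forms are not modelled."""
    bits = 0
    for ch in mode_str[-9:]:
        bits = (bits << 1) | (0 if ch == "-" else 1)
    return bits

def can_access(mode, owner_uid, owner_gid, uid, gids, want):
    """Pick exactly ONE class (owner, else group, else other) and test only its
    bits. The classes are not unioned: an owner whose own bits are '---' is
    refused even when group or world bits would allow the operation.
    Root (uid 0) is not modelled; CAP_DAC_OVERRIDE bypasses these checks."""
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    klass = (mode >> shift) & 0o7
    need = sum(RWX[c] for c in want)
    return klass & need == need

def path_accessible(inodes, path, uid, gids, want):
    """Walk a path: every directory on the way needs search ('x') permission and
    the final entry needs `want`. Nothing is inherited from the parent, which
    is the 'no cascading' property of the Unix model. `inodes` maps an
    absolute path to (mode string, owner uid, owner gid)."""
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in prefixes:
        mode, o_uid, o_gid = inodes[d]
        if not can_access(parse_mode(mode), o_uid, o_gid, uid, gids, "x"):
            return False
    mode, o_uid, o_gid = inodes[path]
    return can_access(parse_mode(mode), o_uid, o_gid, uid, gids, want)

# Constructed sample tree: /srv is searchable only by root and group 1000,
# while the file inside is readable and writable by everyone.
SAMPLE_TREE = {
    "/": ("drwxr-xr-x", 0, 0),
    "/srv": ("drwxr-x---", 0, 1000),
    "/srv/secret.txt": ("-rw-rw-rw-", 1000, 1000),
}

if __name__ == "__main__":
    # Group member reads the file; an outsider is stopped at /srv despite the
    # file's own permissive bits; the owner of '----rwxrwx' is refused outright.
    print(path_accessible(SAMPLE_TREE, "/srv/secret.txt", 2000, [1000], "r"))
    print(path_accessible(SAMPLE_TREE, "/srv/secret.txt", 3000, [3000], "r"))
    print(can_access(parse_mode("----rwxrwx"), 1000, 1000, 1000, [1000], "r"))
```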
Network security is a broad topic encompassing the combined abilities of the OS, applications, network devices, administrators and users to detect and/or prevent a breach attempted across a network connection. A basic way to accomplish this is to disallow certain types of messages from reaching the computer; this function is usually performed by a firewall server or program that monitors network traffic and filters communications based on predefined rules. Every computer that communicates over the Internet uses the TCP protocol, which allows for approximately 65,000 possible “ports”. These ports are similar to radio stations or TV channels; each application that needs to communicate does so using one port. Ports that are not used by an application but are still available for use (“open”) can be exploited. Port scans are a good way to determine if a system has any open ports that are not being used. Firewall capabilities are built into the Linux Kernel and several good front-end packages are available for configuration, monitoring and reporting purposes.
All of the safeguards discussed above constitute protection around the data. What about protection of the data? A data file can be encrypted thereby changing the contents to an encoded, unreadable format. The content is usually restored using a key or a password. E-mail can also be encrypted prior to transmission. GNU Privacy Guard (GPG) is a Pretty Good Privacy (PGP) compliant application that implements public key cryptography on multiple OS platforms, including Linux. Of course, constantly having to decrypt and encrypt every individual data file before and after use would be painful; instead, entire file systems can be encrypted by the system and several cryptographic file systems exist for Linux. It is also possible to create a loopback device, which is a file that can be mounted as an encrypted file system similar to the commercial product Cryptainer LE by Cypherix.
So, the components do exist. Now, the question remains, can these components be trusted?
FUDsters will argue that any security software for which the source code is freely available to the public is inherently not secure. This is based on the assumption that the source code will either reveal the secret functionality that makes the security software work or expose bugs in the security software itself that can be exploited as well.
First, if someone cannot open their source because they are afraid it may reveal secret functionality, then it wasn’t properly designed from the start. The worst-possible example of this is hardcoding passwords in programs, especially if they are scripts stored in clear text. Good security schemes, such as encryption, rely directly on information the user provides, and often make use of one-way functions.
Second, Open Source software is available for public scrutiny. If you cannot read and understand the code yourself, rest assured that there are many folks out there that can and do. Why? Because many businesses do actually use Open Source software and have everything to lose if they don’t test it out first. That being said, I consider many corporate “testimonials” sponsoring one OS or another based on security or other factors to be FUD, mainly because they often appear in paid advertisements and seldom reveal the details of tests performed to lead to such conclusions. Independent certification and research performed by government or other nonprofit entities are usually the most objective and reliable.
Aside from learning the code, another way to test an application’s security strength or to see if it transmits private data is to watch (or “sniff”) the port on which it communicates using a network monitoring tool. Such data may be encrypted, but the (data) size and timing of requests made by the client software should be consistent and reasonable. This is a technical task, but a bit easier than learning how the code works. Just remember, sniffing outside of your own network may be considered illegal.
Finally, there are many Linux opponents that would jump at the chance to expose real security weaknesses in Linux and its applications. These are often vendors of competing software and have both the money and channels to make themselves heard. When such a claim appears on the Web, look for specific details about the vulnerability. If there are none, it may be FUD. Also, check the software website to see if the vulnerability has been acknowledged or refuted as well as any status on its repair. Never take such claims at face value.
Here are a few tips to remember to help protect yourself.
Any security expert worth his salt will tell you that physical security is the most important aspect of system security. If physical access to a computer is available, then it is usually just a matter of time before the system will be compromised, regardless of operating system. Obviously, the probability of such breaches skyrockets for laptop users, especially when so few (based on my own observations) choose to utilize even the most primitive of safeguards, cable locks. Also, I’ve not seen any major headlines on this so far, but Live CDs, as wonderfully useful as they can be, are ginormous threats to security when physical access is available. This is because most Live CDs provide superuser access to a system and all of its devices. It is best to keep computers under lock & key whenever possible.
One of my friends from university used to work in an engineering lab on campus. He had set up a Linux box on the network, with full consent of the administrators of course. But one of the permanent staff members approached him one day, asking how he managed to cloak his machine from the nightly SATAN network scans. The answer was simple! He turned the machine off before he left each day! Turning a machine off, or at least disconnecting it from the Internet when not in use, will deprive the would-be attacker of the time needed to successfully break in using a brute force attack.
And, as always, be careful what you download. There is always a chance that someone will write spyware or malware for Linux. Stick with applications that have large communities and good reputations if you can. Search the Internet for evidence that an app may not be secure before downloading it. To quote the Gipper, “trust, but verify”.
by Kevin Guertin
IBM believes Linux is finally ready for the corporate desktop.
In an announcement this week at the Lotusphere 2008 conference in Orlando, IBM said that it will provide full support for Ubuntu Linux with Lotus Notes 8.5 and Lotus Symphony using its Open Collaboration Client software, which is based on open standards.
Antony Satyadas, chief competitive marketing officer for IBM Lotus, said the Ubuntu support for Notes and Symphony were a direct response to demand from customers. Lotus Notes 8.0.1 has limited support for Ubuntu Linux, but customers have asked for broader capabilities, he said.
Based on Slashdot comments from users, this isn’t such a great announcement. Some go as far as saying that it will be the death of Ubuntu. Canonical, on the other hand, has said that the availability of Notes and Symphony for use with Ubuntu will be a win for customers everywhere.
Although I’ve never used Lotus (and don’t plan to), apparently over 100,000 business users are interested in moving to Ubuntu Linux on the desktop. That number is a good chunk. If it helps to squash FUD, I’m all for it. Especially for Linux on the business desktop.
What do you think? Will this really be the Death of Ubuntu or will it definitely help solidify Linux/Ubuntu in the corporate world?