When clueless podcasts attack

When a member of Hampshire LUG pointed me to a "security podcast", I thought I'd have a listen. Ben Chai chats to Peter Woods "about a Microsoft Vista vulnerability" but in fact spends pretty much the whole podcast trying to goad Peter into slating the security update process of Linux distributions. He does this quite, quite badly.

The podcast is in bold italics. My comments below.

"With the long hair and the pony tail I thought you'd be a Linux fan"

Yay stereotypes!

"We're on a security conference so I guess we should mention security. Security, security security. That's done that bit"

Useful (for a security podcast).

"There must be just as many vulnerabilities in Linux that you've come across?"

Compared with what?

Linux is just a kernel. There are of course thousands of applications that run on top of it which may have security vulnerabilities, in the same way that there are thousands of applications that run on Windows, Mac OS X, BSD or any other OS that have security vulnerabilities.

"There's a different shape of vulnerabilities on Linux isn't there, because you've got a whole combination of different people's products bolted together"

So on Windows or OS X you're saying people _don't_ have separate products from other vendors? This is clearly wildly inaccurate. People run all kinds of third-party products on Windows such as Oracle, WebSphere, SAP and Java, to name just a few, from 4 completely different vendors.

"and therefore you might have an ssh vulnerability or you might have an apache vulnerability or whatever."

In the same way as you might have a WebSphere vulnerability, a SAP one, or an Oracle or Java one. What's the difference here?

The difference is that most Linux users get their main applications (like ssh and apache that you mention) from their distribution vendor. Whether that's Red Hat, Ubuntu or SUSE, all the vendors provide a security update mechanism. All of them allow for the operating system and the applications on top of it to be updated at once.

"So surely under a Linux environment because the vulnerabilities are coming from so many different bits of software it's harder to patch"

HAHAHAHAHAHAHAHAHA. No.

I click the little update icon on my desktop and everything gets updated. Not just the core (kernel) Linux. Everything. If my Linux vendor issues a security update for any product that I am running, I'll get it. I don't need to go to the vendor websites for each product I run (as you do on Windows), I just click the button.

Similarly on a server environment I run one little command and it updates the system for me. It's a well documented command, and running it is trivial. It can even be scheduled to check for updates and email me when there are some, so I don't need to go and check all the time. This is all standard functionality in many Linux distributions that's been around for a very long time.

"It's probably more work to patch"

BZZZZT! Wrong answer. You click the little update icon or run whatever the command is to update your system. It's trivially easy, really, honestly.

"you have to be more involved in it, and typically Unix and Linux people are more involved with their system"

If by "more involved" you mean "have a clue" then yes, you're probably right.
If you mean "has a hard line interface directly from their brain to the motherboard" then, no, sadly not.

Of course if I did choose to download the source code for every package I ran and manually compiled, installed and configured each one, and then subscribed to all the security update mailing lists and downloaded the patched source, compiled and updated, then it would indeed be painful. But people just plain don't do that. (OK, some people with lots of time may, but the vast majority of Linux distro users don't.)

"Most Unix, Linux command line operating system people tend to be more technical,"

This is indeed often the case. But why focus on the command line? Linux distributions have had a GUI for quite some years now.

"more involved in the installation process and the patching process"

Historically the installation process of Linux distributions has been difficult. We have had to contend with unsupported hardware and quirky installers. Combined with the fact that the vast majority of computer users never even see an install process because their OS is installed for them (with no choice) at the factory, people notice the Linux installer, because they have to use it.

But for a good few years now the install process has been pretty smooth. We have graphical installers, autodetection, better out of the box hardware support than any other OS and time spent on making the install process as smooth as possible.

The same goes for patching. As I outlined above, patching a Linux distro is a trivial task.

"Surely that prevents it from being a totally commercial for small business, because then they'd have to think about patching this bit of the operating system then that application and most small business owners don't even understand how to use the mouse"

"At least with Microsoft " ... "at least they've got the Microsoft update that updates their system"

Gah. I give up.

You too can enjoy this pointless wibble by clicking here.

I did try to leave a comment on their site but it had a broken comment system.

I'm sure you've heard the aphorism:

DO NOT FEED THE TROLLS.

Especially don't link to them. If you do, they've won. All they want is attention.

Heh fair comment.

I have, and you're certainly right to a degree.

I did consider making the URLs not links but then figured I'd make it easy on the people who visit my site (and the planets it's syndicated on), and maybe if they have a tiny clue they'll see the referrers in their logs and maybe respond.

Maybe they'll ask to interview me ;)

We can but hope.

Such ignorance is just plain sad.

ease of admin

Yes, Unix sysadmins tend to know more about what is going on under the GUI interface. Yes, they also tend to have higher salaries. Yes, they also tend to look after more machines (the last time I actually _saw_ numbers was some time ago TBH, but it was about 4-10x the number of boxes per admin). OTOH when things go wrong, understanding what is going on is far better than the reboot/reinstall attitude that many people have (more prevalent in Windows land).

Security can be an awkward beast - 9/10 doesn't cut it. A bit like most computer things in fact!

This attitude is too commonplace, unfortunately. The main thing I'd say is the problem is that these Windows fans concentrate their attention on the old archaic ways of Linux.

That is totally true!

Try to comment on this...

Lol, I tried to leave a comment on their blog. They don't let me. I've got to answer the question "Spam protection: Sum of + ?" Hmmm, can they see that I'm using Linux? :D

Yeah

I got the same. Just installed Firefox under WINE, and it does the same. Maybe it's just broken :)

Yup, just plain broken...

I get "Spam protection: Sum of + ?" as well, and that's tested under a fully patched Windows XP Pro SP2 with Internet Explorer 7.

There is one comment though, but don't ask me how. That has a link to this entry syndicated on linuxindex.com and a brief quote!

Hmm

Linuxindex looks to be yet another site with an install of some RSS aggregator and a bunch of Google ads to make revenue out of other people's content. Quelle surprise. I used the trackback URL on my blog post, which is why it shows up on theirs. But I suspect they have to authorise each trackback, so they clearly let that one through and not ones direct from my site. Hey ho.
