Tim Hardy

Marcus Ranum set up and managed the US President’s email server (whitehouse.gov) during its first year of operation. No one could doubt his security credentials. In this insightful Security Focus interview he shares his worries about the state of computer security and alleges that “80% of corporate desktops are infected with spyware, 15% of them are infected with keystroke loggers”.

The interview is depressing reading. He’s damning about the current state of computer security and fatalistic about the future.

I believe we’re making zero progress in computer security, and have been making zero progress for quite some time. Consider this: it’s 2005 and people still get viruses. How much progress are we making, really? If we can’t get a handle on relatively simple problems such as controlled execution and filesystem/kernel permissions, how much progress are we going to make on the really hard problems of security, such as dealing with transitive trust?

Before Linux users start congratulating themselves on their choice of operating system, we need to get Marcus Ranum to sit down with Linspire CEO Michael Robertson.

Linux, like Mac OS X, is championed as a secure operating system in comparison to Windows XP that, unpatched, will become infected within 20 minutes of connecting to the internet. Michael Robertson is threatening that reputation. He believes that running as root for daily tasks is not dangerous. Desktop users of his company’s distribution will be doing exactly that by default.

Creating a distro targetted at the less technologically literate that allows them to run as root as standard is a disaster waiting to happen.

Robertson defends himself by pointing out that they do have the option of creating non-root users but anyone who would consider that option is unlikely to be installing Linspire in the first place. It will make for disastrous PR for Linux as a desktop operating system when one of his target audience installs some malware in the near future thinking it’s a sexy videoclip of the latest tabloid pin-up and then wonders how their credit card details got stolen. Does anyone think that people will understand that Linspire isn’t Linux? All distributions will be tarred with the same brush in the popular imagination.

It’s as if Robertson has heard the words “running as root” enough times to think he knows what it means only to reveal a fatal ignorance with his decision. I want to say Marcus Ranum is to Planck what Michael Robertson is to Planck’s chauffer but it is not true. Robertson is a very intelligent man but for some reason he is flying in the face of conventional security advice.

Unix/Linux got to grips with controlled execution and filesystem/kernel permissions a long while ago. Dragging Linux back to the insecure by default model of Windows to make it easier to use seems foolishly short-sighted.

Still it might be nice to have some native viruses for Linux at last. So far, they’ve proved difficult to run under Wine.

This entry was posted on Wednesday, June 22nd, 2005 at 11:37 pm and is filed under Internet, Linux, General IT. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.