O’Reilly’s OnLamp site has two articles, Part I and Part II, titled “Real Desktop Linux”. Elsewhere, Bruce Perens posted a white paper of his UserLinux initiative titled “UserLinux: Repairing the Economic Paradigm of Enterprise Linux”.
Userlinux would be great coming out in Retail Boxes. Although I am blessed with broadband, other potential important contributors are not. QA should be key, as well as a stable package site which provides a seamless system of updates and package installation of STABLE software through a web based gui (similar to Lindows). This is a community movement, and should include users from all over the world. I see this catching on eventually, but not without word of mouth, and certainly not without Retail packaging. While this may sound like it’s going against the philosophical grain, a certain type of marketing is going to be needed to get the ball rolling.
“This is a community movement, and should include users from all over the world.”
UserLinux itself is not really going to be a community movement. At least, it’s not going to be a community of individuals, but rather a community of corporations (not too clear on how this will work in practise, but I guess more details will be forthcoming later):
—
At the core of UserLinux is a not-for-profit entity in charge of the Linux distribution, with engineering-by-meritocracy as in the Linux kernel. Surrounding that non-profit are for-profit companies that are in the business of providing service and engineering for the UserLinux distribution.
—
However, UserLinux is going to be based on Debian, which definitely does fit your criteria – it’s community-run, and the developers are from all over the world, as you can see for yourself on this neat map of DD locations (http://www.debian.org/devel/developers.loc). The plan is to have any and all improvements UserLinux comes up with integrated back into the mainline distribution, so Debian can only gain from this.
Userlinux will also need to have options. Having a stable branch is great, but you will need to have other branches as well. Not every customer will feel the same, and if there is newer software that will only come out when the next version comes out, then why wouldn’t people just stick with MS?
Also, Userlinux needs to come with extra programs to make it more appealing to businesses. Programs like ghost would be a great boost. Something like kickstart, on steroids.
Yet another high-profile Linux compromise: http://slashdot.org/article.pl?sid=03/12/03/1921235
Before Linux could ever have the widespread desktop usage Windows has, these security holes first need to all be ironed out to a reasonable degree.
Tinkerers probably have the patience and the curiosity to learn and master Linux. They are, however, likely to be frustrated with the application offerings: not enough games, not enough device support for things like digital cameras and DVD burners, media center programs that just aren’t polished enough.
In the words of Raiden, “At last … one of them has understood …”
Lol – nice troll.
This argument would only wash if Windows itself were a secure operating system. It’s now nearly two years since Bill Gates announced the Trustworthy Computing initiative, and yet the security vulnerabilities still keep burgeoning forth.
According to this, http://netsecurity.about.com/b/a/026056.htm , Linux is the most breached. With GNU, GNOME, Gentoo, and more all having break-ins, looks like security vulnerabilities “still keep burgeoning forth” in the OSS community as well.
I understand that there is a Linux bias around here, but you need to face facts and realize that Linux and its software (sendmail comes to mind…heck, just last week, XFree86 had a buffer overflow remote vulnerability) is far from secure.
See http://www.linuxsecurity.com and witness the WEEKLY lists of vulnerabilities and buffer overflows that are announced for all the Linux distros. You just don’t see this copious amount of flaws for Windows Server 2003–which was begun after the Trustworthy Computing initiative you mentioned.
As for Microsoft:
http://www.winnetmag.com/windowspaulthurrott/Article/ArticleID/41035/windowspaulthurrott_41035.html
“During an oddly-underpublicized security Webcast Monday, Microsoft revealed that hackers subject the company to 2500 to 3000 electronic attacks every day, or over 100,000 a month. Yet despite this massive number of attacks, the last successful intrusion occurred over three years ago, during the infamous October 2000 security breach. But the software giant says the biggest security risk to the company isn’t external electronic attack of its Web properties, but rather its huge fleet of mobile workers and partners–some 60,000 strong–that access the company’s 175 remote access points on a regular basis.
“We’ve taken a deep look inside Microsoft to see how we can improve security at every level,” said Mike Nash, the vice president of the Security Business Unit at Microsoft, during the Webcast. “A lot of the technology we use Microsoft applies directly to [customers’] work.”
Microsoft revealed some other interesting statistics during the Webcast. The company uses Computer Associates’ eTrust security management suite to secure its networks. It uses two-factor authentication (user name/password and smart card) to better secure its intellectual property.”
“looks like security vulnerabilities “still keep burgeoning forth” in the OSS community as well.”
<shrug>
Different studies interpret different facts to reach different conclusions. For instance, including Sendmail (which has long been superseded by secure alternatives like Postfix) in such a study is bound to skew the results somewhat.
I personally prefer the Open Source approach compared to Microsoft’s re-active attitude, only releasing patches to fix known exploits – many (most?) security advisories for Open Source software are for *pre-emptive* fixes.
Sure, both operating systems have security problems – which is more secure is arguable, although I personally think Linux is far more so. Regardless: your use of the term “as well” signifies that you agree that Windows is not a secure operating system. For the purposes of the argument you made in your last post, it therefore follows that security is obviously not a prerequisite for attaining desktop dominance. This would of course be blindingly obvious to anyone who had used Windows 98, where pressing “Cancel” at the login screen would enable access to the system.
“We’ve taken a deep look inside Microsoft to see how we can improve security at every level,” said Mike Nash, the vice president of the Security Business Unit at Microsoft, during the Webcast.”
Lmao! Oh, yes… If he says so, it *must* be true… Just like the Trustworthy Computing initiative announced ~2 years ago! 😀
Hi folks,
I have a webmail account with Yahoo! It is brought to its knees every couple of days with emails from various people. All of them appear to be the result of the Slammer worm (or whatever is the latest worm or virus around).
So far, Windows vulnerabilities have cost me time and effort which equates to money. Also, none (I repeat, absolutely NONE) of these things are because of Linux, BSD, OS X, BeOS, QNX or any other operating system.
Maybe you should face facts. MS “security problems” are affecting me, and it’s not my fault. Any other OS’s problems have not touched me in the slightest.
So what am I to do? Believe nonsense like your post that seems to insist that MS is suddenly God’s gift to security, or believe the evidence in front of me?
Face facts: MS’s stuff causes me problems. OS X/BSD/Linux/BeOS stuff does not. So who really is the best of security? Hard reality here.
“So what am I to do? Believe nonsense like your post that seems to insist that MS is suddenly God’s gift to security, or believe the evidence in front of me?”
I don’t get the victimhood mentality of Linux zealots.
I never said “MS” was God’s gift to security. I just pointed out the FACT that OSS is as flawed, if not more so, than any other operating system out there.
Somehow, OSNews has become a haven for anti-“M$” trolls. It’s hilarious watching them squirm every week another new high-profile breach is reported. Meanwhile, Microsoft is hit 2500-3000 times a day with no breaches.
“Meanwhile, Microsoft is hit 2500-3000 times a day with no breaches.”
No, you won’t hear of the ones that succeed.
According to this, http://netsecurity.about.com/b/a/026056.htm , Linux is the most breached.
Linux is the most hacked because it takes real skill to get into a Linux box. For Windows, all you need is a trojan hidden in those cute animated programs people send by e-mail.
The security problems due to viruses and trojans in the Windows world dwarf those due to hacking Linux boxes by an order of magnitude. On the other hand, Windows boxes also get hacked, while Linux boxes are practically immune to viruses.
So, you don’t need ha4or skills to compromise a Windows box, a script kiddie can do it with a number of tools already available on the market. But hacking a Linux box takes knowledge!
Meanwhile, are you going to come here and post a comment every time a vulnerability has been found for Linux? Perhaps you could explain to us how a website could possibly get root access to a computer just by displaying a Web page? Oh, I forgot – that only happens on Windows. Yeah, root exploit over the web…highly secure…
“Slammer” and “Blaster”!
How long does it take, if you connect an unpatched and non-firewalled Windows machine to the Internet, before it gets compromised? About fifteen minutes.
How long will it take for a Linux machine? Well, if you’re not a prime hacking target (i.e. no sensitive data, etc.), then you’ll probably be safe for quite a while.
What you’ve failed to mention is that, in the two recent attacks on Debian and Gentoo servers, the intrusion was detected and the source code didn’t get compromised. In other words, the security system works.
Finally, if you believe Microsoft’s own PR estimate about them not having been breached in three years, then you are terminally naive. Why would MS tell the truth about this? How can you verify if they really are?
Keep trollin’, dude!
…yet another good argument for members-only posting…oh well.
Mods, please delete this post after modding down the ones from the troll…
The Free Software Foundation has announced that they were hacked last month as well.
http://savannah.gnu.org/statement.html
So, let’s see, that makes it…
GNU
GNOME
Debian
Gentoo
FSF
Who’s next for Linux server breaches, I wonder? Meanwhile, Microsoft is hit 2500-3000 times a day. Their last breach was October of 2000. Time to give credit where credit is due.
Meanwhile, Microsoft is hit 2500-3000 times a day. Their last breach was October of 2000.
Again, how do you know for sure? Seriously, it seems all you’re trying to do here is to start a flame-war. Might I add that you’re off-topic as well: this article isn’t about Linux security.
Df, In the case of both Gentoo and Debian, the breach was detected and the data was safe. This is exactly what is supposed to happen when somebody breaks in. This is not a security flaw.
A friend of mine went down to Def Con this year and was telling me about one of the activities they had there called “Capture the Flag”. In this activity each team is given an OpenBSD setup and an objective to crack the other teams machines. The team with the most successful cracks is the winner. The reason that OpenBSD is used instead of Windows is that it is the most challenging OS to crack. OpenBSD is an OSS project (in case you aren’t aware).
Regardless of what your preferred OS is, security is not a popularity contest, and no amount of cheerleading on your part can make Windows a secure platform.
LOL, you’re funny
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=windows+compr…
Results 1 – 10 of about 589,000. Search took 0.17 seconds.
A few snippets:
http://www.winnetmag.com/Article/ArticleID/40646/40646.html
A vulnerability in PGPDisk for Windows can result in data compromise
http://www.winnetmag.com/Article/ArticleID/39616/39616.html
Unchecked Buffer in Windows Shell Could Enable System Compromise
http://www.tntluoma.com/opera/beyond30/2003/10/internet_explorer_ca…
Internet Explorer can compromise your system even if you do not use it
UserLinux sounds like a commercial product. It doesn’t make much sense that they would take away profit from corporations that are basing a product line around the Linux platform. On the other hand, as a commercial business, UserLinux is another distribution, and that’s okay I guess.
To the guy mentioning the “MS has no break-ins since 2000.” You do realize that MS’s whole web infrastructure is shielded behind a bunch of Linux servers at Akamai?
Ouch! That’s gotta hurt…
“Again, how do you know for sure?”
Because Microsoft described their security scheme in a webcast on Monday.
http://www.winnetmag.com/windowspaulthurrott/Article/ArticleID/4103…
“During an oddly-underpublicized security Webcast Monday, Microsoft revealed that hackers subject the company to 2500 to 3000 electronic attacks every day, or over 100,000 a month.”
Which leads me into the next hilarious reply:
“You do realize that MS’s whole web infrastructure is shielded behind a bunch of Linux servers at Akamai?”
Nope. This is an example of what Linux fanboys do. They spread a false meme until it becomes unverified “fact.”
Microsoft’s whole web infrastructure is not shielded by a bunch of Linux servers. When the RPC worm first hit (which was patched two months earlier, to you Debian-heads who keep saying “But the kernel exploit was patched in September!”), it was designed to DDOS WindowsUpdate. Microsoft had Akamai mirror them because they’re fast and cheap. When the trojan dwindled away without so much as a peep, they switched back to normal.
It’s hilarious watching you Linux guys spin things and squirm every time a new high-profile security breach is announced. Be sure to bash “M$” in some way in order to try to shift the discussion off of Linux security flaws. Because you take every Linux criticism personally.
Hey, steve_balmer, you do a Google search and come up with some Windows Critical Updates? Try this on for size, from http://www.linuxsecurity.com, JUST THIS WEEK alone:
12/3/2003 9:32 – Suse: GnuPG multiple vulnerabilities
Two independent errors have been found in gpg (GnuPG) packages as shipped with SUSE products: A) A format string error in the client code that does key retrieval from a (public) key server B) A cryptographic error in gpg that results in a compromise of a cryptographic keypair if ElGamal signing keys have been used for generating the key.
12/3/2003 9:28 – Fedora: Kernel crash vulnerability
The kernel shipped with Fedora Core 1 was vulnerable to a bug in the error return on a concurrent fork() with threaded exit() which could be exploited by a user level program to crash the kernel.
12/3/2003 9:25 – Slackware: Kernel buffer overflow leading to root
New kernels are available for Slackware 9.1 and -current. These have been upgraded to Linux kernel version 2.4.23, which fixes a bug in the kernel’s do_brk() function that could be exploited to gain root privileges.
12/3/2003 9:18 – Turbolinux: Kernel buffer overflow leading to root
The kernel package contains the Linux kernel (vmlinuz), the core of your Linux operating system. A flaw in bounds checking in the do_brk() function in the Linux. The local users may be able to gain root privileges.
12/2/2003 12:49 – RedHat: Net-SNMP Unauthorized access vulnerability
Updated Net-SNMP packages are available to correct a security vulnerability and other bugs.
12/1/2003 20:59 – Caldera: Bind cache poisoning vulnerability
BIND is an implementation of the Domain Name System (DNS) protocols. Successful exploitation of this vulnerability may result in a temporary denial of service.
12/1/2003 19:33 – Mandrake: Kernel buffer overflow leading to root
A vulnerability was discovered in the Linux kernel versions 2.4.22 and previous. A flaw in bounds checking in the do_brk() function can allow a local attacker to gain root privileges. This vulnerability is known to be exploitable; an exploit is in the wild at this time.
12/1/2003 19:29 – Debian: Kernel vulnerability in brk()
Recently multiple servers of the Debian project were compromised using a Debian developers account and an unknown root exploit. Forensics revealed a burneye encrypted exploit. Robert van der Meulen managed to decrypt the binary which revealed a kernel exploit. Using this bug it is possible for a userland program to trick the kernel into giving access to the full kernel address space.
12/1/2003 19:22 – Trustix: Kernel buffer overflow leading to root
This update fixes an issue related to bounds checking in the do_brk() function in the Linux kernel versions 2.4.22 and previous. This issue is known to be exploitable gaining root privileges.
12/1/2003 12:48 – RedHat: kernel Privilege escalation vulnerability
Updated kernel packages are now available that fix a security vulnerability leading to a possible privilege escalation.
11/29/2003 3:45 – SUSE: BIND Negative cache vulnerability and many others
The BIND8 code is vulnerable to a remote denial-of-service attack by poisoning the cache with authoritative negative responses that should not be accepted otherwise. To execute this attack a name-server needs to be under malicious control and the victim’s bind8 has to query this name-server.
11/29/2003 3:41 – Mandrake: GnuPG Serious key vulnerability
Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.
11/29/2003 3:37 – FreeBSD: Bind Negative-cache DOS vulnerability
An attacker may arrange for malicious DNS messages to be delivered to a target name server, and cause that name server to cache a negative response for some target domain name. The name server would thereafter respond negatively to legitimate queries for that domain name, resulting in a denial-of-service for applications that require DNS.
11/28/2003 12:30 – Trustix: bind Cache poisoning vulnerability
A vulnerability has been found in BIND that “.. allows an attacker to conduct cache poisoning attacks on vulnerable name servers by convincing the servers to retain invalid negative responses.”
11/28/2003 9:49 – Turbolinux: Multiple package updates
fileutils, fetchmail, postgresql, cups, and ethereal have been updated to address security vulnerabilities.
The Akamai servers are not mirrors. They are there to protect the main MS servers from DDOS attacks. That’s why microsoft.com runs on Linux according to netcraft.
My, you’re quite the security expert, aren’t you? Didn’t you notice that five of these security advisories were for the kernel overflow bug? That two of them were for the same GnuPG bug? That one bug was for FreeBSD, and not Linux at all?
Not to mention that bugs like the GnuPG one are not OS security issues, but application issues? By your standard, we’d have to count every security issue for every Windows application as a Windows security flaw. How about a little honesty, here?
And, about the Akamai caching system (which Microsoft dropped recently, it seems), you can’t deny that, when faced with one of the most spectacular security failures of the year, MS had to turn to Linux to save face!
Because Microsoft described their security scheme in a webcast on Monday.
Yes, and you take everything MS says at face value, of course! I mean, they would never lie or fabricate evidence or prop up fake grassroots movement to protect their business, now, would they?
Give me a break…
Personally I think well of Rayiner Hashem and he is a knowledgeable individual who will no doubt lead projects in the future. It’s tough to see him get bashed, but your point is well taken df. Yes, Linux apparently has security flaws just like MS Windows.
One of the primary reasons however that I like Linux is because my system is incredibly stable and I have MS XP on a notebook and I have troubles with it, primarily the web browser. Internet Explorer crashes way too often and I hate it! On the other hand, my Linux browsers are far more stable, it’s a better experience in general. I’m not sure whether or not I want Linux to be easier to use or else maybe I want to just be smarter in general, but I think that it is a terrible mistake to place all of the control into the hands of a vendor, especially one that has produced poor quality products in the past and in addition the context of computers, the state of this technology is extremely precarious, because it is so easy to take advantage of people.
I have to stand behind Linux. I like Sun because of their leadership (Schwartz), and I guess that this time, if I had to use Linux in the enterprise I would not consider Linux as Linux, but Linux as a product under Sun or RedHat, or SUSE. We have yet to see what SUSE will roll out. I am firmly behind Linux and the user experience is very good especially in terms of security. So let the buffers overflow and let the kernel be vulnerable, the fact is that I don’t get viruses and I don’t have my web browser crash, and for me that’s what is most apparent.
So Microsoft gets pounded 2500 – 3000 times a day, well how many other computers running Win98 – XP get pounded every day? When I use my Windows XP machine, I get 30 – 40 emails a day with virus attachments and several hundred probes seeing if I am an unsecured Windows machine. Multiply my experience with 90 percent of the computer users in the world. Now compare that to the security breaches in OSS software. The funny thing is that Microsoft’s site is probably getting pounded by zombied Windows machines.
Microsoft has created a whole money making market in the protection of PCs running Windows software.
To protect my Linux box, I need a firewall and make sure my software is up to date.
To protect my windows machine, I need a firewall, antivirus software, make sure my Windows software is up to date, and make sure nobody opens attachments. Security updates on third party software are sketchy.
“My, you’re quite the security expert, aren’t you? Didn’t you notice that five of these security advisories were for the kernel overflow bug? That two of them were for the same GnuPG bug? That one bug was for FreeBSD, and not Linux at all?”
Heck, that’s just for this week. Click the archive at LinuxSecurity.com and check out last week’s, or a whole month’s. Try checking out single distributions. Distros routinely have 7-10 vulnerabilities announced a month. Compared to what, the 1 or 2 for Windows?
“Not to mention that bugs like the GnuPG one are not OS security issues, but application issues?”
They’re distribution issues. If it’s not a problem with Linux, it’s still a problem with that OSS application. You can try to dismiss all criticism by arbitrarily limiting Linux references to the kernel only, but it just makes you look dishonest.
“And, about the Akamai caching system (which Microsoft dropped recently, it seems)”
They dropped it right after the trojan passed and died.
“you can’t deny that, when faced with one of the most spectacular security failures of the year, MS had to turn to Linux to save face!”
It wasn’t very spectacular considering it was patched two months earlier, and the government warned twice. MS didn’t “turn to Linux.” They turned to Akamai, the best-known caching company. It wouldn’t have mattered if Akamai used FreeBSD, Linux, or Windows Server 2003. Microsoft wanted a company with vast amounts of caching networks.
Be sure to spin everything against Microsoft, of course, because you refuse to admit that:
GNU
GNOME
Debian
Gentoo
FSF
Have all been hacked this year. Any more to add to the list for 2003? OSS is taking a beating with negative press, and now all these hacks.
Face it, Linux is not invincible. Far from it. Microsoft hasn’t been hacked since October of 2000. Heck, the Linux kernel itself had a buffer overflow exploit. What was all that about security through “many eyes?”
Distros routinely have 7-10 vulnerabilities announced a month. Compared to what, the 1 or 2 for Windows?
Those vulnerabilities cover an entire distro. That includes web servers, mail servers, applications, office suites, and a multitude of other software items. In contrast, the Windows vulnerabilities concern the OS. So, in fact, when you consider all the software covered by the security announcements in Linux (believe me, I follow security advisories closely), there are proportionately a lot fewer for Linux. As I’ve said before, to do an honest comparison (which obviously isn’t what you’re interested in), you’d have to compare against security advisories for an equivalent number of Windows apps.
This isn’t the first time I’ve said this, so I figure that you can’t counter this. Instead you repeat the official party line like a good MS soldier…Never mind the devastating effects of Slammer and Blaster. Never mind the reports by the U.S. Army about MS’s dismal security record. Never mind that, when only considering OS security advisories (and not whole distros, like you so dishonestly do), there are more security issues with Windows than Linux. Never mind that a web site can gain root access to your machine with IE, or an e-mail with OE. Never mind that Windows has about two thousand times more viruses than Linux, despite having 40 times the market share (so it is proportionately 50 times more vulnerable to viruses – and unlike in Linux, they can take over your system and hand it over to script kiddies on a platter).
Yeah, keep trolling the board with your off-topic posts. I’ll keep my secure OS, thank you very much.
This isn’t the first time I’ve said this, so I figure that you can’t counter this. Instead you repeat the official party line like a good MS soldier…Never mind the devastating effects of Slammer and Blaster.
Ahhh, so let me get this straight. Windows has like 90% of the market… OSX got another 5%… random OSes got about 2% more and Linux got that last third of the market.
So if I get this straight… Blaster can hit 90% of the market… assume Linux with its current rap sheet would get that very marketshare… that would mean first of all, more people spending time writing viruses for it. So what would that mean? 1 blaster/day???
Can’t you see that differentiation is the only safe way to go, not zealotry.
First, Market share is probably more like 91% Windows, 3% Mac, 3% Linux, 3% various. But it’s impossible to know for sure. Only one thing is certain: there are more Linux installs than officially reported (because it’s freely redistributable – for example, I bought a boxed set for Mandrake 9.2 but I installed it on three computers).
Now, even if virus writers spent more time writing viruses for Linux, that wouldn’t mean that they would have the same overall impact, as the two OSes are built differently. Unless you ran the virus as root, it wouldn’t be able to destroy or take over your system.
Finally, you seem to be under the impression that I want Linux to have Windows’ market share. Nothing could be further from the truth. As I’ve indicated many times in these comments sections, I’m for OS diversity. I’d be happy with a 25% share for Linux and another 25% share for Windows, etc. Stop assuming that every Linux advocate is a zealot – I know it’s the new tactic for anti-Linux advocates, otherwise known as “demonizing the enemy” (a classic propaganda trick), but it’s already getting old.
Right now, defending OS diversity (and therefore increasing computer security as a whole) means challenging MS’s quasi-monopoly. In some cases, it’s even a matter of national security:
http://newsvac.newsforge.com/article.pl?sid=03/11/30/0028221&mode=n…