Re: Qns on linux security frm windows users :::Help !!!




Arvin wrote:
hi,

I've been using Linux for a long time and have been trying to *popularize*
it. But can anyone help me with some questions which Windows users asked me...???


Honestly, these questions make you sound like a troll, but I'll bite
anyhow, and give you my own take on these questions.

1. Since the source is open, can't people introduce trojans and spyware in
the main source code itself, taking away our personal info ? (I'm not saying
Windows doesn't have such codes)


Okay, some programmer somewhere writes a nifty little program. Doesn't
really matter what it does, let's just call it Foo Deluxe. He writes
it as an Open Source project under the GPL. Anybody can see the source
code for it. He's still the only one who can publish source code in
his repositories, but anybody can look at it. One day, the programmer
decides to turn to the dark side and make his program steal personal
information. The next day, a bunch of people see the new changes to
the source code, and warn everybody not to use the program anymore.
Somebody forks the project from the last non-evil version and everybody
continues using the safe version, which gets packaged in all the
distributions. Maybe somebody also writes a completely brand new
replacement which is fully compatible, because they can see implicit
documentation for all the file formats used.

Just because the source code is available doesn't mean that they let
just anybody have write permissions to the official source code
repositories. If you are getting your versions of Open Source software
from some disreputable third party, then they could mess with the
software as easily as a disreputable distributor of closed source
software.

The alternate case is that some programmer makes Bar Deluxe as a closed
source program, distributing only binaries. (The way most Windows
applications are developed.) It becomes popular, just like Foo Deluxe,
and this programmer also decides to turn evil. He makes it steal all
sorts of personal information. People continue using it, because
nobody can see all the source. Six months later, somebody discovers
the security problem. Because there is no way to fork the closed
source program, people continue using the evil version of Bar Deluxe until
somebody writes a completely new replacement from scratch. The
replacement is only partly successful because Bar Deluxe used some
proprietary file format that hasn't yet been reverse engineered and
users don't want to lose their old data. A year after the discovery of
the privacy problems, half of the users are still stuck using the evil
Bar Deluxe.

2. Is there any other feature which protects itself from viruses other than
the denial of the execution permission ? (not talking about 3rd party
antiviruses)


Just good design. Viruses are almost never an issue on modern *nix
platforms. If a bug is found that would allow some potential security
vulnerability, it can get fixed very very quickly. Because users
generally never run with full administrative privileges, any bad
software a user might run on a *nix machine generally can't do any
serious damage to the machine. Yes, it could delete some of the user's
files, but there is no way to prevent the user from running an
untrusted program that deletes their own files.

3. Since the *making* of the Linux apps involves the open source community
as a whole, how can they follow a good well defined process to generate a
*good* code ? which can lead to security holes and other problems ?

Thanks in advance....

Ummm? This doesn't make any sense at all. How can a factory which has
wide open windows follow good safety practices while making widgets?
Wouldn't a factory with no windows so that nobody can look in and see
how things are done be safer? That's obviously wrong. A factory is
much more likely to follow good safety practices if anybody walking by
can see what they are doing.

Likewise, a closed source software project is likely to have sloppy
standards and practices, because nobody will ever know. Open source
software *needs* really well defined standards for how to do things
because if they didn't, nothing would ever get accomplished.

Look at it this way... From time to time, a software company will
announce that they are going to open source an existing software
project. The first announcement is very seldom "here is the code."
The first announcement is usually "we will be cleaning up the code for
the next six months, and then we will let you all look at it." That's
because Open Source has such high standards that most companies would
be embarrassed if anybody actually saw their proprietary code.
Seriously. I've been on both sides of closed / open source
development. In a closed source situation, it doesn't matter how ugly
something is because the customer will never know why it works so
poorly. You can just blame some incompatible hardware or something if
it doesn't work right on their system.

And, even if we assume that all open source code starts out really bad.
(Which is a stupid thing to assume, but we can do it for the sake of
argument.) Well, then anybody can see the code. So, anybody can
submit a patch to clean it up. The maintainers would have to *actively
want* the code to be bad if they turn down all the patches to clean it
up. And, even if that did happen (which it almost certainly wouldn't),
the people who want to submit patches to clean up the quality of the
code can just make their own little fork of the project, and everybody
will start to use the cleaned up fork instead of the original. So,
even if we assume all sorts of bad but really unlikely things, the open
source process will still result in the code being cleaned up.
