[linux-elitists] Can this person be helped?

Karsten M. Self kmself@ix.netcom.com
Wed Feb 15 01:20:27 PST 2006


on Wed, Feb 08, 2006 at 02:38:29PM -0500, Tom Clark (tclark@requisitesystems.com) wrote:
> On a LUG mailing list to which I subscribe, I enjoy the regular postings
> of another subscriber who works primarily with Windows.  She seems to
> make a point of posting a message whenever she encounters a non-Windows
> system that has a security issue.  While I'm sure she means well, the
> messages seem to have a "You Linux geeks think you're all that, but
> you're not!" tone.  She never seems to post about problems with Windows
> systems, but then again, how could she find the time?

It's a fair point that GNU/Linux has its security vulnerabilities.  Some
of these affect the kernel directly, but the vast majority are systems
software and/or configurations settings, many of which are not specific
to any one distro or even GNU/Linux itself.
 
> This is really just a minor annoyance, but I am struck by the failure of
> this person to get Linux.  Her point of view has been so strongly shaped
> by Windows use that she just can't seem to understand anything else.  Is
> there a way to reach people like this, or must we just write them off as
> computing's lost generation?  Is there a twelve step program?

One approach I've found is somewhat useful is to answer the specific
vulnerability claim.  I've found that this often helps both you and the
'Dozer in question get a clearer picture of GNU/Linux's actual
vulnerability status.

I've found that such responses often fall into the categories of:

  - That affects another distro, not mine.
  - That affects another kernel, not mine.
  - That affects another HW architecture, not mine.
  - That affects software I don't have installed.
  - That affects a package I've already updated.
  - (OpenBSD users only) Yeah, that was preemptively avoided due to a
    coding audit three years ago.

... and occasionally:

  - Thanks, I've just updated that package, I should be OK now.


Note the other usuals:

  - GNU/Linux distributions are generally considered as including far
    more software than many other operating systems.  Over 6,000
    packages in distributions such as Red Hat or SuSE, in excess of
    17,000 for Debian.  This compares to a few thousand files *total* in
    a virgin legacy MS Windows 2000 or XP installation.   This is
    despite the fact that most installations are only a small subset of
    the available packages, and in fact many packages (e.g.:  multiple
    SMTP or HTTPD servers) conflict and can't normally be installed
    simultaneously.

  - Disclosure of vulnerabilities tends toward the early, often, and
    slight variety in Free Software, a policy often referred to as "full
    disclosure".  Potential and/or theoretical vulnerabilities are
    disclosed (regardless of buffer overflows), and vulnerabilities are
    generally disaggregated:  mentioned on a per-package, per-distro,
    per-hardware platform, per-version basis, such that a single source
    vulnerability will be reported multiple times.  This is very much
    the case, e.g.:  with the recent reports of CERT "Unix/Linux" vs. MS
    Windows vulnerabilities.  GNU/Linux vulnerabilities also (by virtue
    of the inclusiveness of distros as noted above) tend to cover a very
    large array of software.  
    
  - By contrast, Windows vulnerability disclosures tend:
    
    - To be rolled up into aggregated announcements addressing several
      applications, operating system releases, and/or environments.

    - To be delayed until a fix, or at the very least, a workaround, is
      available.  Microsoft have very notably criticised several third
      party security analysts for making "premature" disclosure.

    - To be limited to only the small set of applications actually
      associated directly with the operating system distribution.  While
      this now includes such tied applications as the MSIE
      remote-access-and-vulnerabilities engine, third-party vendor
      software alerts must be separately researched.  My GNU/Linux
      systems include comprehensive bugreporting, security alerts, and
      comprehensive system updates (no reboots required).  Legacy MS
      Windows ain't there yet.

Of course, it's interesting to note what your own 


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Malpractice makes malperfect.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://allium.zgp.org/pipermail/linux-elitists/attachments/20060215/d607dc3e/attachment.pgp 


More information about the linux-elitists mailing list