GNU/Linux Desktop Survival Guide
by Graham Williams
Security Through Transparency
Security is crucial and will continue to grow as a concern for users. Truly independent research finds that GNU/Linux has fewer flaws than proprietary software. A four-year project completed in 2004 identified 985 bugs in nearly 6 million lines of code in GNU/Linux (Kernel 2.6), while proprietary software is thought to have between 5,000 and 40,000 bugs in similarly sized code (and, of course, is not open to such scrutiny by just anyone). CNET reported on the research in "Security research suggests Linux has fewer flaws", published 13 December 2004. Also, 50% of the Windows vulnerabilities are ranked as critical, whilst only 20% of the vulnerabilities in GNU/Linux have been found to be critical. 91% of broadband users running MS Windows have spyware on their systems, compared to almost 0% (less than 0.1%) on GNU/Linux.
An article in the 27 August 2001 issue of Interactive Week by Rob Fixmer recalls a 1998 interview with then Symantec CEO Gordon Eubanks:
Everybody can see what's under the hood, so we're on equal footing with hackers. With proprietary systems intruders often have illegal means of learning things about the underlying code that are superior to the legal information at our disposal—even though we get excellent cooperation and support from Microsoft.
Gartner Group's John Pescatore on 19 September 2001 had the following to say in an advisory from the Gartner web site (emphasis is mine):
Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache. Although these Web servers have required some security patches, they have much better security records than IIS and are not under active attack by the vast number of virus and worm writers. Gartner remains concerned that viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS. Sufficient operational testing should follow to ensure that the initial wave of security vulnerabilities every software product experiences has been uncovered and fixed. This move should include any Microsoft .NET Web services, which requires the use of IIS. Gartner believes that this rewriting will not occur before year-end 2002 (0.8 probability)
Anyone can scan the GNU/Linux code for vulnerabilities (and for inefficiencies and bugs), and as they are discovered the solutions quickly become available for all to access. Of course, the unscrupulous can also scan the code for opportunities to attack a system, unlike proprietary code, where only a few have access to the source. But would you prefer security by obscurity or security by peer review? It is a choice!