Browse the Internet with a little more Privacy!

Why doesn’t Linux get viruses?

root vs. user

You’ve no doubt heard the rumors that Linux (or Mac OS) doesn’t get viruses.  You’ve probably come across the rumor that Linux is more secure because of the way it’s built.

Those rumors are true, for the most part.  But, specifically why are they true?

One of the biggest reasons Linux doesn’t get viruses is because of the way user accounts are set up.  When you create an account in almost any Linux distro, you’re given a user account, which has limited privileges.  It is the root user that can alter the operating system’s guts.

In a server environment (an office or school), the only person who has access to the root account is the System Administrator.  In a Home environment, since you personally installed the Linux OS onto your computer, you get to choose a password for accessing the root account, but the default is still the user account.

So, as a user, you have basic privileges, and you have access to only certain files in the operating system.  The privileges of a user account are almost always sufficient for the average computer user.  The root account allows access to all files, including the important files that the OS uses, and lets you perform certain functions like partitioning hard disks, installing software, or adjusting firewall settings.

This separation of privileges makes Linux a tough environment for viruses to reproduce in, given that the default user account’s file access privileges are limited to non-critical files.  Attacking the root account is extremely difficult, particularly if you have a good password, and a little bit of encryption; a firewall like SELinux also helps to identify “illegal” tasks, like when an application tries to run in root without telling the user.
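An added example, not part of the original post: a small shell audit that tests the claim above by listing paths under a directory tree that any user, not just root, could modify. The function names and the sample tree are constructed for illustration; on a real system you would point `audit_writable` at directories such as `/etc` or `/usr`.

```shell
#!/bin/sh
# audit_writable DIR: print paths under DIR that any user can write,
# i.e. places where the root/user separation does not protect the system.
# World-writable directories with the sticky bit (like /tmp) are skipped,
# because there users can only remove their own files.
audit_writable() {
    dir=$1
    # Regular files writable by "other".
    find "$dir" -xdev -type f -perm -0002 -print 2>/dev/null
    # Directories writable by "other" that lack the sticky bit.
    find "$dir" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# count_writable DIR: number of findings, for use in scripted checks.
count_writable() {
    audit_writable "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed tree standing in for a system
# directory and print its path. Modes are set explicitly so the result
# does not depend on the caller's umask.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/bin" "$root/tmp" "$root/share"
    chmod 755 "$root/etc" "$root/bin"
    echo "config" > "$root/etc/app.conf"; chmod 644 "$root/etc/app.conf"
    echo "binary" > "$root/bin/tool";     chmod 755 "$root/bin/tool"
    echo "oops"   > "$root/etc/bad.conf"; chmod 666 "$root/etc/bad.conf"
    chmod 1777 "$root/tmp"    # sticky, like /tmp: not reported
    chmod 777  "$root/share"  # no sticky bit: reported
    echo "$root"
}

# Demo run on the constructed tree: reports etc/bad.conf and share.
demo=$(make_sample_tree)
audit_writable "$demo"
rm -rf "$demo"
```

An empty result for a system directory means an unprivileged account has no direct way to alter the files in it.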

“But open-source code is more insecure because all the source is free for the virus makers to exploit!”

If you haven’t heard that argument, I’d be surprised.  Well, let’s set the record straight.

The argument that open-source is less secure because it’s open, is self-defeating.  In fact, open source is more secure, because it’s open.  How can you hide a virus inside an application if all the code is open for anyone to see?  Because it’s open source, a virus would be spotted before the app is even close to public release, and when it is released, thousands upon thousands of developers will examine the code before deploying the app for their own purposes.

The root account/user account separation, along with the open-source nature of Linux, is what makes it virus free.  That’s not saying a virus can’t happen, but Linux is part of an ecosystem that is extremely unfriendly to a virus.

Some might add that another reason Linux is virus free is because of its small market share, but I really don’t think that has anything to do with it.  Linux could have 100% market share, and as long as every part of the OS is open-source, viruses will not get far.

Obama endorses Linux

A cooking simile for software

Open-source software development is like cooking.  Let me explain.

Let’s imagine for a moment that you want to make an apple pie from scratch.  You’ll need a recipe for the pie.  That’s certainly easy to find; there are tons of pie recipes in one of the many cook books you own.  Just find the apple pie recipe you like the most and set it on the counter.

Next you’ll need the dishes and utensils to manage all the ingredients you’ll have.  You probably have a nice size bowl, and rolling pin, a wooden spoon, and a pie pan, but if not, I bet your neighbor has some, or your friend down the road.  If not, then you can go to the store and buy the dishes and utensils.

Okay, now you’re ready to gather all the ingredients, which, if you don’t have yourself, you could borrow from a neighbor or friend, or buy them from the convenience store.  Now comes the fun part, mixing all your ingredients together.  You’re following the recipe when, about halfway through the process, you decide to vary the recipe a bit.  You put an extra block of butter in, a little more sugar than it calls for, and you mix some ground cinnamon into the dough.  Why not, right?

After forming something out of nothing, you stick it in your oven, set the timer, and wait.  Images of gooey apple filling, and crisp, buttery, cinnamon crust float around in your head.  You can smell the sweet concoction of cinnamon and apple in the air as it bakes into perfection.

When it’s done, you invite some friends over to share the pie.  You’re excited when you tell them how you made it, and you give them each a copy of your new recipe, which you derived from some stranger’s recipe.  Your friends enjoy the pie and many of them want to make it for themselves, and some of them even said they would try vanilla instead of cinnamon in the crust.

You made this pie from scratch, you know exactly what it’s made from, so you know it’s perfectly safe to eat, and you know it tastes better than those store-bought pies, and you like to think you improved upon the recipe you worked from.

Developing software is the same way, and when you’re working with open-source tools or deriving your work from another open-source project, you can look at the source so that you know exactly what you’re working with, and just like making an apple pie, there is nothing stopping you from changing it up a bit (or completely).  All the tools you need are there, for free, and when you finish the project, you are free to do with it anything you want.

Let’s say I want to download the source code for Ubuntu Linux.  I could either go to archive.ubuntu.com and find what I need, or download the source from Synaptic or the terminal.  It’s all there, I can customize it to my heart’s content.

This simile is the same when it comes to using open-source software.  The cleanest and safest (though not the easiest) way to install an application is to compile it from the source code.  Just download all the source (it’s usually packaged nicely in a .tar archive), and run a few commands from the terminal.  Installing it this way, you can specify where to put the installation files, so that you know where all components of the program are, plus you have all the source code in a nice archive.  You made this pie from scratch, you know exactly what it’s made from, so you know it’s perfectly safe to eat.

Open source cars

The Genivi Alliance is making progress on the development of a middleware platform for In-Vehicle Infotainment (IVI) systems (GPS, iPod connectivity, Bluetooth receivers, satellite TV/radio setups, etc.).

It’s based on Wind River Linux, and the Intel Atom processor, and the middleware stack is due out this summer.

DoD starting open-source project database

Forge.mil, based on Sourceforge code, is designed simply to mimic the functionality of Sourceforge, with some security enhancements to better suit the needs of the Department of Defense. The Defense Department has been leaning toward open-source software for a while now, and this latest project is yet another indication that they are serious when they suggest that open-source is a business model that “works for everyone”.

Forge.mil currently hosts 3 projects, one called Bastille, which is designed to automate server configuration, another handles requests for proposals development, and another project is designed to automate the “secure configuration of Solaris systems” (Solaris is an open-source operating system by Sun Microsystems).

Obama looking into open-source

Open source advocate and co-founder of Sun Microsystems, Scott McNealy, has apparently been asked to prepare a paper on the subject of open source software for the new administration.

From McNealy:

“It’s intuitively obvious open source is more cost effective and productive than proprietary software…[t]he government ought to mandate open source products based on open source reference implementations to improve security, get higher quality software, lower costs, higher reliability - all the benefits that come with open software.”

If the Obama administration is considering a move toward using open source software across all departments of government, that would serve as a paradigm for open government, which the president has called for on several occasions.  Exciting news this is.

New developments in 2005 Manatee County breathalyzer case

Judge Doug Henderson ruled two years ago that any Intoxilyzer 5000 tests were not admissible evidence in trial.  Prosecutors unsuccessfully appealed the ruling, and are faced with a decision to go to trial without the evidence, or reduce the DUI charges.

3 years ago, the defense attorneys, representing 7 defendants, challenged the machines used in the breathalyzer tests, and wanted the manufacturer to release the source code for study.  That manufacturer is Kentucky-based CMI Inc., and they refused to show the source code to the State of Florida, calling it a trade secret.

The judges presiding over the case determined that the refusal to release the source code of the Intoxilyzer 5000 constituted a violation of due process, and so the evidence was removed from the trial.

CMI faces over $2 million in fines because of their refusal to release the source code.

From Mark Lipinski, who represents the seven defendants:

“What this really means is that outside corporations cannot sell equipment to the state of Florida and expect to hide the workings of their machine by saying they are trade secret,” he added. “It means the state has to give full disclosure concerning important and critical aspects of the case.”

A minor victory for open-source software.