A Golden Opportunity - page 3
Where Do You Want Your Data to Go Today?
Meanwhile, the people who put together commercial Linux distributions (who I believe probably give their credit-card numbers over the Internet) continue to take the security that Linux already offers and by default destroy it. Because they have no idea whatsoever who their customers are, or maybe want to sell consultancy such that in exchange for money their stupidities can be corrected, they ship products that are wide open.
I run Caldera eDesktop 2.4. I do so because I think it is by far the most stable distribution, the one most easily modified without having to learn a lot of distribution-specific things. Caldera has in my estimation produced the most Linux of the commercial distributions. (I say "commercial" because I'm deliberately excepting Debian.) Distributions have attitudes, and Caldera's is mellow.
Yet Caldera, like Red Hat and the others, is an out-of-the-box security nightmare. It's not so much an installation as it is a frigging open house. Every imaginable daemon is up and running on boot. I spent a hilarious evening on the phone with my friend and guru, the estimable Bob Bernstein, doing nothing but shutting down--everything. There was nothing, or just about nothing, that needed to be running. I did this when I switched from dialup to cable modem and wanted to be the only guy making those LEDs blink. Even so, I awakened one night to see the lights blinking and strange pictures on my screen. XScreenSavers had gone trolling on the web, gathering stuff for my screen.
There is a golden opportunity here, yes indeed. There is the opportunity for Linux to become, by definition, the operating system for people who are serious about security--and seriousness about security is now a selling point, but soon it will be a bottom-line minimum. Yet the community, from distributors (and I'm sorry for picking on you, Caldera, because the others are every bit as bad) to application developers--c'mon, Jamie, you know better--have acted as if the Microsoft standard, no standard at all, according to the CSIS, is all that matters.
It's time for a security exploit. It's time for Linux distributors and application developers to exploit the security we already have. The distributors need to understand that nothing--nothing, dammit--should be started by default. Apache is great, but you have a lot of customers who are not running websites, and even fewer who ought to be. Don't assume that everybody who buys your CD and (generally miserable) book wants to make the machine an ftp server. Make those things available, sure. If I may make bold to suggest it, even document what those daemons are, what they're good for, when you might want to use them, and how to do so.
But make security your selling point. There is a load of sales material available to you, involving all of the documented attacks and the potential ones. You'll inconvenience no one.
I have no idea why the Linux community seems intent on failing to accentuate its strengths while chasing the weaknesses of what it sees as its competitor.
We need to recognize that Linux is as good as it is.