Commentary: More on Linux

I now find myself in the tremendously unenviable and essentially hopeless position of explaining, in writing, what I have written — to an audience, it bears noting, that does not seem to read, understand, or otherwise know how to employ the English language.

This audience is known to itself as the “Linux community.” I think of them in far less complimentary terms.

Weaker Than the State of the Art

Two weeks ago, I had the temerity to suggest that Linux is overrated. Citing statistics posted on BugTraq, SecurityFocus.com’s computer security mailing list which tracks vulnerabilities in operating systems, and relying on the testimony of security experts, I wrote that Linux systems are weaker than the state of the art in operating systems. I also noted that the number of its reported vulnerabilities, when measured against its market share, was, in essence, higher than the number of Windows NT reported vulnerabilities when measured against its market share.

Or, as Marcus Ranum, CTO of Network Flight Recorder (NFR), a maker of intrusion detection products, and installer and first manager of the whitehouse.gov Web site, puts it: “Linux’s focus isn’t security. It’s features and performance. There are loads of security flaws found in Linux, just as there are in NT; it’s just less of a big deal because the size of the Linux user base is small compared to the NT user base, and the NT user base tends to be less technically sophisticated than the Linux user base and therefore is hit harder by security flaws when they are uncovered.”

I was of course bombarded with quasi-decipherable outrage, orchestrated by the community at slashdot.org — a Linux self-congratulation Web site. A typical example: “Maybe if you actually delt with this [expletive] on a day to day baises you would make educated and well informed articals.”

Distilling the Message

Now the basic, distilled-to-one-line message of my column was this: If Linux had to stand up to the amount of use and abuse Windows NT did, it would not be up to the task. This is not because NT is inherently a “better” operating system than Linux. There is no real way to objectively measure the relative worth of operating systems, since they are such complicated beasts, are measured by so many different metrics, and are designed with different uses and programmer values in mind. But it is to say that NT is a more proven performer over a broader array of landscapes, tasks, scenarios, and markets. The salient point in that column was not that NT is flawless and Linux is flawed; it was that both are flawed, and that Linux is far more flawed than its promoters are willing to admit.

This is partly because Linux, in comparison with NT, is relatively untested; and it is partly because Linux is an open source system — that is, anyone can get into its source code and make changes. While this is trumpeted as a great strength of Linux’s, it actually is a weakness because there is little quality control over bug fixes supplied by a volunteer work force of people, judging from the postings I get to columns like this one, who are not great thinkers. As one security expert I know puts it, “People who write code for Linux are predominantly accountable only to their egos, whereas people who are paid for their time are also accountable to their stomachs. You decide who is going to write better code.”

Linux Not Quite Up to Snuff

This concern for accountability apparently is shared by the federal government. Federal Computer Week (fcw.com) reported on August 2 that Linux “fails to meet Common Criteria (CC) requirements — an international agreement and protocol regarding security criteria,” and thus is ineligible for deployment in federal-government systems. NT, it bears pointing out, does meet the requirements.

“I used to be a big Linux advocate years ago,” my source continues, “but once I started playing with a more robust and secure operating system I ditched it. It doesn’t make sense to cling onto the plague-ridden.” Mindful of the reaction in Linuxland to this sort of statement, he also added, “I happen to make money fixing Linux security issues, and if my name was associated with this stuff, I would be significantly encumbered in this respect. Anonymity is key, and I’ll have to demand it.”

Fully mindful of the intolerance that reigns among the Linuxed, I had to grant it. There is no one among the security-obsessed all that excited about either NT or Linux. After reading postings about my previous column, Matt Sommer, Senior Security Engineer at Internap, wrote, “It appears that the whole point of security as a software engineering goal is being missed in this dialog; it isn’t a case of Linux or NT being better, it’s a case of what is the best tool for the particular job. In regards to anything security-related, it is fairly clear that neither of those options provide alternatives worthy of trust, and that users can and should expect much, much more.”

NetBSD, OpenBSD Rated Above Linux

Most of those expecting “much, much more” settle on some flavor of BSD, a UNIX-based operating system. “One of the BSD variants — OpenBSD (www.openBSD.org) — was constituted with security as its premise,” says Marcus Ranum. “They did some really interesting stuff; they did complete code audits of major hunks of the operating system and found huge, horrible, gigantic holes that all the other UNIX derivatives had been ignoring. They subsequently got fixed, but it was a huge reality check for the community. I’m sure that a similar audit of Linux or NT, if it were to happen, would be equally interesting.”

I came across two more items of interest while taking refuge from the pummeling of the last two weeks. One was a slide presentation by Thomas Graichen entitled “Performance Comparison and Tuning of Free Operating Systems.” (See Web Links in side column.) The closest thing I have found to a thorough, objective comparison of operating-system performance and security, it ranks NetBSD and OpenBSD significantly higher than Linux 2.2, the latest Linux version available.

The other was the 2000/07/31-2000/08/06 “Weekly Linux Security Digest” (See Web Links in side column.), published by SecurityPortal and written by Kurt Seifried. “A busy week,” begins Seifried, who goes on to note that “several [Linux] programs were found to contain security problems, some of them very nasty.” The list that follows is 10 pages long, and preceded by this rather more realistic view of open-source operating systems than that held by the Linux zealots: “I still feel that vendors should not rely on the good will of third parties to distribute fixes. Reliability aside, there are trust issues to be considered.”

Fred Moody is the author of I Sing the Body Electronic: A Year with Microsoft on the Multimedia Frontier and of The Visionary Position: The Inside Story of the Digital Dreamers Who Made Virtual Reality a Reality. His column appears on alternate Wednesdays.