[dot] Nils Magnus (of LinuxTag) on Security and aKademy

Dot Stories stories at kdenews.org
Fri Aug 6 08:11:18 CEST 2004 

URL: http://dot.kde.org/1091772577/

From: aKademy Team <akademy-team at kde.org>
Dept: batten-down-the-hatches
Date: Friday 06/Aug/2004, @08:09

Nils Magnus (of LinuxTag) on Security and aKademy
=================================================

   As part of a series of articles previewing KDE's World Summit, 
aKademy [http://conference2004.kde.org/] (running from August 21st to
29th), Michael  Renner and Tom Chance interviewed Nils Magnus of
LinuxTag about security on the desktop. He is  due to deliver a tutorial
on security on the KDE desktop
[http://conference2004.kde.org/tut-securitydesktop.php] with Kester
Habermann, one of 15 that run in parallel with  the coding marathon.
Read on for their thoughts on Linux and Windows security, software
patents  and more.

     Q: Is Linux actually more secure then Windows or is it just less
common?

     Nils: Well, Linux is in fact still not as common as Windows at the
moment. But it would be fatal to trust that fact when you think about
security. We know that  all software has problems. Even with Linux we
had occasional incidences in the past.  An example for this is the
slapper worm that attacked the Apache web server.

     However, the major difference to Windows and all other proprietary
software is that security problems, due the free availability of the
source code, are easier to  find and to fix.

     In the expert's view, the kinds of current Windows vulnerabilities
are  technologically similar to those that we had in Linux and other
free Operating Systems back in the 1990s, e.g. buffer overflows and
Off-By-Ones.  Such errors have since declined in Linux.

     As soon as a vulnerability is known, the reaction time is in the
range of a few hours for open source software. For proprietary software
it often takes 30 days or more; manufacturers call this a short response
period.

     Finally, due to its architecture, Linux is free of one plague:
There are no Linux  viruses! Sophos, the anti virus manufacturer, lists
just two linux viruses,  but these have only been of academic interest
and are rare 'in the wild'.  After all, the well-engineered system
design is based on the experiences of 35 years of UNIX development.

     Q: Is physical access to a computer insecure in general?

     Nils: Yes, this is generally correct. If the attacker has physical
access, the system administrator has a hard job to make the system
secure. This is the reason why server systems are typically operated in
secured data centers.

     With desktop system, the focal point of  our tutorial at aKademy
[http://conference2004.kde.org/tut-securitydesktop.php], there are some
different rules. The subset of people with  physical access to a system
won't have such criminal intentions like an unknown attacker.  An
encrypted hard disk, restricted user rights, removable media like USB
sticks or critical  data at a fileserver help a lot.

     And of course we should consider the 'Trusted Computing' issue. It
was originally concerned with this problem, whereas lately is has been
abusively confused with 'Digital Rights Management (DRM)'.

     Q: How good must security be, or is absolute security needed?

     Nils: There is no absolute security per se with computer systems.
The administrator's task is to define  and reach a level of appropriate
security. We often hear 'there is no critical data  on my computer'. But
is this true? Information technology is increasingly becoming a part of
many areas of our life . We won't notice this in any case. Do we access
our e-bank  account from the same computer? How would the employer react
if in the private web cache  several situations offered are found? And
does the music and advertising industry  have insight to every private
preference?

     Fortunately, a modern operating system like Linux has protective
mechanisms that can be activated and administrated easily with KDE. How
to disclose and fix harassment will be discussed in detail in the
tutorial.

     Q: What effects do you expect from software patents?

     Nils: So-called software patents are a dangerous threat for the
small and medium enterprises  in Europe, because they have to spend
considerable amounts of time and money in the check-up for existing
patents and the defense of such demands. For that reason experts and
concerned citizens are critical of so-called software patents. Seventy 
five percent of the Linux Tag 2004 visitors said they are against
software  patents, whilst less than 0.4% favored them.

     Q: What hardware and software do you work with?

     Nils: I work with a Linux system that was set-up from an installed
Knoppix with some adjustments for a more secure operation. I travel a
lot, so I use computers in environments where I can not be sure about
their integrity (e.g. my notebook). Important data is stored on a
central, well-secured place that I can reach via an encrypted Internet
connection. So any computer with a network connection is sufficient for
me, because I always have a Knoppix DVD or a memory stick with me.

     Q: Is there something else that you want to say to our readers?

     Nils: Safety is a fascinating topic with many aspects. In our
totorial we want to show how you can help yourself to find your own
point of view. We will have lots of practical exercises and
demonstrations, so the theory will be  transferred directly into
practice.

     Q: Thank you for your answers and your time

     Nils: No problem.

More information about the dot-stories mailing list