News from The Globe and Mail
Linux whimsy belies solid security
Tuesday, March 25, 2003
The paunchy penguin that serves as a mascot for Linux is cute and cuddly but it doesn't necessarily project a solid corporate image of reliability and strength.
And the whimsical mascot -- adopted by aficionados because Linux creator Linus Torvalds likes penguins -- also seems to symbolize its haphazard evolution.
An operating system that provides a software platform for running all kinds of computer systems, Linux was created as an alternative to commercial software by Mr. Torvalds, a Finnish programmer, with the help of computer experts from all over the world.
But this freely available operating system that has evolved in the geeky Internet culture of hackers and computer programming enthusiasts may prove to be more secure and robust than many pieces of commercial software designed specifically for the corporate world, according to Chris Pratt, Linux manager for Markham, Ont.-based IBM Canada Ltd.
This is because Linux, unlike other operating systems that keep their proprietary software code under wraps, makes its code available for all to see and test for potential security flaws, says Mr. Pratt, whose company is one of many vendors now promoting Linux as a solid business platform.
"It's a Darwinian approach. The strongest code survives. It is highly open to those trying to protect it and those trying to attack it. This enormous level of peer scrutiny means that the code that's put out is of extremely high quality."
Mr. Pratt illustrates this point by comparing the security of the software platform to the physical security of an office.
Imagine someone is trying to break into your office and you have to barricade yourself in, he suggests. You can block the doors and the windows, but you probably don't know if there is a hidden trapdoor or a false wall that attackers can break through.
Then imagine what would happen if the blueprints for your office were published on the Internet, available for all to see. In this situation, Mr. Pratt observes, the attackers would know your vulnerabilities, but you would also be aware of them and could defend yourself.
"That's what makes Linux more secure. If you have proprietary code, you don't know what's in there and don't know what other people know," he says.
John Heiman, director of product management for security products at Redwood Shores, Calif.-based Oracle Corp., another company that is promoting Linux as a business platform, says the openness of Linux means that "you have some confidence that at least it's been reviewed and the people who are capable of breaking into it have done their worst."
The world's most popular operating system, Microsoft Windows, is the target of 85 to 90 per cent of computer viruses, according to Jack Sebbag, vice-president and general manager, Canada region for Network Associates, Inc. of Santa Clara, Calif., vendors of the McAfee anti-virus software.
But, Mr. Sebbag adds, that may be just because Windows is so ubiquitous. "Hackers and malicious code writers are going for widely accepted operating systems that are standard in the marketplace. I'm sure some of these other operating systems have similar vulnerabilities that haven't been exploited yet."
The way that Linux is constructed also gives it an advantage over proprietary software in terms of security, according to Mr. Pratt. Proprietary operating systems generally bundle together a large number of functions in a single package, whereas Linux consists of a basic kernel onto which each user can choose to bolt on only the functions that he needs.
The result is an infrastructure that is specifically tailored to the job at hand and contains no unrelated elements that could create completely unnecessary problems, says Mr. Pratt, noting that the average user of commercial software is frequently called upon to install updates and fixes for functions that he never uses and may not even know he has.
For these reasons, many security agencies and governments around the world have chosen Linux and a growing number of businesses are doing the same, according to Mr. Pratt. He says a survey of IBM's 500 most recent Linux customers showed that 64 per cent of them cited security as a key reason for adopting the open operating system.
Responding to this trend, Microsoft Corp. of Redmond, Wash., has moved to make its proprietary software code available to accredited governments under its new government security program, announced earlier this year. The program lets agencies review the code and add their own encryption technologies to it.
The covert nature of Microsoft's code makes it a risk for human-rights organizations that need to protect information from the prying eyes of security agencies in dictatorial regimes, according to Patrick Ball, deputy director of the science and human rights program of the American Association for the Advancement of Science. He advises organizations to use open-source software so that their own experts can review the code to make sure there are no backdoors that could let intruders in.
Nevertheless, even though many people believe Linux is the best choice for security, it has been at a disadvantage in the marketplace, according to Mr. Heiman of Oracle, because its security features have not, until now, been submitted to an independent body for third-party evaluation. He says this is a particularly important consideration in today's market because of a heightened concern about security in the United States, where government requirements insist on certain agencies deploying only products that have been formally evaluated.
In order to enhance Linux's status in the marketplace and to provide users with a higher level of assurance, Mr. Heiman says Oracle is now collaborating with leading Linux provider Red Hat Inc. of Raleigh, N.C., and other members of the open-source software community in an effort to submit the operating system to a formal independent evaluation.
Even though it may take up to 18 months to complete the evaluation, Mr. Heiman says customers will take comfort from the fact that the process is under way.
© The Globe and Mail