Replies Interwoven:

On 9/7/06, David Fletcher <fc@xxxxxxxxxxxxxxxx> wrote:
At 02:39 07/09/2006, you wrote:
>On Wed, 2006-09-06 at 19:49 -0500, Michael Yep wrote:
> > Users should run as restricted users
>
So, if we the Linux community can manage to persuade computer users to switch from Windows to Linux we've then got a problem with people who don't understand security. If they've always run Windows in supervisor mode then they'll just run Linux as root user because they don't know or understand the reasons why that is A BAD THING.
I think it goes beyond this and is in process as we speak! We enjoy not being the flagship here. If I were the richest man in the world, I would need a lot of security. He is (one of them) and he does. So if we become more like him (have more people using our OS) we also inherit the need for more security - we will be more of a target!! We do appear to be a bit more popular - may God help us!
It all boils down to education. If a Linux user can manage to turn a Windows user away from the Dark Side then that's very good. But with that power comes responsibility - the responsibility to educate new users to run the operating system correctly and safely.
What I would like to see is:
1. Education for the developers. Secure code, I am suspicious, happens when you know how to build it.
2. Evaluation of the "new" and "old" code. I would love to see some "security testing and evaluation" teams out there. Sort of an organized "gauntlet" we could put our code through to make it more secure in an iterative process.
3. Certification (sort of a UL label or something) of code thus processed.
4. A way to solve the "zero day" problem. As soon as you make the vulnerability public hostile people start writing attacks! We need to be able to find vulnerabilities, make and release a patch, and then make the vulnerability public.
Dave F
May we find a way! Tod