Back on the first of September I wrote an article about Android, in which I pointed out that Google’s mobile operating system seems to be primarily designed to help sell things. This eventually led to a discussion thread on a subreddit devoted to Android. Needless to say, the fanbois and fangrrls over on Reddit didn’t cotton to my criticism and they devoted a lot of space to complaining about how the article was poorly written.
They had me there; admittedly it wasn’t one of my better efforts.
The one comment that caught my attention, however, wasn’t complaining about me or my obviously misguided opinion. This commenter said something about how my article came from a FOSS site and made some snarky remark about how as open as Android is, it would never be open enough for those whiny FOSS people. This is the kind of remark we see all the time from tech people, user and developer alike, who think OSS is as free as it gets and don’t understand the distinction between open source and free and open source.
In other words, sometimes it’s the people who’re the closest to us in opinion who become our biggest ideological detractors.
I paid the thread and the comment little mind; I just found it curious that fans of an open source project can so easily take umbrage at those of us who have one foot firmly planted in their camp. I’m always surprised by how much OSS supporters hold us FOSSers in contempt.
However, that’s better than others who don’t even know enough about FOSS to have developed any misconceptions — other than the big misunderstanding that FOSS is just like any other software.
A few weeks back, probably at about the same time I wrote the article on Android, I received an email from Samantha, an “Affiliates Relations Manager,” wanting to interest FOSS Force in becoming an affiliate for an e-commerce site which sells discounted proprietary software. As I didn’t figure that many people who regularly visit a site with FOSS in the name would be in the market for proprietary code, discounted or no, I ignored the email.
About a week later I got another email with the subject, “Did you receive my previous email?” It was Samantha again; she really, really thought that FOSS Force and her software selling partner would be a perfect fit. I remained unconvinced and again ignored the email, figuring that would be the last I’d hear from her. Most affiliate marketing companies don’t try to interest me more than twice for a particular client. After the second go, they’d usually rather wait until they have another client to use as bait on the hook.
Not Samantha. On Friday I received a third email. She was still wondering if I’d received her previous messages. She still thought FOSS Force would be a perfect fit for her client. “We sell retail, OEM and discounted versions of software titles from Microsoft, Adobe, Apple, Autodesk, Corel, Intuit, McAfee, Symantec and many more,” she gushed.
Obviously she doesn’t understand FOSS or those of us who advocate its use. She’d probably seen the site, noticed a lot of writing about computers and software and jumped to the conclusion that we’d be great for her software hawking client. I wouldn’t doubt that she’d Googled the term “FOSS,” but got no further than the word “software” when reading the definition.
This time I broke down and sent a reply, thanking her for her interest in our site. Unfortunately, I explained, almost all of our visitors use Linux and most of your client’s software won’t even run on Linux. Besides, I went on, our site advocates the use of free and open source software and a large percentage of our visitors would take exception if we were to offer software by the likes of Microsoft or Apple, even if it would run on their machines. As for McAfee and Symantec, I explained, our visitors rarely need antivirus products.
I have no idea how much of what I wrote she understood, although I would’ve liked to have been a fly on the wall when she read the email.
If you ever get a client that might be a better fit, I ended, please get in touch with me.
I can’t wait to see what she’ll suggest we try selling our readers next. How about discounted iPhones and iPads? I can see her email now: “I notice from an article you wrote that you don’t like Android, so I thought you might be interested in offering your readers a discount on Apple mobile products…”
If that happens, I won’t try to educate her again.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
“Don’t let the bastards get you down.” Just ignore them and keep doing what you have to keep doing.
Only speaking to the lack of need for AV here, but as FOSS gains marketshare you’ll see more viruses become prevalent, just as it is being seen with Android today. The reason you don’t really see this in server “space” is due to the people managing systems in that space being very technically savvy and understanding enough about securing these systems to protect them well enough, that and the majority of infrastructure not actually being out on the edge helps too.
In the last two years FOSS has had a lot of black eyes via both locally and remotely exploitable vulnerabilities. FOSS isn’t targeted often because it isn’t a target of sufficient value, yet.
My experience in dealing with OSS people as opposed to FOSS usually falls into one of two camps:
1) Either they really don’t understand the differences and think the distinction is unimportant.
Or
2) They are actively looking for a way to exploit OSS to make a proprietary product and FOSS would get in their way.
It’s usually worth explaining to people in the first group why the differences are important for all of us. People in the second group are typically not worth talking to.
@Andrew, you are wrong. You fail to understand how Linux security mechanisms work.
The reason we see Malware… NOT Viruses, but Trojans, on Android, is because Google have broken a fundamental principle of Linux security. They have allowed Binary only submissions of applications into the App Store (AKA Software Centre or Software Repository), with very little oversight, something for all its faults Apple handles much better.
The fact of the matter is that Microsoft Windows would benefit from a well run and Policed Software Centre, this would reduce the number of Malware hitting Windows… It wouldn’t stop Viruses (which are a special class of Malware that self propagate… at least on Windows, due to the architecture of Windows) completely.
Viruses don’t work on Linux based systems because they require direct root access on the next machine to propagate. So while it is possible to get the first infection started, through Social engineering, for example, it becomes increasingly more difficult to get the next victim infected.
Trojans, which of course you are talking about, are a slightly different case, as they require the willing participation of the victim, In Android that is relatively easy, as Google don’t police the App Store well, and seem to not care much about it, so long as there are lots and lots of apps available.
So while it is true that there is the potential for the spread of certain types of Malware in newer Linux Systems, for example Ubuntu Phones and Tablets, and indeed Desktop systems such as Laptops. If the Software Centre is well policed, as it currently is, it is unlikely that Malware will be any greater threat to new Linux Users than it is now.
Tracyanne, I’ve spent more time deep in the Linux security “weeds” than you ever have or ever will. I’m not wrong, but thanks for trying to set me straight. Viruses and other exploits don’t need “root”, they simply need a vector and that vector can be any account or exposed service that can be exploited to gain access to a system or to data.
Proving you wrong is as simple as…
https://www.trustedsec.com/august-2014/chs-hacked-heartbleed-exclusive-trustedsec/
Actually Andrew it tends to support my case. Read that article again.
No, it really doesn’t. I’m sorry you don’t understand that, and that you don’t understand how Heartbleed works. Here’s an example that you can peruse.
http://www.exploit-db.com/exploits/32791/
Keep in mind that this was a remotely exploitable vulnerability in FOSS (OpenSSL) that leaked information that can and was used to gain access and do more damage, all without access to a root account.
Again, you don’t need root, you only need an exploitable vector. I’m not sure what textbook or forum you read that led you to believe you must have root to do damage, but no data of value is ever stored under a root account. Not only that, but the apps that tend to host that critical data also don’t normally run in the context of root. The only things of more than trivial value that you gain by reaching ring 0 (what you call root) is the ability to turn off the firewall and start listeners on ports under 1024, or to destroy a system if you desire.
Further, there have been a few vulnerabilities over the last year that allowed one to gain ring 0 access including one vulnerability that allowed anyone with a local account (gained by data captured by heartbleed perhaps?) to bypass selinux entirely as you did so.
Maybe it’s time to stop pretending that you know everything and time to stop spewing bad information in forums around the internet and actually educate yourself.
Here’s a link that might help get you started.
http://www.exploit-db.com/platform/?p=linux&pg=88
Hi, Christine, I’ve been too harsh against English, when obviously all languages have problems, ambiguities and the like.
But this “free” versus “free” annoys me to no end. I figured a catchphrase which is “I like to pay for free things”, which clearly separates those with the right mindset (Freedom) from those which are just materialist. But, yes, as you say, most people probably consider thinking about Freedom a waste of neurons. And in their case, they may be right… ;-P
Fixing that link, and adding a few views…
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=&filter_author=&filter_platform=16&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=&filter_author=&filter_platform=22&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=&filter_author=&filter_platform=21&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
I’m a FOSSer. I’m also a ‘truth seeker.’ The truth matters to me, just as it did to Lovecraft:
http://www.skeptical-science.com/essays/letter-religion-lovecraft/
Perhaps this is the kind of thing that separates out the pragmatic OSSer from the FOSSer. I choose to use FOSS because it’s ‘real’ – and embrace the GPL because I see a moral imperative in free code that has attribution, lineage, and user rights all taken into account. However, many of my friends and colleagues choose pragmatically and can’t understand my apparently naive and/or dogmatic approach to software.
Hey Truth Seeker,
I don’t think you are naive but I do see how your friends don’t understand your approach to software. Most people simply don’t care. It is irrelevant to their lives.
I have friends who are vegan. They can tell me why they are vegan but I don’t care. I’m not going to adjust my lifestyle to that degree for reasons that are completely irrelevant to me.
I used to almost exclusively use FOSS software. I learned Linux on my own and figured out how to get it installed on my xbox. It was a wonderful experience and my years of using FOSS contributed more to my current knowledge and employment than school ever did. I had a Slackware desktop for 10+ years.
Right now I’m typing this reply on a MacBook Pro. I have a baseball game on tv and the MLB app on my iPad giving me live updates of what pitch was just thrown, the speed, the position in the batters box, and if I want I can open a menu to show me the arc the pitch took.
I got a text message on my iPhone. It showed up as an alert on my iPad and MacBook and I replied via my MacBook because touchscreens are sometimes a pain.
I was just playing a video game on my Windows PC. After work I find it relaxing to zone out with a game for an hour. Steam has recently supported Linux, but not the game I was playing. A lot of Steam games are available for OS X too but not nearly as much that are available for Windows.
Really great, awesome things like this simply don’t exist in the FOSS world and I haven’t even begun to scratch the surface. I understand the ideals of FOSS, but most people don’t even know what an operating system is and really don’t care about software licensing. They want things to do what they want.
I use plenty of FOSS software on my MacBook. It’s nice too because it’s a proper *nix environment, so most FOSS applications Just Work.
But there is ideology and there is reality. Pragmatism will always win when the ideology is completely foreign to anyone who isn’t into FOSS and technology.
I find that a lot of people misunderstand the concept of free and open source software. Most times they think of free as being “no financial charge”, and they’re partly right, the REAL definition of free would be “free” to alter the code, distribute it to whomever you want, and even charge a price, as long as you don’t infringe upon the GPL. As for the discussion on viruses and hacks against most Linux platforms, I have to say that while there MIGHT be a lot of scripts and code out there that CAN hack into a Linux machine, the odds are greater that those won’t even be used, mostly because most places that stand to lose a lot from being hacked use a Windows server backend, whereas the place you’ll find most of the FOSS/Linux/UNIX software? is on some geeks’ PC in the basement or garage of his home, and the most important info you’ll probably glean is the password for his Unreal Tournament server, which will allow you to alter his characters look and steal his experience points..LoL! But the few places that are using Linux heavily, and who haven’t been hacked or aren’t likely to be hacked are places that really don’t “interest” the common hacker…(the STScI that administers the Hubble Telescope, the Large Hadron Collider near Geneva Switzerland, and other places that don’t really have much financial gain for the common hacker) and most home users of Linux have enough technical savvy to avoid getting hacked by using the rootkits, AV’s and other “weapons” to keep their systems protected, and with the advances being made in SELinux, and other security features like hardened kernels, and encryption processes, one should not find themselves suffering from a hack of any kind. Needless to say the mantra of not clicking on unknown links within emails, or little gif’s and other erroneous things on a web-page can go a long way to keeping your system safe….I’m just sayin’!…LOL!
Hey tracyanne, check this one out.
http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
“A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. If you have Microsoft Services for UNIX you will need to patch ASAP.”
About that “security” you were touting. Have a nice vector..I mean day.
I don’t understand the misconception that there are no valuable targets running Linux. The freaking stock markets run on it, for crying out loud. You don’t get more valuable than that.
No software is perfect and anything can be hacked given enough time/effort.
The biggest threats on servers are network services with open network ports, e.g. HTTP, SSH, etc, especially those which do not receive timely updates. The biggest threats on clients are web browser vulnerabilities and end users running untrusted software. The client side issues are harder to fix and as desktop linux use grows, it can be expected malware issues will increase.
That said, I’ve worked with security on both Linux and Windows and there are some things in Linux which can mitigate attacks and actually can make it more secure than Windows:
Executable bit – Windows lacks this concept entirely.
Ability to run the entire system from a read-only file system and limit executable code to specific file systems via mount options – good luck trying that on Windows.
Digitally signed repositories removing the need for users to run random code from the web – Windows’ app store removes some of this need, but only through complete corporate control over what can be published.
Least privilege – A properly configured sudo (no, Ubuntu is not) is more secure than Windows UAC because of compromises Microsoft made in its design. It takes minimal research to prove this.
There are other differences, but these are off the top of my head.
I believe distros should do more to take advantage of features of Linux to make it secure by default. Most distros are not really that secure. The OS itself CAN BE MORE SECURE than Windows by nature of its design, however generally it is not set up that way and requires a savvy user to leverage. Depending on savvy users is not really scalable to mass adoption…
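The mount-option point in the comment above can be checked mechanically. The following is an added example, not part of the original thread; the list of user-writable paths and the sample mount table are assumptions constructed for illustration:

```python
"""Flag user-writable locations whose file system still allows execution."""
import os
import re

# Paths an unprivileged user can normally write to (assumption of this example).
USER_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm", "/home")
# Options that limit what a file dropped on the file system can do.
REQUIRED = ("nodev", "noexec", "nosuid")

# Constructed sample in /proc/mounts format:
# device, mount point, fs type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
"""


def _unescape(field):
    # /proc/mounts writes spaces and tabs in paths as octal escapes (\040).
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return {mount_point: set(options)}; a later line overrides an earlier one."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mounts[_unescape(fields[1])] = set(fields[3].split(","))
    return mounts


def covering_mount(path, mounts):
    """Return the longest mount point containing path, or None."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def audit(text, paths=USER_WRITABLE):
    """Return {path: (mount_point, missing_options)} for writable mounts."""
    mounts = parse_mounts(text)
    findings = {}
    for path in paths:
        mp = covering_mount(path, mounts)
        if mp is None or "ro" in mounts[mp]:
            continue  # unknown, or read-only: nothing can be dropped there
        missing = [opt for opt in REQUIRED if opt not in mounts[mp]]
        if missing:
            findings[path] = (mp, missing)
    return findings


if __name__ == "__main__":
    # Audit the live table when run on Linux, otherwise the constructed sample.
    source = "/proc/mounts"
    if os.path.exists(source):
        with open(source) as fh:
            table = fh.read()
    else:
        table = SAMPLE_MOUNTS
    for path, (mp, missing) in audit(table).items():
        print(f"{path}: on {mp}, missing {','.join(missing)}")
```

A path without its own mount line inherits the options of its parent, which is why `/var/tmp` is reported against `/` in the sample. `noexec` blocks direct execution only; an interpreter can still be pointed at a script stored there.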
Mike, you’re right, it absolutely CAN BE but it’s not by DEFAULT which is really the most important lesson people need to learn. You’re only as secure as your weakest link, and that’s most often people.
Excellent article and, other than the predictable “Oh yeah? Well, open source would get viruses too, if it was popular. So there!” ones, good comments, too.
As for the people who don’t understand freedom, ask them this: “If a slave is made free, does that mean you can get one without paying?”
I’ve found that it’s not worth trying to explain free software to anyone who isn’t already sincerely interested.
Actually, I can see Samantha’s reasoning: If someone is considering using FOSS programs only because they cannot afford the non-discounted price of proprietary (or cannot justify that expenditure) then her client’s offerings might be of interest. How she figures that those users would end up at FOSS Force is another question.
Andrew,
I agree completely.
I think a lot of people mistakenly assume their desktop Linux machines are secure simply because “Hey, it’s Linux!” when they are mostly benefiting from the fact that the vast majority of malware they are likely to encounter via their web browser is made for Windows due to Windows machines historically comprising the bulk of the web browsing population. Note how this is changing to target Android more all the time as mobile surpasses desktops as the dominant browsing platform.
The answer to whether Linux CAN be more secure than Windows is clear: Yes it can.
The answer to whether Linux (on desktops in general) IS more secure than Windows is less clear: Often it is, but mostly due to external factors like market share, because it typically requires manual intervention and specialized knowledge to leverage its inherent advantages over Windows.
@Tyler Olson “How she figures that those users would end up at FOSS Force is another question.”
All I can say to that is, Yup, you got it.
On the security argument–let us not forget that Windows machines are also likely to in practice fail to make proper use of whatever security Windows has to offer. I think it very likely that the typical basic Linux desktop run by someone with little understanding of security, will still be far more secure, or at least less insecure, than the equivalent Windows desktop.
Why? Because on Linux the easiest way to get software is via the distro’s repository, and because attachments don’t get to execute unless you say they should. It takes some degree of cluelessness in this day and age to click on random attachments that claim to be documents, but it takes rather more to click the thing saying “Do you want to run this document as a program?” The latter cluelessness level is probably less common than the former, so even given a typical average user distribution, the modern Linux desktop is still probably safer than the modern Windows desktop. Attackable? Sure, but that’s really a question happening at a different level of target. Nobody’s going to painstakingly muck about gathering random information with Heartbleed and browsing for the important bits if it’s just to get access to Joe Shmoe’s home computer. For basic desktops the important question is, “Is it more secure against things like spammed emails with bad things in them, or the downloading of bogus software?” On such questions, for Linux the answer is “Yes, for practical purposes it IS more secure.”
Looks like we’ve got an MCSE by the name of Andrew here, folks. Either that, or he’s an employee of Microsoft, Apple, Adobe, or some other proprietary software company. Those sorts of companies do employ people to troll on FOSS-oriented sites, unfortunately.
As for that clueless Samantha person who emailed Christine, well, Samantha is simply lazy. Didn’t bother taking the time to actually research who she was trying to sell to. She’s just blasting out emails the way spammers do and hoping that some of ’em, somewhere, stick. I would’ve SMTP-tarpitted her IP address after the first such stupid, clueless email of hers.
–SYG
@Sum Yung Gai Just so you know, Andrew spent several years as the founder and lead developer of a popular GNU/Linux distribution that’s still sorely missed by many.
Well that didn’t take long..Wait, I’m an MCSE now? WOOHOO! Let me go call “Uncle Bill” and tell him the news!
Yup, Andrew, you’re the Darth Vader of Linuxdom, Yoda disguised you are.
Oh..umm..It is useless to resist. Don’t let yourself be destroyed as tracyanne did. There is no escape, don’t make me destroy you. Sum Yung Gai, you do not yet realize your importance. You’ve only begun to discover your power. Join me, and I will complete your training. With our combined strength we can end this destructive conflict and bring order to the free and open source software community.
Why am I always the bad guy? haha
Don’t get carried away, Andrew. You’ll scare all of our nice visitors off. 🙂
Sorry visitors!
Nothing wrong with MCSE’s. 🙂
I don’t mind saying that I was an MCSE, MCSD and even an MCT (Microsoft Certified Trainer) at one time. I made a decent career out of supporting Microsoft products and technologies. I didn’t even mind Vista (shock, horror). But I always dabbled with other technologies…my first Linux install was Slackware in 1997 on a machine which also had Dos 6, Win 95, NT 4 Workstation and Server, and OS 2 Warp, all multi-booting. But I never spent significant time with Linux until late 2012. I had access to Win 8 before it was released through MSDN. It took a while for me to realize the problems with Win 8 and I can list multitudes beside the typical Start Button nonsense. I think that is just when I realized: first how big the world beyond Microsoft tech really was, and second that I was growing tired of playing Microsoft’s game of technology Whack-a-Mole whenever they felt like changing something arbitrarily, i.e. constantly.
I’ve been using Debian primarily since then, along with a few other distros on the side although I am partial to Debian because of their commitment to freedom. I am working my way through Linux From Scratch at the moment. I picked up my Linux+ (LPIC-1) certification earlier this year and I guess you could say I’ve “seen the light” of FOSS, although I was always of the opinion that the concept of intellectual property was something of a joke.
At the end of my Microsoft journey, I’d describe myself as something of an advanced C# developer with a little F# experience and a lot of Microsoft infrastructure experience (AD, DHCP, DNS, etc.) thrown in. Currently I’m looking to get back to that level of comfort, but with Linux. My biggest hurdle has been missing C#, the Visual Studio IDE and the refactoring tool Resharper. I’d love to be able to create on Linux the things I was able to do with those tools, but I’m still learning. I’d also love to be able to get paid to do something along those lines…still working with Microsoft tech to pay the bills for the most part.
Don’t discount someone just because they have a Microsoft background.
I definitely don’t Mike, I’ve met some sharp Microsoft engineers in my time, but some people seem to think people of FOSS can’t have any opinion except the one given to them in this community, if you think for yourself you are a troll, a shill, or you are being paid to say whatever it is they don’t like. It’s the law of the FOSS land sadly, and one of the reasons I left. These days, I just poke fun at it because it’s just so insanely silly that you can’t help but laugh at it. Don’t see it here too often though fortunately, this is a great site with great people.