
Linux is fast, flexible and free. Experts say that comes with a security cost - apawloski
http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/?hpid=hp_hp-top-table-main_linux-245pm%3Ahomepage%2Fstory
======
jlg23
Ignoring the fact that this article suffers from severe lack of expertise
(~"linux (the kernel) suffered from heartbleed"): The article is playing
extreme positions against each other. Yes, when I am in charge of a company's
security, I'd want my users to require root access (i.e. my blessing) when
they want to join unknown networks - no, I would not want my parents to
require my help when they want to connect to a wireless network at an airport
when waiting for their flight into their holidays.

A pragmatic solution to this is a configurable policy that is determined at
boot time (and immutable ever after). There is no need to discuss with the aim
to reach an agreement - requirements differ and for a lot of use-cases "I
don't care" is just as OK as "no fscking way" is for others.

~~~
Sanddancer
That sounds a lot like the securelevel [1] features the BSDs have. A coarse-
grained system that locks a system down with progressively stronger and
stronger controls. There have been occasional discussions on the kernel
mailing list on adding such a feature, but at the moment, Linus prefers the
capabilities system. A shame, really, because having something to disable
activities that people wouldn't do in a production system would be useful in a
lot of circumstances.

[1] http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man7/securelevel.7?query=securelevel&sec=7

~~~
silly1
Securelevel in Linux has never had a good time... it's also not working so well
with kexec at the moment; I think it's fixed in the 4.x series though.

------
bediger4000
This reeks of some kind of PR hit, but there's no obvious candidate for the
source or motivation. The reporter gets some simple stuff wrong, like "The
Linux kernel runs on the New York Stock Exchange", as opposed to a more
correct usage of "Linux runs the NYSE trading" or somesuch.

It also reeks of he said/she said journalism, but the kind where you're
supposed to figure out whether "he" or "she" said the truth, while the
reporter maintains a kind of false objectivity.

All in all, not a service to anyone.

------
iamsohungry
If you look at what the experts say in the article, I don't think any of them
say anything that means "Linux is fast, flexible and free. That comes with a
security cost". In fact, I'm not sure the author of the article is even saying
that, although they're certainly trying to cash in on some fear. This title is
misleading.

Ultimately, I think the message of this article, that Linux out of the box
isn't inherently secure, and the culture around Linux needs more focus on
security, is true. But it's also being said in a vacuum, with no comparison to
other platforms. Certainly the experts in question were right to have concerns
about Linux security, but I'd bet money on the assertion that they have
even greater concerns about, say, Windows.

And finally, some of the problems being blamed on Linux are actually problems
with the tooling around Linux and the platforms Linux is being run on. Android
is inherently always going to be insecure as long as it's running with GSM,
which is fundamentally broken. Heartbleed was an OpenSSL bug. And Linus is
absolutely right that if you are running Linux in a nuclear power plant, you
absolutely shouldn't connect it to the internet.

~~~
OJFord

> I'm not sure the author of the article is even saying that

The author, at least, certainly is:

> But while Linux is fast, flexible and free, a growing chorus of critics warn
> that it has security weaknesses that could be fixed but haven't been.

~~~
iamsohungry
That's different from saying that fast/flexible/free is coming at the cost of
security. The cost wording makes it sound a) causal and b) unique in this
property compared to other options.

There are security weaknesses in Linux that could be fixed but haven't been.
The same is true of Windows, MacOS, iOS, etc.

That's different from saying, that if you choose Linux, you have to pay the
cost of lowered security.

~~~
autoreleasepool
MacOS is obsolete. I think you mean OS X.

~~~
iamsohungry
If you know what I mean, why are you correcting me? I haven't failed to
communicate my point, and you're adding noise to the signal of the
conversation.

I suspect you think this makes you seem more intelligent, but in reality, it
makes you seem socially inept. Don't be that guy.

~~~
autoreleasepool
I didn't mean to offend you. I just wanted to point it out for future
reference. Simmer down and learn to take a correction.

> I suspect you think this makes you seem more intelligent

Nope, I'm just a Mac developer. I use OS X every day. MacOS was a non-Unix
operating system that ran on a PowerPC architecture. You were very far off.

> it makes you seem socially inept

If you called Windows 10 "Windows XP", it would not be socially inept to correct
you unless you were not in the tech industry. However, since this is HN, I
assumed you could handle it. Sorry!

------
igsmo
When Linus says "To me, security is important. But it's no less important than
everything _else_ that is also important!"

I believe him, but now I'm not so sure anymore with this article. This is
very disconcerting about the Linux kernel; I'm totally freaked out by this
article. I didn't realize that the state of security with Linux has come to
this.

My first linux distro was redhat 2.0. And now after almost 20 some years of
using linux, I'm now going to have to switch back to Microsaft Windows!

------
joesmo
This article is so poor, it's not worth reading. I know the author and
publication usually have no idea what they're talking about, but if their
whole point is based on their misunderstanding, then the article is just
garbage. Heartbleed and shellshock have nothing to do with the Linux kernel.

------
ai_ja_nai
The article seems to miss a crucial point: if everything is so screwed up, why
has it been the dominant technology for 24 years? I mean, we are all still
there alive and breathing.

~~~
2bluesc
> if everything is so screwed up, why has it been the dominant technology for
> 24 years?

I understand your point, but why is Windows a thing?

------
jenkstom
That's a pretty horrible article. There are security extensions to Linux like
SELinux. There is nothing stopping anybody from forking Linux into a more
secure version. That would be the best way to solve the problem.

The only result of this article is that I have a lower opinion of The
Washington Post than I used to.

~~~
_yy
Well, Grsecurity _did_ maintain their own Linux fork for the past ten years
with an excellent security track record. The issue is that mainline is not
interested in merging it, leaving most users vulnerable (since using a Linux
fork in a production environment is something most users aren't going to do,
even if there are clear benefits).

------
methehack
link bait, right?

------
eloff
This is a really crappy article. Light on technical details, and wrong on
some. The Post should be ashamed to publish this.

