As part of a series of articles previewing KDE's World Summit,
aKademy (running from August 21st to 29th), Michael
Renner and Tom Chance interviewed Nils Magnus of LinuxTag about security on the desktop. He is
due to deliver a tutorial
on security on the KDE desktop with Kester Habermann, one of 15 that run in parallel with
the coding marathon. Read on for their thoughts on Linux and Windows security, software patents
Q: Is Linux actually more secure than Windows or is it just less common?
Nils: Well, Linux is in fact still not as common as Windows at the moment. But it
would be fatal to trust that fact when you think about security. We know that
all software has problems. Even with Linux we had occasional incidents in the past.
An example of this is the Slapper worm that attacked the Apache web server.
However, the major difference to Windows and all other proprietary software is
that security problems, due to the free availability of the source code, are easier to
find and to fix.
In the expert's view, the kinds of current Windows vulnerabilities are
technologically similar to those that we had in Linux and other free
Operating Systems back in the 1990s, e.g. buffer overflows and Off-By-Ones.
Such errors have since declined in Linux.
As soon as a vulnerability is known, the reaction time is in the range of
a few hours for open source software. For proprietary software it often takes
30 days or more; manufacturers call this a short response period.
Finally, due to its architecture, Linux is free of one plague: There are no Linux
viruses! Sophos, the antivirus manufacturer, lists just two Linux viruses,
but these have only been of academic interest and are rare 'in the wild'.
After all, the well-engineered system design is based on the experiences of 35 years of
Q: Is physical access to a computer insecure in general?
Nils: Yes, this is generally correct. If the attacker has physical access, the system administrator
has a hard job to make the system secure. This is the reason why server systems
are typically operated in secured data centers.
With desktop systems, the focal point of
our tutorial at aKademy, there are some different rules. The subset of people with
physical access to a system won't have such criminal intentions as an unknown attacker.
An encrypted hard disk, restricted user rights, removable media like USB sticks or critical
data at a fileserver help a lot.
And of course we should consider the 'Trusted Computing' issue. It was originally
concerned with this problem, whereas lately it has been abusively confused with 'Digital Rights
Q: How good must security be, or is absolute security needed?
Nils: There is no absolute security per se with computer systems. The administrator's task is to define
and reach a level of appropriate security. We often hear 'there is no critical data
on my computer'. But is this true? Information technology is increasingly becoming a part
of many areas of our life. We won't notice this in any case. Do we access our e-bank
account from the same computer? How would the employer react if in the private web cache
several situations offered are found? And does the music and advertising industry
have insight into every private preference?
Fortunately, a modern operating system like Linux has protective mechanisms that
can be activated and administrated easily with KDE. How to disclose and fix harassment
will be discussed in detail in the tutorial.
Q: What effects do you expect from software patents?
Nils: So-called software patents are a dangerous threat for the small and medium enterprises
in Europe, because they have to spend considerable amounts of time and money in the
check-up for existing patents and the defense of such demands. For that reason
experts and concerned citizens are critical of so-called software patents. Seventy-five
percent of the LinuxTag 2004 visitors said they are against software
patents, whilst less than 0.4% favored them.
Q: What hardware and software do you work with?
Nils: I work with a Linux system that was set up from an installed Knoppix with some
adjustments for a more secure operation. I travel a lot, so I use computers in
environments where I cannot be sure about their integrity (e.g. my notebook).
Important data is stored on a central, well-secured place that I can reach via
an encrypted Internet connection. So any computer with a network connection
is sufficient for me, because I always have a Knoppix DVD or a memory stick
Q: Is there something else that you want to say to our readers?
Nils: Safety is a fascinating topic with many aspects. In our tutorial we want to
show how you can help yourself to find your own point of view. We will
have lots of practical exercises and demonstrations, so the theory will be
transferred directly into practice.
Q: Thank you for your answers and your time.
Nils: No problem.