Hi, I’m Nat Friedman, and I thought I’d respond to some of your thoughts here.

First, security. I don’t remember exactly what I said during this interview, but people ask me about Linux desktop security pretty frequently and I usually tell them approximately the same story. Linux’s security benefits over Windows on the desktop are one of the main reasons that businesses are currently replacing Windows desktops with Linux desktops on a large scale and so this comes up all the time.

Indeed, ONE of the reasons that fewer viruses, worms and other bits of malware target Linux is that the Linux user base is a smaller, less juicy target than the vast masses of non-tech savvy Windows users over whom virus authors like to demonstrate their superiority. I’m sure I mentioned that in the interview because it’s an important factor. But that is only one reason; there are several other layers of security that protect Linux desktop users.

First, at the user interface level, we tend to make it more difficult on Linux for people to accidentally execute scripts or unverified applications by requiring people to save attachments to disk and make them executable before running them. In Evolution and generally in Linux, you can’t just double-click on an executable or a script in your mailer, mistaking it for a document, and run some malicious script. These extra steps protect a lot of people from mistakenly running a trojan.

Second, with AppArmor (in SUSE) or SE/Linux (in SUSE and other Linux distros), you can very easily sandbox an application and specify exactly what types of system calls it is allowed to call and what parameters it can pass to them. So you can, for example, prevent your browser from reading or writing your email or any of your personal directories; or you can restrict an app to only connecting to certain IP addresses. You can create multiple profiles for various applications. This is all very flexible. Both SE/Linux and AppArmor allow you to do this, but AppArmor has some nice UI to make this easy. All of this is based on kernel-level instrumentation and the LSM (Linux Security Module).

Third, because the Linux kernel can use the XD/NX functionality in modern x86 processors, we can systematically prevent buffer overruns, even in poorly written software. These can be prevented at the level of the chipset/kernel; basically you tag certain pages in memory as being data and not code, and prevent someone from running code out of data pages.

Fourth, as you point out, there is a strong separation of user and superuser capabilities in Linux. This means that if a user account is compromised, the entire system isn’t compromised.

And finally, Linux was written by people collaborating on the internet; people who grew up on the internet, and who know instinctively to treat network data as potentially hostile. So Linux desktop code tends to be written in a more secure way; it’s part of our culture.

I don’t remember whether I had time to say all of that during the few minutes Ted interviewed me on the floor at Linux World (and I don’t really feel like listening to my own interview right now), but I do usually try to say all those things.

The rest of your blog post seems to focus on the current way people are running Xgl, which involves running two X servers — one on top of the other. This is definitely a weird setup and suboptimal; it requires us to proxy through a lot of X extensions from one server to the other, and it’s a bit fragile. It’s not where we want to be with Xgl. Ideally there will be one X(gl) server which runs on top of kernel-space EGL drivers. This is the ultimate architecture David is headed for. XEGL would not require two X servers as you describe, but it would give us some other benefits, like being able to run the X server as a non-root user.

In the end, though, it doesn’t matter to our users or me or, I think, anyone else, if the entire world uses aiglx or Xgl or Xegl or some new thing (Xaieglx??) that we haven’t invented yet. What’s great is that Linux is getting lots of great fancy effects which make the desktop sexier and in some cases easier to use. It’s also been nice to see Red Hat (the primary developers of aiglx) coming down in support of Compiz, too.

I’m sorry I didn’t respond to your blog entry till now. I would have replied earlier but I didn’t see it till recently.
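The sandboxing the comment describes (keeping a browser out of the user's mail and personal directories while still letting it talk to the network) looks like this as an AppArmor profile. This is an added illustrative example, not code from the original comment or from SUSE; the binary path `/usr/bin/example-browser`, its state directory `~/.example-browser` and the Evolution mail-store paths are assumptions chosen for illustration, and the abstractions included come from the standard `/etc/apparmor.d/abstractions` set.

```apparmor
# Added illustrative AppArmor profile (not from the original comment).
# Confines a hypothetical browser at /usr/bin/example-browser so it cannot
# read or write the user's mail store or other sensitive directories, while
# still being allowed to make outbound network connections.
#include <tunables/global>

/usr/bin/example-browser {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The program itself and its shared libraries (read + map executable).
  /usr/bin/example-browser mr,
  /usr/lib/** mr,

  # Networking is permitted in general (TCP over IPv4/IPv6)...
  network inet stream,
  network inet6 stream,

  # ...but the mail store and other secrets stay off limits. An explicit
  # deny takes precedence over any allow rule and is not logged as an
  # access violation, so it does not generate audit noise.
  # (Evolution path assumed for illustration; adjust to the real layout.)
  deny @{HOME}/.evolution/** rwklmx,
  deny @{HOME}/.local/share/evolution/** rwklmx,
  deny @{HOME}/.ssh/** rwklmx,
  deny @{HOME}/.gnupg/** rwklmx,

  # The browser gets its own state directory plus Downloads, nothing else
  # in $HOME. "owner" additionally requires the file to belong to the
  # user running the browser.
  owner @{HOME}/.example-browser/ rw,
  owner @{HOME}/.example-browser/** rwk,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/** rw,
}
```

Saved as `/etc/apparmor.d/usr.bin.example-browser`, the profile is loaded with `apparmor_parser -r` on that file. The usual way to develop such a profile is to put it in complain mode first (`aa-complain`), run the application through its normal workflow, and read the resulting denials in the kernel log before switching to enforce mode; anything the profile does not list is refused, which is the property that keeps a compromised browser from reaching the mail store.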