Perhaps Mitch Albom could write a book about it

Tuesdays with Microsoft


Waiting until a certain day of the week to patch your software is one way to do it, but not on Linux.

By Jon "maddog" Hall

It all started with the well-publicized troubles of people trying to break into Google's systems using closed-source web browsers from a certain well-known closed-source software company.

Usually I ignore the issues people have with viruses, spam, and security holes in closed-source products, other than explaining why certain well-known operating systems and application suites are probably more susceptible to these types of issues than FOSS operating systems.

To be fair, when people ask me whether Linux is "secure," I patiently explain that no operating system is completely secure unless it is removed from the Internet, with the power turned off, and an axe through the disk drive. Some friends at the National Security Agency (NSA) would add that the semiconductor memory would have to be scrubbed and the disk ground to fine powder and burned ... but they are perfectionists.

Even Linux system logs have to be monitored constantly, with anything suspicious noted and acted on. Filesystems should be encrypted and (if you have the staff and machines) "honey-pots" set up to confuse and distract crackers trying to break into your network. The use of non-mainstream distributions with non-Intel instruction sets on your firewall might also give you an additional level of protection against attacks, and you should definitely remove any services and application software from your systems that you don't need.

However, I have read a number of articles about Microsoft patching their software, then retracting the patches, and about "Microsoft Tuesdays," the day that Microsoft seemingly sends out their patch sets. Then I read that in the month of March, Microsoft would be concentrating on applications, leaving the operating system to other months. I swear, I am not making this up!

I guess my question is: Do people who are trying to break into this closed-source operating system follow this calendar? Do they stop attacking the operating system in March and just concentrate on the newly patched applications? And what about batching of patches? I understand that when you patch some part of the operating system, you might have to patch other parts to make them compatible, but why do Microsoft patches always seem to come in service packs? Are exploits batched as well?

A recent report by a reputable online magazine announced that a Microsoft patch would be released the following week, but the magazine could not say what the patches were or what the functionality would be - only that there would be a release.

I wished that Linux systems could get as much attention from the press ..., but this is not the type of attention I would want. I prefer the way patching happens with Ubuntu. I install my software from a DVD, then I pick the packages I want on the system. Over time, when I need additional functionality, I go to the "Ubuntu Software Center" in my Applications menu and search for the software I need online. I click to install the software. Sometimes I'm told that I need additional packages, and it proceeds to select those packages for me. Then the software installs over the network.

From time to time, I start up my system and log in. The Update Manager starts up and checks for updates (either security or major problem areas) for the software I have installed. If updates are available, a little flag goes to my taskbar and waits patiently for me to click on it to see what should be installed.

I could just click to have every patch installed, but I typically read the information about each patch that tells me why I should apply it and what the patch is doing. I do not remember ever having an issue with the explanation, and normally I just click to install all of the patches. The patch manager then tells me if I have to restart my browser or the operating system depending on what was patched. Typically I do not have to restart either.

I have not tried any of the other distributions of Linux for this type of support in quite a while, so perhaps the other distributions are not as pleasant as Ubuntu, but it does make me angry when I hear Microsoft users smugly talking about the "lack of support for Linux" while waiting for Patch Tuesdays.