Celebrity advice on keeping your Linux desktop secure
Posted by: Anonymous
on February 03, 2008 05:31 PM
The advice to enable automatic daily updates of software is a horribly bad idea -- that (in)security model does not work for MS Windows, why does anybody think it will work any better for Linux distro's? There are two fundamental problems with that model, number one biggest problem is the tendency of some distro's (cough cough *RPM*) to release updates with broken dependencies. In fact one of my earliest experiences with leased servers was to one day get locked out of ssh access because of auto-updates that created a version mismatch; here I thought I had escaped that madness by switching to Linux. When this happens your Linux box will get hosed almost as bad as when MS does it, the only difference is that MS does it a lot more frequently (constantly?), whereas the QC for Linux distro's is usually higher. Also it is *much* easier to fix the Linux box -- just copy a couple of files, with MS doze you often need a full reinstall.
The second reason to avoid blindly updating your software is because of the the potential for the updates to get hijacked. It's a very attractive target and sometimes mirrors do get cracked. Thus with one fell swoop you have compromised any computer which uses that mirror for auto-updates. Happily it usually gets discovered pretty quick. So my rule of thumb is to always delay the update until it's been vetted. If you manage a bunch of computers, then sure go ahead and do the auto-updates, but point them to an internal mirror that you maintain and only place fully vetted software on it and make sure you have sufficient access controls. It's easy to set up your own mirror with Linux, but if you aren't a 500 company forget doing it with MS. -- codeslinger (compsalot)