British businesses advised to avoid Linux

Security expert undermines very heart of Linux OS

A British security consultant has drawn fierce criticism from Linux experts after advising companies the open source operating system is not secure enough for commercial use.

Speaking Wednesday at the UK Compsec conference in London, Stan Dormer of IT security training firm Stan Dormer Associates, dedicated an entire presentation to the subject entitled: "Linux Security: is it good enough for commercial use?"

Dormer criticised the portrayal of Linux in the media as a practical alternative to Windows variants claiming that for the average user, Linux is not a secure option. His conclusions are based on research carried out by his company over a number of weeks.

According to Dormer's research:

  • Linux requires more user expertise and knowledge than other operating systems, meaning higher administrative and maintenance costs

  • Different Linux distributions install with unknown levels of security

  • Linux requires an inordinate amount of work to prevent passwords being captured and reused. Dormer said the command line prompt makes it easier for input processes to be hijacked

  • Linux has inferior standard logging capabilities

  • NetWare and NT are more flexible

  • Freeware may contain bugs and is not as widely available as commercial software

One Linux security specialist, who requested anonymity, challenged Dormer's research and his credibility: "You shouldn't run Linux if you can't support it and obviously this guy couldn't. As for not being as secure as something like Windows NT, I see many bugs in NT and I can't say I trust it. You certainly can't trust the vendor to fix the bugs."

The security source also disputed whether Linux is difficult to set-up securely. "In about ten minutes you can get a Linux box pretty unhackable running Apache and SSL. NT is an administrative nightmare as the whole logging process slows it down so much." He also questioned whether a novice should be involved with setting up any company's security measures.

But Dormer hit back arguing that his assertions need to be taken in context. He said that in Britain many relatively inexperienced IT managers are charged with making sure their company is shored-up against computer attack. "I'm not knocking Linux," he said, "I'm just being a hard-nosed businessman. With Windows what's going on is far more visible and you can bring your experience of working with Windows 98 and 95 to it."

British Linux developer Jason Clifford attacked Dormer's presentation as wildly inaccurate and misleading. "What was he trying to sell people? You can't get much more secure than having access to source code. Most distributions of Linux have nice utilities for security and I'd say that it's as easy, if not more, to make Linux as secure as any other operating system."

Clifford also pointed out that security is an important issue in itself, regardless of the operating system. "No system is exactly easy to secure. Security is about best practice and if you know good practice it's easier to be secure on any operating system.

Take me to the Linux Lounge

Do you agree with Dormer's research? Tell the Mailroom