Linux Legend "maddog" Shares Exclusive Security Insights with LinuxSecurity
maddog, as he’s affectionately known throughout the Linux and open source community, has made a career of being in the trenches with the Linux developers, teaching them the way of Open Source and Free Software development after decades of being involved with technology and education. In an exclusive interview with LinuxSecurity researchers, Jon "maddog" Hall, often referred to as “the Godfather of Linux”, reveals his history with Linux, some of his contributions to the community, a bit about its evolution, and his thoughts on what we might see with Linux in the coming years.
LinuxSecurity: When was the first time you realized Linus really had something special with the creation of Linux and it was going to change the world the way it has?
It took a while. When I first met Linus at DECUS in May of 1994 I saw an interesting project that could help develop research on 64-bit address spaces on top of the Alpha processor. As I talked with Linus I liked him both for his technical expertise, as well as for his personality. I also tried Linux on an Intel computer and was impressed with the speed and “feel” of the system.
Later I began to think about having the same “Unix-like” system, with source code, available across all the different systems. Remember that BSD was still going through the lawsuit and was not available for free distribution.
LinuxSecurity: You've talked about "world domination" with free and open-source software in the past - do you believe we've reached that point now?
We have reached a lot of that in High-Performance Computing, Embedded Systems, Servers, and Android phones, but we are still not quite there on desktops and laptops (although Android-based Chromebooks are biting into that).
LinuxSecurity: What do you think are some of the biggest open source accomplishments?
High-Performance Computing (based on the work of the “Beowulf” systems by Donald Becker and Dr. Thomas Sterling), and the work on the Internet, including the World Wide Web.
LinuxSecurity: How have the Linux and open source communities changed over the last twenty years?
A lot more “Open Source Developers” are employed by companies or have their own companies based on “Open Source” and Free Software.
LinuxSecurity: What impact has the pandemic had on Linux development, implementation, and features?
Not much, since most FOSS projects were developed over the Internet anyway. I would say there has been a large increase in video conferencing tools, and ones that were marginal have many more features and scalability today.
LinuxSecurity: Where do you think Linux has been most successful? Is there a specific industry that has benefited most, like healthcare or finance, or a specific field, like security or web hosting?
Definitely web hosting and virtualization, and with that, security, which is very necessary in an Internet-based environment.
LinuxSecurity: We've talked a bit about open source versus proprietary software as it relates to security. While the application of open-source may not inherently be more secure, open-source design and the concept of "many eyes" provides the ability for it to be more secure. Do you believe this is one of the successes of Linux and open source? What role does the "many eyes" aspect of open source have to the overall security of Linux?
Actually, I do not believe in the “many eyes” aspect. I know of FOSS projects that have only one set of eyes on the code, and while many people *could* look at the sources, only the one person *does* look at it. Of course, the same can be said of much closed-source code too.
I also do not believe in the concept that FOSS is more susceptible to security breaches because bad actors can “see where the bugs are”. If obscurity was the basis of security, then Microsoft would be the most secure system in the world…
In my mind the true benefit of Free Software (and I use that term instead of Open Source) is that the end-user has access to the source code so they can fix the bug when it is found… in professional terms, “Mean Time To Fix (MTTF)”. I have worked on (and owned) closed source systems. When the company that developed and shipped that system lost interest in it, you could no longer get security patches for it, even though many people might still be using it. The company might tell you to update to a newer version of their software, but they do not seem to realize (or care) that you can not do that.
You do not have the money to buy new hardware to run the new operating system. The device controller that you have does not work with the new operating system or the new motherboard you have. The software that you use has not been ported to the new operating system or hardware. The reasons go on and on.
While Windows XP was retired more than a decade ago, it is estimated that 0.6% of the PC base is still running Windows XP. That does not sound like a lot until you do the math and realize it is over 12 million systems. If Microsoft had released the source code for Windows XP, then owners of the systems could have formed a community to keep the system software securely patched… or at least as secure as it ever is.
When Free Software developers detect a bug, they usually supply a source code patch that can be applied across multiple distributions, multiple hardware architectures, and multiple editions of Linux within hours.
Some people say “Oh maddog! I do not have the expertise to apply those patches”. That might be true, but you have the ability to hire someone to apply those patches. It is YOUR choice, and YOUR control of YOUR software. With Microsoft you have no control… it is not YOUR software.
Open-source security is big business. Many of the world's largest organizations have now contributed to the Open Source Security Foundation (OpenSSF) and others to improve the security of open-source software. Google committed $1 million to a new Linux Foundation open source security rewards program after the Linux Foundation raised $10M itself to support open source security projects. Google has committed $100 million overall to support third-party foundations that manage open source security priorities and help fix vulnerabilities.
LinuxSecurity: This is especially important at a time when we've seen an increase in supply chain attacks and ransomware attacks on the nation's infrastructure. Do you think Linux vendors are doing enough to protect their users? Where do you think the most significant improvements need to take place? As organizations shift more resources to the cloud, do you think this is a priority for organizations today? Do you think open source could be the solution to these national cybersecurity concerns?
Security is a big problem and getting bigger and more intense as more and more systems control our daily lives. We can no longer fly planes or use elevators without computers. Autonomous cars are on the horizon. Years ago OpenBSD had a “side project” of developing security-related software and OpenSSH and OpenSSL were created. Much work was done to eliminate buffer overflows, etc. But more work has to be done.
On the other hand, many security issues come from “bad user on device” or improper system and network administration techniques, so even the most secure code in the world will not protect your network… this is where security training and certification efforts like LPI’s come in.
We need to build security in, not have it as an add-on later. We need to train “Mom&Pop” in basic security techniques and not to paste their passwords as a “sticky” on their screens or under their keyboards.
LinuxSecurity: What's next for Linux in the security arena?
I do not know what is “next”, but what I would like to see is a trusted system that enables a secure boot and trusted applications, built-in with a Free Software model and with certificates that can be generated by anyone, not just Microsoft.
LinuxSecurity: We've talked about how Microsoft has discontinued support for many of their products, leaving tens of millions of users unable to keep their legacy systems secure. Do you think Microsoft should open source their legacy applications they no longer support? Do you think this would help to address the outstanding security concerns?
I have discussed some of this above, and I think it would be great if Microsoft was to Open Source all of their products, but I do not believe that will happen, nor may it even be possible. Large corporations like Microsoft often buy technology from other companies or use technologies under license or NDA that may not allow them to share the source code with end-users. Likewise, it is not just the source code that has to be released, but the build environment that has to be duplicated to maintain a whole system. This would cost a lot of money.
LinuxSecurity: To what do you attribute the increase in malware/ransomware attacks on Linux systems, or even the use of Linux systems to conduct these attacks?
The greater number of Linux systems doing ever more valuable things is the reason.
Crackers have long used FOSS tools to attack systems to find holes in the target systems due to the flexibility of the systems. Many of these same people typically build better, more secure systems with the information that they find.
LinuxSecurity: Microsoft has changed its position on Linux a few times over the years. Not only are they a member of the Linux Foundation, but they are also submitting patches to the Linux kernel "to create a complete virtualization stack with Linux and Microsoft hypervisor." How do you believe this benefits the Linux community to have an inherently private organization with a history of "embrace and extend" now contributing to the development of Linux? Do you believe they are making valuable contributions to open source initiatives, or just making it easier for their own applications to interoperate in an open-source world?
Microsoft contributes to projects that benefit Microsoft. I do not blame them for that, they are a corporation with stockholders and a particular business plan. I will point out that Microsoft (and many other vendors) love “Open Source” (that mostly benefits the developer) rather than “Free Software” which benefits the developer and the end user by making sure the end user has all the software and facilities they need to rebuild their environment.
Likewise, Microsoft has been coming to FOSS events for years, talking about their products and developments and contributions to FOSS people. Yet NOT ONE TIME has Microsoft allowed Free Software people to come to their USER GROUP meetings to freely talk about the benefits of Free Software to their end-users. Microsoft did, one time, allow Richard Stallman to talk to their research group, but not to their end-users. Imagine if Microsoft end users understood that they, the end-user, could have CONTROL of their own systems?
If Microsoft wanted to embrace Free Software they might start by making Microsoft Office more compatible with Libre Office through the support of Open fonts and Excel macros and ODF, and other methods. But no…
LinuxSecurity: Projects you're working on for 2022?
Caninos Loucos, a long-running program to develop completely open single-board computers in Latin America. It is going slower than I hoped, but it is still moving along.
Project Caua, a program to help college students with paying for “incidental expenses” (room, board, books, computers, internet, transportation, etc.) in countries that have free Federal and State tuition for qualified students. More than forty percent of the qualified students can not take advantage of the free tuition because they are too poor to afford the “incidentals”. Project Caua could help students start their own business supporting small business owners who can not afford a full-time systems administrator.
I am also very interested in the RISC-V architecture and FPGAs.
Finally I am cleaning my house, where I have been “collecting” things for fifty years… it may take me another fifty to get rid of it all.
Jon ‘maddog’ Hall has made a lasting impact on open-source and free software development and continues to be one of the leading voices in Linux. maddog’s expert opinion has given us an idea of what the future might hold for the open source community and where some of the developments have fallen short. Thank you, maddog, for your time and for answering our questions.