Feb 21, 2005 (05:02 AM EST)
Open Source Walks The High Wire

Read the Original Article at InformationWeek

In my previous column, I stated that MySQL AB is taking some of the blame--unfairly, I think--for a recent worm attack that succeeded due to lazy administrators, rather than defective code.

Until the worm episode, the MySQL development team favored a setup process that left basic security decisions, such as whether to use a root password, completely up to the product's users. This approach has its risks: MySQL, like so many other open-source developers, deals today with a much larger user base that is also much less experienced on average than it used to be.

If MySQL makes a few more decisions for its users, such as forcing them to set a root password to improve security, few people are likely to complain about the tradeoff. This sort of thing is likely to happen more often, and it will involve more open-source products. In spite of the damage, both real and imagined, that may result, it's also a problem that will solve itself, as commercial open-source firms build more effective training programs and as today's beginners grow into tomorrow's veterans. In other words, this is a problem a lot of other industries would kill to have.

Does the same laissez-faire attitude apply to the desktop open-source market, and especially to efforts to win consumer Linux users? Security is half of the desktop Linux act, but usability is the other half--and this is a pair that doesn't always see eye to eye. Bear in mind that desktop Linux buyers aren't just converted Windows users; this group also includes a substantial number of first-time computer users who aren't convinced they need one at all. These are people for whom Linux must make a solid first impression, or there likely won't be a second.

Linspire is one of the Linux vendors with more chips riding on Joe Six-Pack than on the Fortune 500. The company's Linspire OS, and tie-in services such as its "Click-N-Run" software database and maintenance plan, are dedicated to turning people who have never touched a PC and who have no interest in technology into happy Linux users.

One trait intended to make Linspire more user-friendly has also raised some eyebrows among experienced Linux users: a setup process in which many new users end up running only the root account. Linspire's supporters--and there are a lot of them--argue that using a root account is no longer a problem, since most of these machines only serve a single user; in addition, Linspire PCs start up with a fully configured firewall and locked-down ports. It's also true that a user can set up non-root accounts quickly and easily, assuming they have some basic PC skills and know why this might be a good idea.

Linspire clearly believes that its setup process delivers a usability advantage that outweighs the security benefits of creating a user account. I personally don't like the idea--it makes me nervous, and most present or past Linux users I ask feel the same way.

We're not the people Linspire needs to reach, however, and I'm more interested in hearing what the rest of you think about the approach Linspire is taking, or about how other desktop Linux vendors have handled tradeoffs between usability and security. There are a lot of companies making up the rules of this game as they go along, and it will be fascinating to see who comes out ahead.