2009: The Year of Linux on the Desktop

It’s been a joke for nearly a decade (maybe longer) to refer to the current year as “the year of Linux on the desktop.”  For me, it’s been a reality for several years, at least at home.  With my change in jobs last week, I had only a limited equipment budget, and since I needed a new laptop, that didn’t leave much money for a new desktop.  Most of my coworkers have opted for iMacs or Mac Pros, but I opted for a surplus lab machine running Fedora 11.  With the two widescreen monitors and 1 TB RAID 1 that I set up, it clearly makes sense to use it primarily.

Having used Linux in both server and desktop settings over the past 8 years, I’ve grown very comfortable with it, but my first week was not without issues.  The first was that the video card in the machine was made by ATI.  I’m not passing judgment on the quality of ATI’s hardware, but their Linux drivers are problematic.  Fortunately, my officemate had a spare NVIDIA card that I could put in.  A quick run of the NVIDIA setup program, and I had my monitors working perfectly.

The real fun came getting my e-mail set up.  My employer has a Microsoft Exchange server, which I’m required to keep an account on.  I first tried to use the Evolution groupware client, which has some rough support for Exchange.  For the life of me, though, I couldn’t get it connected. So I tried to use IMAP, which also didn’t work.  Of course, that didn’t bother me too much, since an IMAP connection wouldn’t work for calendaring or contacts, just e-mail.

Most of the admins in my group use Google accounts for e-mail and calendaring, so I decided to go down that route.  I set my directory entry to forward my work e-mail to my Google account and set up Google to POP my Exchange e-mail (since mail sent from an Exchange user doesn’t leave the Exchange server).  Evolution has excellent support for Google accounts, including e-mail, calendars, and contacts.  At least, I thought it did.  It turns out Evolution has a fun bug that causes recurring calendar events to not display when the account is added as a Google account.  Apparently, it works if you add it as a CalDAV account, but if the calendar is the primary calendar for an account, the @ symbol in the URL breaks things.

I finally gave up on Evolution and tried Mozilla Thunderbird.  Thunderbird has a calendar extension called Lightning.  With the gContactSync add-in, I can synchronize my contacts as well.  The account setup was really easy, and I’ve been happy using it.  I just wish I could have arrived at it sooner.

Most of this post has focused on problems I’ve encountered in desktop Linux, but the truth is, most of it has gone pretty well for me.  I’ve used Fedora on my primary desktop at home for years, and most things just work.  Many of the reasons people give for Linux not being ready for the desktop are based on things that were fixed years ago, or the fact that the problems are different.  All OSes have problems, but when you’re used to the problems of one, the problems of another stand out.

It’s 2009, the year of Linux on the desktop.

A few thoughts on phishing

It’s no secret that I write blog posts a few days in advance.  When I’m on a roll, I am sometimes a week or more ahead.  Well right now it is getting kinda late-ish on Wednesday night, and I don’t anticipate having much time to write on Thursday.  Since I have no other posts ready to go, I have to write Friday’s now.  Difficulty: I’m not feeling very well.  Oh yes, and I’m not really sure what to write about.

I guess I’ll write about phishing. Not the kind you do with your grandpa on a lazy summer day, but the kind that cleans out your bank account and runs over your cat.  It’s been many years since I first started seeing warnings on AOL chat windows letting me know that AOL employees will never ask for my password. Yet here we are, over a decade later, and it is still a real problem.  As recently as a year ago, a professor in my department fell victim to one of the “reply to this message with your username and password” e-mails that occasionally get sent to people at large universities.

Of course, most phishing attempts are a bit more subtle.  Perhaps the university (or bank, or whatever) logo, complete with a link to an authentic-looking website.  Just enter your login information and voilà, your credentials are in the hands of the bad guys.  So how do you combat this?

As an admin, there’s not much you can directly do; it all comes down to user education.  Unfortunately, while user education is very effective, it is notoriously difficult to achieve.  People don’t want to bother thinking about whether the message they got from me has a valid S/MIME signature attached.  They’ll probably do whatever I tell them to do, whether or not I’m actually the one telling them.

Some people have taken to encouraging people not to click any links in e-mails (which is a good idea, but let’s face it, we all click links because it’s too damn inconvenient to not) and putting spaces between each character in the “http://” portion of the URL to prevent mail clients from automatically creating links.  I get the idea, but I think it’s generally silly.  For one, it looks funny and takes up extra space on the line.  For two, it doesn’t really address the problem.  Sure, the idea is that people will copy and paste the URL into their browser, but a sufficiently tricky phisher can create a URL that looks close enough to legitimate such that a distracted victim wouldn’t notice.  It also relies on the fact that people have been taught not to click on links in e-mail, which is pretty much a universal behavior, even among those who should know better.

There’s also some debate on whether or not it is appropriate to tell users about the latest round of phishing attempts.  My take, and several of my colleagues agree with me, is that telling users is a bad idea.  It might seem counter-intuitive, but consider this: if you always tell users, you’ll train them to think that their friendly admin will always let them know when the bad guys are at it again.  So then that one time you miss sending out a message, some users will assume it is legitimate and fall victim.

So what’s the solution?  If I knew that, my blog would be as famous in the information security business as it currently isn’t. Realistically, it comes down to doing a better job of user education, but that’s hard.  And it doesn’t really address the “how” aspect. Somehow, we have to train people to not click unverified links, and that starts with changing our own behavior.  Greater use of digitally signed e-mail is a good idea too.  There was an interesting discussion on Reddit about this earlier.

Where do we go from here? And how will we try to keep up with/ahead of the bad guys?