Vulnerability Development mailing list archives

Re: Lindows Issues


From: De Velopment <devel () www2 kparker org>
Date: Sun, 21 Jul 2002 01:50:19 -0700 (PDT)

Hello KF,

On Thu, 18 Jul 2002, KF wrote:

> I am a paying customer and unfortunately if you read their agreements I
> may be violating their wishes by publishing info like that. I may also
> lose my right to be a Lindows insider.

   I'm a "Lindows Outsider" as I simply purchased a Microtel box from the
Walmart web site, so I have no qualms in saying the little that I know.

> This is also why the info that I
> have released I stressed the Xandros side of things and was not directly
> referencing Lindows. <snip>

   I was not aware of the Xandros part in this.  All I was able to
quickly find was evidence of the Debian GNU/Linux "Woody" release,
with the 2.4.18 Linux kernel.  Unfortunately, there were hardware
problems with the Microtel PC itself (neither sound nor CD worked).
I sent the box back to Microtel and am expecting a new, working one
soon.  However, I had a good look while I could.

   Everybody's worst fears are correct:  Out of the box, it came
up in a modified KDE in ROOT, with no password.  (If I sign onto
KDM under SuSE as root, it lets me, but gives me this red background
with pictures of "bombs bursting in air".  This is done, of course,
to discourage people from doing exactly what Lindows does!)
However, to slightly lessen these security fears, I found none
of the usual services open to the outside world, such as Web,
Email, FTP, SSH or Telnet.  (Lindows, on its web site, says it
also runs a firewall to keep people out).

   OK.  So the default is Root.  The underlying Debian distro
still works so I added my usual three users using the command
line "useradd", with no trouble.  I also put a strong password
on Root and now, when booting up, some sort of XDM is running,
asking for user and password.  However, Root is STILL the default.

   One test I want to run fairly soon when I get the machine
back from Microtel is to sign on to KDE as a normal user and
then see if the special Lindows apps still work.

   So, to summarize, based on Debian GNU/Linux, through Xandros.
Prefers that you run as Root all the time (EEK!)  But Debian
tools are still there to override that behavior.  Outside ports
not open but I believe there may be Lindows-specific Trojans
developed that take advantage of vulnerabilities from within.
I will test further when I get my replacement computer and
will report any significant findings here.  (It may be an
advantage that I simply purchased a Lindows preload system,
as I have not signed any non-disclosure agreements like may
be occurring for the "Lindows Insiders").

   Best regards,

        Ken Parker (devel () www2 kparker org)
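
An audit check for the condition reported in the message above (a root account that accepts an empty password), as an added example that is not part of the original post. The passwd/shadow lines, the `guest` account and the function names are constructed for illustration.

```python
"""Flag accounts that can log in with an empty password (constructed sample data)."""

# Constructed passwd(5)/shadow(5) lines, not taken from a real Lindows install.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
ken:x:1000:1000:Ken:/home/ken:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root::11890:0:99999:7:::
daemon:*:11890:0:99999:7:::
ken:$1$constructed$placeholderhash:11890:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_shadow(text):
    """Map user name -> password field from shadow(5) text."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and not line.startswith("#"):
            fields[parts[0]] = parts[1]
    return fields


def audit(passwd_text, shadow_text):
    """Return sorted (user, uid, severity) for accounts with an empty password."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit():
            continue  # skip comments and malformed lines
        name, pw, uid, shell = parts[0], parts[1], int(parts[2]), parts[6]
        # "x" defers to shadow; a missing shadow entry is treated as locked
        effective = shadow.get(name, "!") if pw == "x" else pw
        if effective == "" and shell not in NOLOGIN_SHELLS:
            findings.append((name, uid, "critical" if uid == 0 else "high"))
    return sorted(findings)


if __name__ == "__main__":
    for name, uid, severity in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{severity}: {name} (uid {uid}) has an empty password field")
```

On a real system the two inputs would be the contents of /etc/passwd and /etc/shadow, read as root.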

