Posts: 607 | Thanked: 450 times | Joined on Sep 2009 @ Washington, DC
#11
Originally Posted by brendan:
2 words

community review
That's great, in theory, but the published code is what the community can review, not the binaries. I suspect that, even here, few individuals recompile apps after inspecting the source code.

Thus it is not community review but trusted sites that are the key. Open source allows a trusted site to recompile binaries and verify that they match the developer's compiled binaries. They can also review the code and run it past malware scanners. I would hope that sites such as Maemo do this on a regular basis.

Linux is in no way malware free. It's enough of a problem that there's a Wikipedia article on it with many other articles discussing the particular nasties that have been found:

http://en.wikipedia.org/wiki/List_of...mputer_viruses
 

The Following User Says Thank You to DaveP1 For This Useful Post:
danramos's Avatar
Posts: 4,672 | Thanked: 5,455 times | Joined on Jul 2008 @ Springfield, MA, USA
#12
I think it can be summarized in this way:
Yes, it can happen with an open-source operating system on your phone just as it can with closed-source. Neither inherently provides you with more or less security, as such, but in the current ecosystem, open-source tends to be more secure because there's a more immediate response to exploits and bugs. This doesn't mean open-source always responds immediately because that's at the whim of the maintainers, but that it has a tendency to do so because those with a need and interest in security will often participate in reviewing and patching and releasing secure code, whereas closed-source software prevents an effective means of having a public and massive effort of reviewing and participating.

In short:
If I care about malware and trojans, first and foremost I should protect myself regardless of which type of operating system I'm running, THEN I'd prefer open-source because OTHER like-minded individuals are protecting themselves as well and I can benefit from that.

Last edited by danramos; 2009-11-18 at 21:49.
 

The Following 5 Users Say Thank You to danramos For This Useful Post:
PhilE's Avatar
Posts: 71 | Thanked: 65 times | Joined on Oct 2009 @ Brighton, UK
#13
the published code is what the community can review, not the binaries
The former leads irrevocably to the latter - In the case of Linux users who download a source code 'package' of one sort or another, the application is compiled locally. It's not possible to compile a set of source files and have the result be anything other than the binaries derived from that source code.

The big distro makers pre-compile source packages into installable binaries, i.e. RPMs for the RedHat derived distros, PKGs for the Debian derived, etc. This effectively separates the binaries from the compilation process that produced them, so a higher degree of trust is needed on the part of the end user. Most distros demonstrate their trustworthiness by digitally signing their binary packages using GPG or some other key-pair type scheme, making it easy to determine if a binary package has been tampered with or not.

There are a relatively small number of entities such as Adobe (Flash, AdobeAir), CyberLink (PowerDVD for Linux) and some others I can't think of as I type this, who only make binary versions of their software available. They are effectively saying to their end users, "We refuse to show you any evidence that this software is benign in terms of the security of your system and/or data. You'll just have to trust us".

Finally, the security model in Linux is diametrically opposed to that found in many versions of other widely used operating systems. The Linux way is that the default user access is always non-administrative, making accidental or deliberate tampering at system level more difficult. The other (OK, I'll say it, the Windows) way is that users by default have free rein over the majority of the operating system. It is this fundamental difference in approach which makes Windows-based malware relatively easy to write. The greater deployment footprint of Windows compared to Linux or MacOS ensures that malware can spread more easily too.

I have spent almost 10 years deploying and maintaining Linux in ISP data centres for both infrastructure and managed/colocated hosting purposes. In my experience, the usual chain of events is that malware gets onto a server as source code, is compiled locally, exploits a vulnerability elsewhere in the operating system or the packages provided with it to gain root access and then begins to do its dirty work. Particularly for web servers, having /tmp as a file system on its own partition, mounted with noexec, nodev and nosuid flags set, and changing the permissions on the gcc binary to make it executable only by root, will greatly reduce your exposure to most of the more common Linux exploits currently out there.
__________________
Phil Edwards
Brighton, UK
 

The Following 4 Users Say Thank You to PhilE For This Useful Post:
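Two of the points made above (DaveP1's "verify that the binaries match" and PhilE's /tmp mounted noexec,nodev,nosuid) are easy to turn into checks an admin can run before trusting a host or a download. The script below is an added example, not code from the thread or from Maemo: `tmp_hardened` reads a mount table in /proc/mounts format (a constructed sample is embedded so it runs anywhere; on a live box it falls back to the real /proc/mounts) and confirms that a mount point is a separate filesystem carrying all three flags, and `verify_checksum` compares a downloaded file's SHA-256 against the digest its distributor published, which is the minimal stand-in for the GPG-signed-package check the distros provide. Function and variable names are mine, not from any tool.

```shell
#!/bin/sh
# Added example: defensive checks for the hardening discussed in the thread.
# Not part of the original posts; names and sample data are constructed here.

# Constructed sample mount table in /proc/mounts format (not from a real host).
# /tmp carries the three flags; /var/tmp is a separate filesystem without them.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /var/tmp ext3 rw,relatime 0 0'

# tmp_hardened MOUNTPOINT [MOUNT_TABLE]
# Exit status 0 only if MOUNTPOINT is its own mount and has noexec, nodev and nosuid.
# Without a second argument the live /proc/mounts is read.
tmp_hardened() {
  mp=$1
  table=${2:-$(cat /proc/mounts)}
  # Field 2 is the mount point, field 4 the comma-separated mount options.
  opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4; exit }')
  [ -n "$opts" ] || return 1          # not a separate filesystem at all
  for flag in noexec nodev nosuid; do
    case ",$opts," in
      *",$flag,"*) ;;                 # flag present, keep checking
      *) return 1 ;;                  # flag missing: not hardened
    esac
  done
  return 0
}

# sha256_of FILE: print the hex digest using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | awk '{ print $1 }'
}

# verify_checksum FILE EXPECTED_SHA256
# Exit status 0 only if the file's digest equals the published one.
# A missing or unreadable file yields an empty digest and therefore fails.
verify_checksum() {
  actual=$(sha256_of "$1" 2>/dev/null)
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Demonstration against the constructed table.
for mp in /tmp /var/tmp; do
  if tmp_hardened "$mp" "$SAMPLE_MOUNTS"; then
    echo "$mp: noexec, nodev and nosuid all set"
  else
    echo "$mp: NOT hardened (flags missing or not a separate filesystem)"
  fi
done
```

Run it with no arguments to see the sample result; call `tmp_hardened /tmp` alone on a real server to check the live mount table, and `verify_checksum ./package.deb <published digest>` after a download. The checksum check only tells you the file is the one the publisher hashed; the signature check the distros perform adds the assurance that the publisher is who it claims to be.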
mrojas's Avatar
Posts: 733 | Thanked: 991 times | Joined on Dec 2008
#14
For me, a risk is lack of polish in applications leading to customer frustration or dissatisfaction.
__________________
Hello! I'm a Maemo Guide!

Interesting links if you're visiting us for the first time (in English): New members say hello , New users start here, Community subforum, Beginners' wiki page, Maemo5 101, Frequently Asked Questions (FAQ)

If I can help you with anything else, just say so!
 
Posts: 474 | Thanked: 283 times | Joined on Oct 2009 @ Oxford, UK
#15
People have explained that open source computer environments are much less prone to these things than closed source ones. Just look at the number of viruses, trojans, keyloggers etc. for Windows (hundreds of thousands), compared with the number for Linux (very few, but not zero).

That said, I have seen two compromised Linux servers in my career; it does happen.

But the smartphone world is a little different.

Unlike a laptop or desktop, closed source smartphones are quite restrictive about what you can install. So you're not as likely to install malicious software on a closed source smartphone, compared with a Windows desktop, simply because you aren't allowed to: the only things you can install are "approved".

Whereas on Maemo, you have freedom to install any old junk, and the temptation is surely there to install things you haven't compiled yourself...

We rely on the community to check things, and for the most part, it does. We also rely on distributions, in this case Maemo and Maemo-extras, to check things and often to ensure the source matches the binary. And, when something is found out, if you are updating regularly, there's a good chance it will be fixed quickly.

The same applies to closed source: with their app-approval processes, that provides a similar kind of checking.

But a major difference has to be on Maemo you can install anything, from anywhere, if you are stupid or if you are tricked into it. With closed source smartphones, that's harder.

It has been said that Linux is inherently more secure than Windows, by design. But it's also been said that Windows has so many malicious programs because of user culture / knowledge / security practices, and simply because it's the more popular platform so it attracts malicious software writers, which combined with the ease of cracking it, tips the balance strongly in its favour.

N900 looks quite a tempting target, if it gets a huge amount of users.
But it is developed by people who are quite security conscious, and a community which is also conscious of such things.

So it remains to be seen which smartphone gets the first virus making premium-rate calls in the background...
 
Posts: 1,746 | Thanked: 2,100 times | Joined on Sep 2009
#16
Originally Posted by jjx:
Unlike a laptop or desktop, closed source smartphones are quite restrictive about what you can install. So you're not as likely to install malicious software on a closed source smartphone, compared with a Windows desktop, simply because you aren't allowed to: the only things you can install are "approved".
Well sure. You're limited inherently in what you can do, but that doesn't in any way make it a good thing. After all, you really only have a handful of options:

- Apple's method, where no apps run without Apple approval
- Symbian's method of tiered access
- Maemo's method, which gives the owner total control

Whereas on Maemo, you have freedom to install any old junk, and the temptation is surely there to install things you haven't compiled yourself...
Well yes, if you download and install things blindly like most Windows users you will end up with one or more malicious bits of software in your system. That's the price of being irresponsible.

We rely on the community to check things, and for the most part, it does. We also rely on distributions, in this case Maemo and Maemo-extras, to check things and often to ensure the source matches the binary. And, when something is found out, if you are updating regularly, there's a good chance it will be fixed quickly.
Trust is very important. It's what open source and pretty much every distro is built upon.

The same applies to closed source: with their app-approval processes, that provides a similar kind of checking.
Do you know they perform that kind of checking? How do you know that app you just installed isn't subtly snooping on you? The few that have been accused of it were all caught by people -after- it had been on the store for a while.

But a major difference has to be on Maemo you can install anything, from anywhere, if you are stupid or if you are tricked into it. With closed source smartphones, that's harder.
"With great power comes great responsibility!"

It has been said that Linux is inherently more secure than Windows, by design.
It inherits from 30+ years of UNIX design philosophy. It can't solve the problem of PEBCAK nor should it try. The only way to do so is to strip the user of all power, which is quite nasty and why Stallman started the FSF.

But it's also been said that Windows has so many malicious programs because of user culture / knowledge / security practices, and simply because it's the more popular platform so it attracts malicious software writers, which combined with the ease of cracking it, tips the balance strongly in its favour.
Any software with a large, mostly ignorant user base is open to exploitation. This is why education in technology and modern forms of communication need to be a lot better. Computers are far too powerful to be left as a black box, and far too useful to be turned into a locked black box.

So if you feel that installing everything you see on the internet is a good idea, no matter how questionable the website or dubiously useful the utility, then by all means avoid the N900. If you're prepared to be a little responsible and practice safe computing (it really is a lot like what you're thinking, I know) then you can enjoy a far more powerful device than most without trouble.

Last edited by wmarone; 2009-11-19 at 02:23.
 
Posts: 4,556 | Thanked: 1,624 times | Joined on Dec 2007
#17
With Android users can install applications outside the marketplace.

With the iPhone you can install applications outside the store if you jailbreak it (or go through that weird sharing thingy that you can only distribute to 5 people?). I think there was also recently a thing where a developer of a popular iPhone application was caught taking phone #s or something (I didn't read much into it).
__________________
Originally Posted by ysss:
They're maemo and MeeGo...

"Meamo!" sounds like what Zorro would say to catherine zeta jones... after she slaps him for looking at her dirtily...
 
Posts: 307 | Thanked: 157 times | Joined on Jul 2009 @ Illinois, USA
#18
If tomorrow everyone were to wake up and start using Linux instead of Windows, Linux would probably not be up to the task of defending itself against the deluge of hackers that would switch over from exploiting Windows.

I quite frankly doubt the internet would survive this period in its current form.

Within a year, though, you would probably find that Linux had fully recovered and was in a slightly better position, security-wise, than Windows, for the sole reason that there would just be more people working on it than Microsoft can afford.
 
Posts: 1,746 | Thanked: 2,100 times | Joined on Sep 2009
#19
Originally Posted by Laughing Man:
With the iPhone you can install applications outside the store if you jailbreak it.
Then you end up with fun incidents like the guy who guessed the default root password on jailbroken iPhones and left all of them a message. Nice little security hole, that one.

I think there was also recently a thing where a developer of a popular iPhone application was caught taking phone #s or something (I didn't read much into it).
They were apparently snatching the numbers from the phones in the free version, and calling them to try and sell the full (paid) version.
 
Posts: 1,746 | Thanked: 2,100 times | Joined on Sep 2009
#20
Originally Posted by mmurfin87:
If tomorrow everyone were to wake up and start using Linux instead of Windows, Linux would probably not be up to the task of defending itself against the deluge of hackers that would switch over from exploiting Windows.
It already has enough of an install base that it's under fairly heavy, constant attack. The majority of Windows' problems stem from the user base, which (as I noted before) doesn't install security patches and basically suffers from PEBCAK. Nothing can solve PEBCAK without treating the user as the enemy.
 