XandrosOS: User-friendly to a fault

Linux with all the drawbacks of Windows

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

Reg Review XandrosOS is a good-looking, Debian-based Linux distro designed to lure Windows XP users. It's exceptionally easy to install and use, has good hardware and peripheral detection and good multimedia support, offers Windows networking compatibility, saves one money -- and the desktop, a tweaked version of KDE, even looks like XP to boot.

The documentation is good and covers all the main points of system configuration and administration in adequate detail.

Xandros wisely includes Crossover Office, an emulator enabling one to install and use Microsoft Office on Linux. This is good for Excel and Word, but the idea of using MS Outlook, even on Linux, concerns me from a security point of view. It would be wise for Xandros to include Ximian Evolution, which is safer than Outlook, looks like it, and works just as well, and encourage users to chuck Outlook in favor of it. People can use Excel and Word happily with Crossover Office, but Outlook, and (heaven forbid) Internet Explorer don't belong on any computer.

The default browser and e-mail client are Mozilla and Mozilla Mail, an excellent choice. Mozilla is free and open-source, and gives the user good control over script execution, images and popups, and data traces -- far above the mediocre baselines established by Internet Explorer and Outlook Express.

The Xandros file browser is a heavily-tweaked version of Konqueror. It's been designed to look like Windows Explorer and has contracted Microsoft's terminal case of My-itis: My Linux, My Documents, My Home, etc. But this is reasonable; the whole idea here is a Linux box that will seem familiar to Windows users.


Just like old times. However, navigating from the shell can be a problem since a number of directories have been re-named to conform with Redmond's august conventions. Still, Krusader is a good file manager / Web browser / sort-of FTP client, and Xandros' version can easily be configured for a bit less Redmond emulation and a bit more serious business.

The package manager, called Xandros Networks, is good, allowing for both DEB and RPM installations. It will automatically check dependencies when packages are installed, though silently. It can also automatically fetch package updates from the Xandros server.

Xandros succeeds in ease of installation and ease of use. A Linux novice can get it up and running without bother. Indeed, the press release for reviewers urges one not to compare it with Linux, but with Windows XP. But there's actually a bit of unintended irony in that: Xandros does compare favorably with Windows XP; it's only in comparison to a solid Linux distro that it falls on its face.

There are a number of problems, most of which are related to its eagerness to be just like Windows XP. It succeeds there as well, only to a fault.

The GUI administration interface is nothing more than KDE's Control Center, which is hardly adequate. This means that when one wants to do any serious tweaking, one will be using the shell and editing configuration files manually, which is exactly what you don't want novices to have to do.

There is a services management dialog in the Control Center, but it only lists a few services, and it only offers "Automatic" and "Manual" options for them to be started. To minimize the system, either for performance or security, it's necessary to uninstall an unnecessary service using the Xandros Networks package manager, or manually edit the boot scripts in /etc/init.d, which, again, is too much to ask of a novice.

Services - Control Centre

Some of the best KDE packages are missing: Krusader, KMplayer, Kpackage, Ksnuffle, KBear, KGet, and KGpg to mention a few. KMail is available, but not installed by default. Ditto for the Gimp and GCC.

The distro also lacks such useful packages as Ethereal, Webmin, GnuPG, Whois, Xchat, Licq, Gaim, and Bastille. There is a packet filter front-end called Firestarter, but it is not installed by default, and when it is installed, it's not integrated with the start menu, making it necessary for the user to search for the binary and launch it. It's also rather complicated for a novice to use, with numerous options, and lacks the hardening features of Bastille, which is both simpler and better.

There's a serious lack of attention to encryption and data hygiene. It's very easy to integrate GnuPG with KMail; unfortunately, GnuPG and KGpg are not included. It's also easy to integrate GnuPG with Mozilla Mail using a recent feature called Enigmail, though the Mozilla version (1.4) packaged with Xandros lacks it. The Shred utility is included, but it's not integrated with the file browser. The right-click menu and menu bar offer only to delete a file, not remove it securely. Shred must be run from the shell, which, again, is a bit much for novices.

But the real security problem in Xandros is precisely the Windows affliction: too many networking services are enabled by default. This is done to make everything easy for the user; but 'easy' and 'simple' are two very different things. Just as Microsoft enables all sorts of superfluous networking whistles and bells that don't belong on an Internet-connected box, so does Xandros. A quick check with Netstat, immediately following a default installation, reveals a problem familiar to all Windows users:

Shell - Console

Here we've got SLP (Service Location Protocol), IPP (Internet Printing Protocol), SunRPC (portmap) and NetBIOS active. As we saw in the services interface, NFS (Network File System), and Samba (SMB) are enabled by default. These are all handy items, but risky on the Internet. They should all be disabled by default and enabled only as needed.

Thus Xandros is like Windows XP in the worst way possible: it makes dangerous "features" available to everyone whether they need them or not, so that using them will be easy, while neglecting to consider the routes to exploitation that they open. And like Windows XP, Xandros doesn't enable packet filtering by default.

The user can uninstall Samba, SLP, SunRPC (portmap) and other horrors like Telnet with the Xandros Networks package manager, assuming they know enough to do so. To eliminate IPP, one must navigate to /etc/cups/cupsd.conf and edit the file manually, which is more hackery than I would expect a Linux novice to be capable of.

Like Microsoft, Xandros has placed far too much emphasis on features and ease of use, trying to be all things to all people, and far too little emphasis on security. An experienced Linux user can harden it and simplify it nicely, and find and install the additional packages he needs; but the novice will have little hope of doing so. You need to be a power user to make Windows reasonably secure. The same is true of Xandros, although, among Linux distros, it is a rare exception in that regard.

I would not recommend it; it's far too inflexible for power users, and a bit too dangerous for novices. The boxed deluxe edition, which I tested, costs $90, a reasonable price only because Crossover Office is included. For the same price one can get an immensely more servicable 'Pro' distro from Mandrake or SuSE, though Crossover will be extra. ®

Reducing security risks from open source software

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Captain Kirk sets phaser to SLAUGHTER after trying new Facebook app
William Shatner less-than-impressed by Zuck's celebrity-only app
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story


Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.