XandrosOS: User-friendly to a fault

Linux with all the drawbacks of Windows


Reg Review XandrosOS is a good-looking, Debian-based Linux distro designed to lure Windows XP users. It's exceptionally easy to install and use, has good hardware and peripheral detection and good multimedia support, offers Windows networking compatibility, saves one money -- and the desktop, a tweaked version of KDE, even looks like XP to boot.

The documentation is good and covers all the main points of system configuration and administration in adequate detail.

Xandros wisely includes Crossover Office, an emulator enabling one to install and use Microsoft Office on Linux. This is good for Excel and Word, but the idea of using MS Outlook, even on Linux, concerns me from a security point of view. It would be wise for Xandros to include Ximian Evolution, which is safer than Outlook, looks like it, and works just as well, and encourage users to chuck Outlook in favor of it. People can use Excel and Word happily with Crossover Office, but Outlook, and (heaven forbid) Internet Explorer don't belong on any computer.

The default browser and e-mail client are Mozilla and Mozilla Mail, an excellent choice. Mozilla is free and open-source, and gives the user good control over script execution, images and popups, and data traces -- far above the mediocre baselines established by Internet Explorer and Outlook Express.

The Xandros file browser is a heavily-tweaked version of Konqueror. It's been designed to look like Windows Explorer and has contracted Microsoft's terminal case of My-itis: My Linux, My Documents, My Home, etc. But this is reasonable; the whole idea here is a Linux box that will seem familiar to Windows users.


[Screenshot caption: Just like old times.]

However, navigating from the shell can be a problem since a number of directories have been re-named to conform with Redmond's august conventions. Still, Krusader is a good file manager / Web browser / sort-of FTP client, and Xandros' version can easily be configured for a bit less Redmond emulation and a bit more serious business.

The package manager, called Xandros Networks, is good, allowing for both DEB and RPM installations. It will automatically check dependencies when packages are installed, though silently. It can also automatically fetch package updates from the Xandros server.

Xandros succeeds in ease of installation and ease of use. A Linux novice can get it up and running without bother. Indeed, the press release for reviewers urges one not to compare it with Linux, but with Windows XP. But there's actually a bit of unintended irony in that: Xandros does compare favorably with Windows XP; it's only in comparison to a solid Linux distro that it falls on its face.

There are a number of problems, most of which are related to its eagerness to be just like Windows XP. It succeeds there as well, only to a fault.

The GUI administration interface is nothing more than KDE's Control Center, which is hardly adequate. This means that when one wants to do any serious tweaking, one will be using the shell and editing configuration files manually, which is exactly what you don't want novices to have to do.

There is a services management dialog in the Control Center, but it only lists a few services, and it only offers "Automatic" and "Manual" options for them to be started. To minimize the system, either for performance or security, it's necessary to uninstall an unnecessary service using the Xandros Networks package manager, or manually edit the boot scripts in /etc/init.d, which, again, is too much to ask of a novice.

[Screenshot: Services - Control Centre]

Some of the best KDE packages are missing: Krusader, KMplayer, Kpackage, Ksnuffle, KBear, KGet, and KGpg to mention a few. KMail is available, but not installed by default. Ditto for the Gimp and GCC.

The distro also lacks such useful packages as Ethereal, Webmin, GnuPG, Whois, Xchat, Licq, Gaim, and Bastille. There is a packet filter front-end called Firestarter, but it is not installed by default, and when it is installed, it's not integrated with the start menu, making it necessary for the user to search for the binary and launch it. It's also rather complicated for a novice to use, with numerous options, and lacks the hardening features of Bastille, which is both simpler and better.

There's a serious lack of attention to encryption and data hygiene. It's very easy to integrate GnuPG with KMail; unfortunately, GnuPG and KGpg are not included. It's also easy to integrate GnuPG with Mozilla Mail using a recent feature called Enigmail, though the Mozilla version (1.4) packaged with Xandros lacks it. The Shred utility is included, but it's not integrated with the file browser. The right-click menu and menu bar offer only to delete a file, not remove it securely. Shred must be run from the shell, which, again, is a bit much for novices.

But the real security problem in Xandros is precisely the Windows affliction: too many networking services are enabled by default. This is done to make everything easy for the user; but 'easy' and 'simple' are two very different things. Just as Microsoft enables all sorts of superfluous networking whistles and bells that don't belong on an Internet-connected box, so does Xandros. A quick check with Netstat, immediately following a default installation, reveals a problem familiar to all Windows users:

[Screenshot: Shell - Console]

Here we've got SLP (Service Location Protocol), IPP (Internet Printing Protocol), SunRPC (portmap) and NetBIOS active. As we saw in the services interface, NFS (Network File System), and Samba (SMB) are enabled by default. These are all handy items, but risky on the Internet. They should all be disabled by default and enabled only as needed.
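The same check can be automated. The following is an added example, not part of the original review: it parses `netstat -tuln`-style output and separates listeners for the services named above from other exposed sockets. The sample output is constructed, and the port numbers are the standard well-known assignments, assumed here rather than taken from the review's screenshot.

```python
# Services the review names, keyed by their standard well-known ports (assumed).
RISKY_PORTS = {
    23: "Telnet", 111: "SunRPC (portmap)", 137: "NetBIOS name",
    138: "NetBIOS datagram", 139: "NetBIOS session", 427: "SLP",
    445: "SMB (Samba)", 631: "IPP (CUPS)", 2049: "NFS",
}
LOOPBACK = ("127.", "::1")

# Constructed sample in `netstat -tuln` format; not the output from the review.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:427             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

def parse_listeners(text):
    """Yield (proto, address, port) for listening TCP and bound UDP sockets."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # skip headers and blank lines
        if fields[0].startswith("tcp") and fields[-1] != "LISTEN":
            continue  # established or closing TCP connections are not listeners
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)

def audit(text):
    """Split non-loopback listeners into (risky, other) lists."""
    risky, other = [], []
    for proto, addr, port in parse_listeners(text):
        if addr.startswith(LOOPBACK):
            continue  # reachable only from the local machine
        if port in RISKY_PORTS:
            risky.append((proto, addr, port, RISKY_PORTS[port]))
        else:
            other.append((proto, addr, port))
    return risky, other

if __name__ == "__main__":
    for proto, addr, port, name in audit(SAMPLE)[0]:
        print(f"{proto:5} {addr}:{port:<5} {name}: disable unless needed")
```

On a live system, pipe the real `netstat -tuln` output into `audit()` instead of `SAMPLE`; anything in the first list is a candidate for removal or for binding to loopback only.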

Thus Xandros is like Windows XP in the worst way possible: it makes dangerous "features" available to everyone whether they need them or not, so that using them will be easy, while neglecting to consider the routes to exploitation that they open. And like Windows XP, Xandros doesn't enable packet filtering by default.

The user can uninstall Samba, SLP, SunRPC (portmap) and other horrors like Telnet with the Xandros Networks package manager, assuming they know enough to do so. To eliminate IPP, one must navigate to /etc/cups/cupsd.conf and edit the file manually, which is more hackery than I would expect a Linux novice to be capable of.

Like Microsoft, Xandros has placed far too much emphasis on features and ease of use, trying to be all things to all people, and far too little emphasis on security. An experienced Linux user can harden it and simplify it nicely, and find and install the additional packages he needs; but the novice will have little hope of doing so. You need to be a power user to make Windows reasonably secure. The same is true of Xandros, although, among Linux distros, it is a rare exception in that regard.

I would not recommend it; it's far too inflexible for power users, and a bit too dangerous for novices. The boxed deluxe edition, which I tested, costs $90, a reasonable price only because Crossover Office is included. For the same price one can get an immensely more serviceable 'Pro' distro from Mandrake or SuSE, though Crossover will be extra. ®
