On Tue, Jul 18, 2000 at 12:59:47PM +0900, Olaf Meeuwissen wrote:
> Dear Debians,
>
> I'm looking for any kind of info on vulnerability to viruses on Debian
> and/or Linux. Pointers to anti-virus programs are also very welcome.
>
> If I can't convince some people here at work, I'm about to be told to
> disconnect from the net or use (heaven forbid!) Windows for any kind
> of internet activity beyond our firewall. And that seems to include
> sending email like this to the list. Gack!

In the better-late-than-sober dept.:

  o Concur on the complete absence of Linux viruses *in a practical
    sense*. Yes, Bliss and one, possibly two, proof-of-concept viruses
    have been reported. As a practical matter, however, viruses are
    *not* a security/integrity concern with Linux.

  o For an unbiased, third-party perspective, go to the anti-virus
    software vendors themselves. They maintain comprehensive lists of
    known viruses, as well as general resources, virus-related FAQs, etc.
    There is some concern that these vendors *overstate* the virus threat
    in general (implicit business concern). Yet there is little to
    suggest that there is a credible threat to Linux. Norton/Symantec,
    McAfee, F-Secure, etc.

  o Check also general sources for virus-related information. Including
    'Web search engines (Google, Alta Vista, Lycos), Usenet (Deja), etc.
    A search at Google for "linux virus" turns up a McAfee
    announcement, and a ZDNet article discussing a Russian company's
    announcement of a Linux market with discussion reflecting many of the
    issues I raise here.

  o Linux is *not* immune from "worms" of the type that plague Microsoft
    systems, particularly through email interfaces, *if vendors and
    developers start writing clients and software which run untrusted
    applications without user intervention*. While Microsoft Outlook
    ("the security hole that happens to be an email client" -- Stephen
    Vaughan-Nichols) doesn't infest Linux, an application with similar
    capabilities could introduce similar security concerns. While the
    Linux user / file permissions security model provides some
    protection, individual users could destroy, damage, or compromise
    data confidentiality. The fact that there is a *tradition* of not
    adopting unsafe data practices doesn't mean that bad habits can't
    develop. This is, however, an application-layer transmission vector
    issue, and not specific to the Linux OS itself.

    On a related note, it appears that StarOffice and/or Eazel may be
    headed in the direction of automated association of filetypes with
    applications. I asked about this at the StarOffice demo at this
    week's O'Reilly Open Source Conference, specifically WRT
    MS Outlook-style VBA macro exploits. I'm not convinced that SOffice
    won't repeat these accidents of design, and would caution adoption of
    it as a mail client until this issue is clarified.

  o System security is a multi-faceted issue, and should be evaluated
    _in toto_, not with respect to a single factor. There are known areas
    in which Linux tends to suffer holes (primarily: service-related
    exploits, buffer exploits, and user-related behaviors with poor
    security practices). The same or substantively similar issues
    affect proprietary Unices and Windows NT, and are best addressed
    by a thorough understanding and audit of your systems and services
    required and provided. Any security-related objections raised against
    introduction of Linux should reflect actual threats, and not fantasy.

In light of the magnitude of the real threat to Windows vs. Linux from
viruses, the objection raised by management lies somewhere between
ill-informed and intentionally obstructionist. The first condition may
be remediable. In the event of the second, there are more and more firms
looking for skilled Linux experience; I'd suggest you start shopping
yourself where you *are* wanted.

--
Karsten M. Self <kmself@ix.netcom.com> http://www.netcom.com/~kmself
Evangelist, Opensales, Inc. http://www.opensales.org
What part of "Gestalt" don't you understand? Debian GNU/Linux rocks!
http://gestalt-system.sourceforge.net/ K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0