
Re: [Q] virus susceptibility data

On Tue, Jul 18, 2000 at 12:59:47PM +0900, Olaf Meeuwissen wrote:
> Dear Debians,
> I'm looking for any kind of info on vulnerability to viruses on Debian
> and/or Linux.  Pointers to anti-virus programs are also very welcome.
> If I can't convince some people here at work, I'm about to be told to
> disconnect from the net or use (heaven forbid!) Windows for any kind
> of internet activity beyond our firewall.  And that seems to include
> sending email like this to the list.  Gack!

In the better-late-than-sober dept.:

 o Concur on the complete absence of Linux viruses *in a practical
   sense*.  Yes, Bliss and one, possibly two, proof-of-concept viruses
   have been reported.  As a practical matter, however, viruses are
   *not* a security/integrity concern with Linux.

 o For an unbiased, third-party perspective, go to the anti-virus
   software vendors themselves.  They maintain comprehensive lists of
   known viruses, as well as general resources, virus-related FAQs, etc.
   There is some concern that these vendors *overstate* the virus threat
   in general (implicit business concern).  Yet there is little to
   suggest that there is a credible threat to Linux.  Norton/Symantec,
   McAfee, F-Secure, etc.

 o Check also general sources for virus-related information.  Including
   'Web search engines (Google, Alta Vista, Lycos), Usenet (Deja), etc.
   A search at Google for "linux virus" turns up a McAfee
   announcement, and a ZDNet article discussing a Russian company's
   announcement of a Linux market with discussion reflecting many of the
   issues I raise here.

 o Linux is *not* immune from "worms" of the type that plague Microsoft
   systems, particularly through email interfaces, *if vendors and
   developers start writing clients and software which run untrusted
   applications without user intervention*.  While Microsoft Outlook
   ("the security hole that happens to be an email client" -- Stephen
   Vaughan-Nichols) doesn't infest Linux, an application with similar
   capabilities could introduce similar security concerns.  While the
   Linux user / file permissions security model provides some
   protection, individual users could destroy, damage, or compromise 
   data confidentiality.  The fact that there is a *tradition* of not
   adopting unsafe data practices doesn't mean that bad habits can't
   develop.  This is, however, an application-layer transmission vector
   issue, and not specific to the Linux OS itself.

   On a related note, it appears that StarOffice and/or Eazel may be
   headed in the direction of automated association of filetypes with
   applications.  I asked about this at the StarOffice demo at this
   week's O'Reilly Open Source Conference, specifically WRT 
   MS Outlook-style VBA macro exploits.  I'm not convinced that SOffice
   won't repeat these accidents of design, and would caution adoption of
   it as a mail client until this issue is clarified.

 o System security is a multi-faceted issue, and should be evaluated
   _in toto_, not with respect to a single factor.  There are known areas
   in which Linux tends to suffer holes (primarily: service-related
   exploits, buffer exploits, and user-related behaviors with poor
   security practices).  The same or substantively similar issues
   affect proprietary Unices and WindowsNT, and are best addressed
   by a thorough understanding and audit of your systems and services
   required and provided.  Any security-related objections raised against
   introduction of Linux should reflect actual threats, and not fantasy.

In light of the magnitude of the real threat to Windows vs. Linux from
viruses, the objection raised by management lies somewhere between
ill-informed and intentionally obstructionist.  The first condition may
be remediable.  In the event of the second, there are more and more firms
looking for skilled Linux experience; I'd suggest you start shopping
yourself where you *are* wanted.

Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Opensales, Inc.                    http://www.opensales.org
  What part of "Gestalt" don't you understand?   Debian GNU/Linux rocks!
   http://gestalt-system.sourceforge.net/    K5: http://www.kuro5hin.org
GPG fingerprint: F932 8B25 5FDD 2528 D595 DC61 3847 889F 55F2 B9B0
