
Re: recommended Virus Scanner?



on Wed, Nov 26, 2003 at 12:07:05AM -0800, Tom (tb.31123.nospam@comcast.net) wrote:
> > Paul Johnson wrote:
> > >Non-issue if you don't use Windows.
> 
> This is totally piling on, but given this recent security compromise,
> I think the whole Linux community needs to reevaluate its "can't
> happen here" mentality.  

Preface:  Paul's response was, IMO, somewhat unwarranted.  It's
technically correct:  if you're not worried about dealing with legacy MS
Windows users, you don't need to worry about viruses for GNU/Linux.
However, since GNU/Linux makes such an excellent platform for providing
web, proxy, email, file, print, data, and other services for legacy MS
Windows systems, there _are_ people with a valid interest in
virus-scanning solutions, targeting *Microsoft* viruses, but running on
GNU/Linux.



A few items:

 - Yes, security matters.

 - The Debian project compromise, by available (and some unavailable)
   information wasn't a virus.  While a full report is forthcoming, the
   general outline appears to be that a Debian developer's system was
   compromised (how exactly isn't clear), the SuckIT rootkit installed
   on his system (this is a particularly nefarious kernel-space rootkit
   which leaves no filespace evidence, though it can be detected by
   looking at /proc files), and from there, several Debian servers
   accessed.  Keyloggers, common passwords (you *really* shouldn't
   re-use passwords on different systems), and some other bad habits
   factored in heavily.

 - Specifically: it doesn't appear that there was a virus or worm
   component to the exploit(s) (though my information is incomplete and
   analysis remains underway) -- the key defining point being that one
   system was compromised and automatically propagated the compromise to
   others.  Rather, social and/or technical cracking techniques were
   applied, a rootkit used to leverage the exploit, and guided analysis
   used to then target Debian Project (and possibly other) systems for
   further compromise.

   Contrast this to, say, the Microsoft Slammer worm, in which a 376
   byte UDP packet saturated the _entire_ Internet within 10-15 minutes,
   or the Swen and SoBig worms, which dumped thousands, or tens of
   thousands, or hundreds of thousands of emails daily on individuals and
   sites.

   GNU/Linux has a security profile.  It's generally markedly different
   from legacy MS Windows.  Best bet:  focus on the actual threats
   _your_ environment faces.

 - Yes, I expect the security picture regarding GNU/Linux to worsen as
   more users adopt the platform.  I don't think viruses and worms, as
   commonly defined, will characterize the problem.  Rather, it's going
   to be poorly administered boxes and bad security practices writ
   large.


> I don't care if it's social engineering or I-Love-You, if the world
> comes to an end, that's A Bad Thing.

There are few attacks on GNU/Linux, *BSD, or proprietary unices which
are of the "world comes to an end" variety.  Most (but not all) software
is designed with security in mind, the overall architecture is radically
different from legacy MS Windows, and even in wide adoption, the
environment is likely to be far more heterogeneous than the current Win32
monoculture.


> It's only going to get worse as Linux gets more popular.  There were 
> dozens of Microsoft disasters before the mainstream press and the 
> general public noticed.  

And the response to these has been to thumb the dike.  Leaks have been
plugged, but the overall infrastructure hasn't been overhauled.  And
it's this infrastructure which is the problem:  little privilege
separation, pervasive cross-application scripting, commingling of "code"
and "data", deeply pathological complex relationships between
applications and OS making patching tedious and error prone, and a
highly uniform OS and applications base, which lead to the problems.
Compounded heavily by a culture which didn't "get security" until the
past two years, despite repeated and significant warnings that this is
and would be a worsening problem.

By contrast, the free software community operates on a basis of full and
timely disclosure, preemptive security measures (code audits, several
independent hardening efforts from OpenBSD to SELinux), and in general
takes security seriously.  Not always seriously enough, but if there is
a problem people speak up about it.  And there aren't (yet) $6 billion
marketing budgets to plaster over the disturbance.  Most major distros
now have systems which greatly facilitate the updating of systems,
Debian more so than most.


> Linux is long overdue for a major security black eye.  It's going to
> suck when it happens.

There will be problems.  There have been problems.  They will likely be
largely localized (affecting a subset of users and systems), disclosed
fully, and rapidly patched and/or addressed.   It's possible that
popularization of GNU/Linux will eventually take it beyond the sensible
design roots it's historically been based in (and I see some warning
signs).  But for the most part, engineers, not marketers, have final
say, and tend to address problems.


> I think all Linux devs, from Linus on down, need to stop and think
> very seriously about what can be done to preemptively mitigate the
> inevitable embarrassments which are sure to come (soon).

I think that many do.  I think your fears are somewhat misplaced.

The advice is still valid.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   ARM Computer:  Customer Service Hell On Earth
     http://lists.svlug.org/pipermail/svlug/2001-November/038616.html
