Slashdot Mirror

← Back to Stories (view on slashdot.org)

Desktop Linux Sliding in Under the Radar?

Posted by Cliff on from the stealth-penguinistas dept.

Paul Johnson asks: "This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications, but there is a wider issue. At present the 'official' penetration of Linux into the desktop market is something around 1%. The writer of this article doesn't give figures, but it sounds like he may have stumbled on several times that percentage of desktop Linux installations. If so then this is an important trend. Linux got its foot in the datacentre door in exactly the same way a few years ago, with unofficial installations doing odd server jobs. If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?"

22 of 742 comments (clear)

  1. I'm not a sysadmin by SquadBoy · · Score: 4, Informative

    but rather a network guy but I have 3 Linux boxen that MIS does not know about and the dept laptop is booted with a Knoppix CD about %90 of the time.

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  2. Re:Nope, not here by RoundTop-VJAS · · Score: 2, Informative

    Speaking as someone who works for a company that does systems for hospitals... I can say that there is normally a reason that we require X windows OS. Normally it is for remote access, or certain features, or it must run certain software.

    This effectively prevents linux replacement. Also of note, these NT boxes are secured down so only admins have access to even the start menu, everyone else it opens the program only and when you close it it closes it out.

    --
    RoundTop

  3. "Insecure" Linux, Cygwin and RedHat by MyHair · · Score: 4, Informative

    I can see how security might be lax. When I was new to Linux I enabled everything whether I needed it or not. I figured I'd get around to playing with bind, sendmail and ftpd sooner or later. Everyone I know who's tried Linux has only dipped his toe in, so to speak.

    Now I know more and have played enough that I disable everything except what I need, make sure it's secure and then put up a firewall just to be sure. But heck, just the other day I realized I hadn't apt-get update'd and apt-get upgrade'd in a couple of months. Oops. I also had weak passwords until about a month ago.

    I'm in a non-tech company, and the Linux penetration is well below 1%. Only one desktop--a dual-boot laptop--as far as I know (except when I boot up KNOPPIX), but I have three rouge servers of my own. (Squid, Nessus, nmap and Snort are my friends.)

    I also have two Cygwin installs, but they're my workstations, not user PCs. Anyone seeing those on desktops yet?

    In this article the guy chose RedHat. If you don't care for commercial support, why would you choose RedHat over Debian or Slackware? Especially if security is a concern.

  4. Live Linux CD's by niko9 · · Score: 2, Informative

    I wonder how many people boot Live Linux Distro's like Knoppix, and reboot into whatever is installed (NT, XP, Win2k)when they only really have to.

    As a ardernt Linux user, I would just change the BIOS settings to boot from CD first, and pop in Knoppix, or leave the CD-ROM tray empty when I wanted to use windows. No one in IT would need to know what I was upto.

    New York City 911 EMS: When you absolutley, positivley cannot call a cab for your toothache

  5. Not on the network?! by Anonymous Coward · · Score: 1, Informative

    My company has quite a large LAN with at least 20,000 Windows NT/200 PC's. There are some SGI machines floating around for specialized jobs...but for %99.9 of people involved Microsoft is the only machine allowed to be connected to the network.

    And the sysadmins keep it that way. >:(

    Well...this naturally sucks if you are an engineer and need something that fits: "I can make this with things I already have...for FREE!".

    I currently have Slackware 9.0, w/ Apache, MySQL running for a development program I am writing in PHP. It works well on the *spare* PC (read: old and nobody wants)...but as all computers it will be forever limited as it can only talk to 127.0.0.1.

  6. Re:Does this count? by netsharc · · Score: 4, Informative

    Well one advantage I can think of is: no need to worry about applying MS security patches to those 60 machines.. just one central server to fix, and to break itself every few hours.

    --
    What time is it/will be over there? Check with my iPhone app!
  7. Re:Not exactly ... by Jeremiah+Cornelius · · Score: 4, Informative
    This has been going on for YEARS. I was doing so at Schwab in '97 - and reading "Chips and Dips" and "Rob Malda's Window Maker Site".

    I got about 4 or 5 of the Unx admins and a good number of the DBS'a doing this too.

    In small shops - we had 6 Linux desktops running at the Multi-Media Developer I worked at in '94. XFree on ATI Mach32, anyone?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  8. Re:Don't reinstall - boot linux from another disk by joelgrimes · · Score: 4, Informative

    Very true. It's the coolest thing. Get yourself a $50 keychain drive and make it your persistent storage.

    Then, no matter where you go, any machine you can get your hands on your machine.

    --
    Textbooks and Open Educational Resources
  9. Re:This is unexpected? by Archfeld · · Score: 3, Informative

    how can it be spy-ware when IT IS THEIR BOXEN ? The one thing in our enterprise that MUST be present to access ANY shared resource is the Tivoli agent with the config checksum matching, much with it and you don't get anything from the network. Don't get me wrong I hate the crap too but it IS a place of employment....

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  10. Re:yep... by bfree · · Score: 2, Informative

    Just because you can only boot from the HDD doesn't mean you cannot install anything you want! You just have to work around the problem. For example you could use VMWare to boot your distro and then install to the real hard disk. Alternatively you could simply use rawrite to overwrite the mbr (tricky to construct your mbr ... but possible). Now if your OS that you can boot from won't let you access the mbr and the raw disk, then you'll just have to whip out the hard disk to do your installing and then return it.

    Bottom line is that yes, every desktop in a large install should be secured both physically and through software to prevent the users from modifying anything non-trivial.

    As for personal experiences, I have owned "stealth" linux installs and a good friend of mine who works for one of the largest ISPs in Ireland has one, as he has told me do many others throughout the company.

    --

    Never underestimate the dark side of the Source

  11. Installed Linux under my desk by harryk · · Score: 2, Informative

    While I believe myself to have some linux background, when I first started my current job, I went straight down to the LAN team (I started in desktop support, which still blows) and asked for any workstations that still turned on, and that were being thrown away to be sent to my cube. By the end of the week, I had 4 p2/333 with 128mb each. I brought in a 10/100 switch (5port) and started cranking away at installing openmosix.

    Before I knew it, I had Samba installed, MRTG, and was sniffing anything that came accross the network. A few weeks into, after compressing all my CDs (And a few others) using the openmosix cluster, someone asked me if they could install some software for testing, before you know it (right now in fact) I'm lead tech in a project to bring linux file servers to our clients instead of pushing the Win2k3 servers. Samba is working great as a replacement for the Win2k/2k3 servers that are in our market place.

    I think its great, and it simply started by asking for junk hardware.

    --
    think before you write, it'll save me moderator points.
  12. Ignoring the standard MS shot... by el-spectre · · Score: 5, Informative

    The point is, a sysadmin can patch and update winders machines remotely and en masse. If he doesn't know about the linux machine, then he obviously has a hole in his security plan.

    --
    "Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
  13. Re:I've done this by amblin · · Score: 2, Informative

    Just in case you didn't already know...
    Novell Client for Linux

  14. Re:Does this count? by Anonymous Coward · · Score: 2, Informative

    Each department has it's own TS+PDC, Samba box(Auth off PDC) for long-term storage

    Each TS is 2-way Athlon 1600MP+2Gig+6diskRAID10 - 10 users supported quite happily.

    TS's were NT4, but new printers came along without NT4 (supported) drivers...

    At least we only had 5 servers to upgrade...the rest of the infrastructure magically changed (apparent) OS...sweet!

  15. This IS the 1% by pelorus · · Score: 2, Informative

    I'd love to know where they get this 1% from anyway.

    Last big company worked for there were maybe 150 people with Linux installed at the desk. Out of 96 thousand employees.

    I'd REALLY like to know where they get the 1% figure from. (looks at the boxed, downloaded and magazine-front Linux CDs on the shelf and his ZERO Linux installations)

  16. Re:I'm under the radar by sonpal · · Score: 2, Informative
    FYI, the ethernet hub policy is correct, although dated. Ethernet has a maximum distance that you cannot exceed... hubs work at a low level and simply connect all the devices to the same "bus". After the bus reaches a certain maximum length, collision detect no longer works, and you have random denial-of-service on the entire bus.

    Ethernet switches are different. They work at a higher level and actually process the packets. This lets them direct packets between various ports as well as allow for unlimited cascading. We noticed problems with ethernet hubs when we deployed them at my University in the mid-90's. Faculty members would decide to connect hubs to their network outlets and entire departments would lose connectivity when we tried to bring a different section of the building online.

  17. Re:ARGHGHG!! There's no such word as "boxen"!!! by 1u3hr · · Score: 2, Informative
    boxen = German-style plural for "box"

    I thought it was in analogy with ox/oxen (which comes from Old English, so in the same family as German). It's easier to pronounce -xen than -xes endings, so rather a shame it's not in more general use.

  18. History Repeats Itself (again...) by Anonymous Coward · · Score: 2, Informative

    In the 80's, IT departments were concerend about the deployment of Personal Computers without IT knowledge or approval.

    In the 90's, it was departmental servers. First on NetWare, then on Windows NT.

    Today, it's wireless networks, cr^h^hblackberry devices, and (you guessed it) Linux.

    Anyone see a trend? What's deployed behind the backs of the IT department today is often an intergal part of the computing environment tomorrow.

  19. Re:Not exactly ... by captainfugacity · · Score: 2, Informative

    Actually that's how it is in most companies that have anyone half competent. I'm sysadmin with a real engineering degree, the engineering degree is used more than the sysadmin hat. Everyone on my network is an engineer or scientist. there is NO WAY i would let these people install their own OS, and we are a small house. At the medium sized engineering firm I was at before this, installing your own OS was a termination offense. Having a pHD and years of experience in field doesn't make you some 3l33t3 4u43 with computers. If a user needed that linux partition they should have come to me first. When you call me a bureacratic fool to the VP because I overwrote it, I will calmly explain to him that your actions put us at risk for a hacker to compromise our systems and steal our exposed IP, or allow a disgruntled employee to steal the VPs email. The VP will calm you down and be polite and tell you to put up with the rules and ask IT to install any operating systems you need. IT will have Root on that box. Then he'll privately tell me that he knows you're being arrogant and that security of IP is priority number one and I should come to him if anyone else is putting the future of the company at risk. "Operating on the premise that all staff are luddites, criminals, or not to be trusted..." Go work some time at an IT helpdesk and you'll realize that this is a good assumption.

  20. You didn't forget about Cygwin, did you? by EvilNight · · Score: 2, Informative

    It's a bit difficult for a corporate user to get away with flat out installing Linux on his box, as that sort of thing shows up rather quickly in security audits.

    Where I work, we have 3 or 4 developers who use Linux. They requested it when hired, and other than making sure they don't have rogue DHCP servers screwing up our networks, we have a hands-off policy where we don't officially support the box because it's not Windows. Unofficially I help them all the time, of course. ;)

    What gets me is Cygwin. The last time I ran a software audit, I checked for Cygwin just for a goof. HALF THE COMPANY (that's 50 people) has Cygwin installed. Well, why not? It lets you comply with management's wishes for a Windows world, but still gives you the lion's share of Linux's power. If you count Cygwin I'll wager you'll find the 1% figure to be much lower than reality.

    Of course, if you're comfortable with Cygwin, switching to Linux is that much easier.

    --
    Hell is being intelligent in a world full of idiots.
  21. Re:Not exactly ... by BrokenHalo · · Score: 2, Informative
    Hmmm. You seem to agree with much of what I was saying:

    [snip]We implemented a filter file for the proxy and traffic went from ~97% down to ~30% utilization.

    That is exactly what I was talking about when I mentioned applying appropriate security and traffic measures. I fail to see any difference accruing to the user's choice of platform.

    [snip]You go back to being a scientist and I'll go back to saving people like you from yourselves with your lack of understanding regarding the need for real security policy.

    FYI, I spent 15 years as a systems programmer specialising in security before I jumped fields into biotech, so I believe I have a claim to know what I'm talking about :-) and IIRC just about every major Linux distribution I have come across is arguably more secure by default than Windows can be with a lot of tweaking from sysadmins.

    Ultimately, though, security should be applied at the network level, particularly if, as you say, you can't trust your users.

  22. Re:Not exactly ... by grmoc · · Score: 4, Informative

    Unfortuantely a lot of management/business types really DON'T understand sunk cost.

    You should buy something you want to use.
    Using something simply because you bought it is moronic.

    The waste happens on the purchasing side, not the usage side.

    This is not a 'geek' view, this is a good economist/businessperson's view, and for anyone who disagrees with it, here is a good example.

    You're stuck on a desert island. You knew you would be stuck here. TO prepare for being stuck here, you bought some cyanide-based glue (i.e. superglue). Your major problem is that there is no food on the island. Do you
    1) Eat the cyanide-based glue
    2) Don't eat the cyanide-based glue

    The "Well, it would be going to waste if I don't eat it" argument obviously doesn't work here. If you don't get the right tool for the job, you shouldn't be forced to use it-- The damage is already done, no need to exacerbate it.