Slashdot Mirror
Desktop Linux Sliding in Under the Radar?
Paul Johnson asks: "This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications, but there is a wider issue. At present the 'official' penetration of Linux into the desktop market is something around 1%. The writer of this article doesn't give figures, but it sounds like he may have stumbled on several times that percentage of desktop Linux installations. If so then this is an important trend. Linux got its foot in the datacentre door in exactly the same way a few years ago, with unofficial installations doing odd server jobs.
If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?"
"This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications,..."
This could make the case for desktop Linux look worse, if people are not securing their dektops and/or keeping up with security updates.
I have a hard time getting my company to purchase anything beyond the minimum tools I need (NuMega and similar were out of my pocket, since I didn't mind owning them myself). VMWare's been on the wish list - but only as a wish.
I write code.
In truth beyond the server farms ive worked with at said companies the only person possessing any *nix varient has been myself (including mac os X...) While i can see this as being an occasional happening in dorkier companies... even then i find it not very likely.
mainly because buisness use predominataly revolves around outlook exchange's shared meetings and various other stupid stuff.... in addition to the baseline ease of use (overall managerialy) network administration of an all windows environment.
I would NEVER support a linux desktop distro amongst my users.... MAC OS X ... yes.... but not Linux for any reason on gods green earth... can you say nightmare? I love Linux.... but it just is NOWHERE near as streamlined as windows or macintosh... especialy from a support stance.
My personal feelings are *nix for network devices.... Windows server/client for data sharing email and so on.... and Mac os X for end users who are more inclined towards media production (basicly people who arent finance/sales).
This setup puts the *nix boxes in my realm... and id be greatfull that no unwitting user *accidently* installs another DHCP, DNS, SMTP, etc... server on my network. Id also be thankfull not to be asked how to make packages work correctly between KDE, gnome, X, or whatever else joe moron decides to use.... or how to fix their freakin window manager because KDE offers 5 different programs just to change the layout/widgets.... no thank you.
Of course this poster assumes that the people who do so, do so knowing people like myself wont support them... and more than likely will be highly un-happy with their network being potentialy compromised...
not trying to spread FUD.... but ill wait for a tighter distro before i promote *nix on the desktop.... only one so far (with flying colors) is OSX.
--Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?
Yes, and that is exactly why they are asking for other sysadmin's experiences. Got it?
Signature deleted by lameness filter.
I used to be a manager at Dell, and I can tell you that if you had presumed to format one of my or my developers machines without first getting authorization from me, you'd be fired and "walked out of the building" the following day.
Maybe the authorization got misrouted.
Maybe you are wrong about either the authorization or the requirement for it.
Maybe it was an experiment on a dept. system.
Maybe it wasn't hooked to the network.
Maybe we were testing the system's Linux compatibility at the end of the day and left it 'till the morning to finish.
In my tenure at Dell, all these things were true at some point or another, and no one formatted our systems. We were too busy to get in the pissing matches that would have started.
Certainly you should quit abusing your very limited power and try to help rather than simply jumping to conclusions.
This is why IT is not consulted. Extreme prejudice indeed!
If end users are not supposed to do something it's your job to configure the gear so they can't. Rules forbidding something are a failure in IT.
If the user has no agent for the desktop license management how is that a problem exactly? Either they are not using any licensed software our your management software is not to hot on the managing front.
If you're running round playing tattle tale who do you think the finger is really pointing at? Go back to your sever room and lock the door.
-- search the web
We've gone so far as to restrict our switches by MAC address and no longer allow anyone in our network unless they tell us what OS they are running and have installed all the security updates.
Ok, I'm confused here. What exactly is extreme about limiting access to known MAC addresses? Any sprawling network where access to the backbone (i.e. wallplates) can't be controlled should do this. It's just common sense.
As for not allowing anyone on without them telling you what they have, how do you make sure they keep updating? Was it fine for people with WinXP boxen to join the network when XP was first released? Being "up to date on patches on 10/07/02" is great, but utterly meaningless if no patches have been installed since then. Having a required set of patches is nice, but having a good security policy is far better.
Of course, I've always wondered about college networks, since they seem to prefer sending nastygrams or denying access to users, rather than prevent users from doing those things. Want to stop shared folders, file sharing, worms?, set the switches to only allow traffic to pass completely through the switch, not between ports on the switch.
Besides, the average user has no need to be accessible from any other machine, and especially not from outside the local network. Use NAT, separate users from each other, and be done with it. If a user gets a virus/trojan/worm, f@*k-em, at least it won't spread through the network.
--That's the point of being root, you can do anything you want, even if it's stupid.
Installing Linux on their own is a bit much. My dreams are really simple - like I just have this button that shocks people and they just magicly get a clue - like why sending a 5 meg bitmap to a guy who accesses his email through a 28.8 modem is a dumb idea.
Actually in all honesty I wouldn't want people installing Linux on their own anyway. All users with admin priveleges? I don't know what kind of heaven you're going to, but count me out! =P
>> Last time I checked, there weren't any imminent linux virus threats.
.... and linux and BSD run about 50% of the mid-range servers....)
> That attitude works up until the world gets surprised by the first real nasty one.
should i even bother explaining why it is damn near the most unlikely thing to happen in IT ? or should i just point out that _if_ a virus ever hits a unix there would be open source anti-virus software within a few days ? (few months max) or point out that the unix type of OS is about 30 years old. and to date there havent been any virus's in the "wild". (and dont give me that "not attractive target" for virus writers crap either, unix still runs mainframes, bank computers, ATM's etc
se the wonderful thing about linux is you dont have to run a damn thing as root, and the few things you do have to run as root can be chroot'd so the virus/worm can't do diddley. some linux distros come like this by default.
>> Desktop license management? I thought linux was free.
> Perhaps, if your time is worthless. But anyhow, he was refering to license management for any potential commercial software they may have
> illicitly installed.
oh please. take your gartner studies (microsoft funded BTW) and shove em'. the amount of time it takes to install and optimally config a std. linux system is in the hours worth of time. admining that same install MIGHT take 30minutes per month. windows ? yeah friggin right, pick one of their OS's if you spend less than two hours per month admining that box its vulnerable. this argument is moot. since anyone who is going to install linux by choice obviously wasnt bugging the IT guys and hence didnt need to be trained, so there is no time lost their.
Linux is FREE to any person who knows what they are doing, simply because spending the few hours it takes to install free's them of the years of misery that lies behind them, and the years that would have laid ahead of them if they had still been running windows.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
If there's a box on his network that he doesn't know about then either he needs a new network analyzer or new networking people that know what they're doing. Not trying to be a jerk but you should know what is on your network and if you don't, then you're not paying attention and/or trying hard enough.
Carpe Canem - Seize the Dog
If you were actually any good at your jobs you should be asking why these people (who may or may not be risking their jobs) feel the need to install linux? What is it that the current policy doesn't provide? Why has sysadmin become so unapproachable that they did it without asking (this should be an easy one)?
Actually do something useful rather than wandering around the network marking your territory.
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
I think we are forgetting something fundamental here... the whole idea of policies and security with respect to installing rogue applications stems from the fact that Windows and Windows networks are so damn easy to completely break.
If I install a program as a user on my Linux box, or even in my user space on the departmental server... it has no effect WHATSOEVER on the rest of the server or the other users. Thats what a multi-user OS "is". You can't even TOUCH that with ANY Windows implementation.
This discussion is not about "Oh, I can break into any box and install Linux". Sure you can. There is no way to stop. Lock it up? pick the lock. Remove the floppy and cdrom? install one or do a network install via crossover cable and another box. Blah blah blah.
The idea is that Linux IS in far more places than people know. And it will only grow in the future. Will it supplant MS as the "King of the desktop"? Who the hell cares... but people have a choice now.. and they ARE choosing it.
-K.
I am not buying into this article for the fact that I've worked in large 'shops' of 2,000 workstations up to about 8,000. None of these shops would find, then allow a non-approved OS to continue to run on their networks. This type of thing is basic "Information Security did a weekly scan, found it, helpdesk siezed the machine and re-imaged it with Windows 2000" routine.
I used to agree with giving employees freedom to run whatever OS they are comfortable with, but you have to keep into consideration the Information Security view on things. A *nix OS with a few network tools installed, gcc, and some skills can lead to a lot of problems for the company.
Think that's silly? Think again. Think about doing technical support for bitter and unthankful lusers. Your boss is an asshole. You make $23k/year and missed your shot as an [insert engineer/developer position here] before the bubble popped. No hope for a future with the company since they have a revolving door system in place where 3/4 of the low-level staff is on temporary contracts that expire every 90-300 days.. I know, it's sad and I've seen a lot of talent from people stuck in these types of jobs and feel terrible for them. But, this is a common person in technical call centers. I've seen enough from that single profile to type pages, but I'll stop and save it for another post.
Do you trust this employee enough to let him run FreeBSD? You want him having direct access to the 'net without a proxy? I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits. What if he's okay but his box ended up getting owned because he downloaded bad BitchX source? That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical. That's the tip of the ice berg when it comes to what happens when your office gets owned. Even if workstations are usable, every workstation on the local subnet and server they have ports open to via the firewall have to be investigated. This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again. Somewhere around noon, the guy from Public Relations will likely be on the phone wanting to know what to tell CNN when he calls them back. Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share. That's potential millions depending on how big your company is.
Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax. I'm very pro-Linux/BSD, but not in an enviroment where it's not needed (All those workstations came with an OS you paid for anyway). I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.
My stories are actual events portrayed by actors.
I don't know about your company, but at my school (I was resident Geek), we set it up so that the DHCP server would automatically set the proxy up as a gateway. We never had any problem about people accessing the internet without going through a proxy.
And aren't the chances actually better of getting some form of backdoor greater for windows? Picking them up via email, bad downloads, even browser security flaws.
I see where having an unauthorized anything running could be a problem, but just linux in general, no, danger isn't in the software as much as it is in the hands of the user.
Stop the Slashdot effect! Don't read the articles!
In my case (I'm a scientist) I would be seriously inconvenienced if some pointy-headed bureaucratic fool came along and overwrote my Linux partitions with Windows, and my immediate reaction would be to take it up with his boss.
You seem to be operating on the premise that all staff are luddites, vandals or criminals and not to be trusted. I would have thought that, far from losing sleep over this, you should be pleased that this is one person who is not going to be passing out viruses via Lookout Express. In any base, as long as you implement sensible policies (firewalling, quotas or whatever you need to do) there is no reason why your network should not operate transparently without applying unnecessary restrictions.
I think most people are missing the point here. most, AND I MEAN MOST companies are not huge corporate giants running 3 flavors of oracle/informix/peoplesoft. in fact, most huge places still don't run windows. I have worked for 3 seperate companies where almost every male employee ran linux. especially in ISP and hosting/datacenter enviornments. this view is typical of the MCSE type IT person who eats, sleeps, sh!t's and breathe's micro$oft and ZDnet. I personally have noticed alot more personal freedom to run whatever OS you choose, as long as your firewalled or are fully capable of doing your job. I haven't used windows in the work place since Netware 5.00 was released and I don't see my self doing it any time soon either. another thing to point out. you made a mention of proxy? again, purely micro$oft induced thinking. proxy servers are great for low bandwidth connections but are extreemly exploitable by nature. in trying to put up a protection point you expose your self to the internet even more. true ip routing and firewalls are your best bets for internet access and security. also they allow you to control alot more of what your company can do online without infringing on exec's ability to communicate in private. the internet and corporate computing were built on unix, are _STILL_ unix based in some variant or another, AND ALLWAYS WILL BE. it still takes a farm of dual xeon windows boxes to do what 1 p3-ghz with 256mb ram unix box can do in it's sleep. in the broader scheme of things I personally see linux coming of age in the workplace as a desktop OS. new tools enable it to be far more expandable, secure, and user-friendly than windows can ever be. if your a stickler for IT security, there is no reason on earth to run windows in a corporation. the NSA said it best "There is not enough man power in the entire US government to secure windows for proper use by federal agencies".
1) You have to be kidding. You can use attack software on *any* OS. Linux is no weaker (and actually a bit stronger in that it has some semblance of local security) than Windows here.
2) If you sieze machine and reimage them to fit with some policy you're following, your ass would be heading out of town from mass user complaints at any company I've been at. You are IT. You are present to help workers get their damn work done, not to push some random personal agenda. If you wipe an entire system and kill that employee's work, you are a serious impediment to getting work done. I simply am amazed at the total lack of regard for the employee, and lack of perspective you've displayed. You could disconnect the thing from the network. You could ask the user to move his files to another machine so that you can reformat it, though I think you're already pushing the limits. But when you simply grab a machine and reformat it, you're in a position where you are a liability to your company. When the developer tells his boss that IT wiped out his work, his boss tells his boss, and his boss tells his VP, I guarantee that your boss will not cover for you.
You want him having direct access to the 'net without a proxy?
WTF does this have to do with what OS you're running?
I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits.
This is ridiculously paranoid. I've seen the occasional IT type who considers the users he is supporting his enemies, but this is beyond belief.
What if he's okay but his box ended up getting owned because he downloaded bad BitchX source?
What if the same damn thing happened because he downloaded a Word file to his Windows box? Which of the two happens in far greater numbers?
That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical.
You've worked in an 8,000 unit shop and you honestly believe you have zero penetrations? And your setup is such that you need to spend three days and nights mirroring HD images *after* an attack?
This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again
And again, WTF does the OS have to do with this?
Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share.
Ridiculous. This is a theoretically possible but completely impractical story of what might happen in an attack.
Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax.
Amazing. God, I'm glad the IT people that support me have different views.
(All those workstations came with an OS you paid for anyway).
The infamous sunk cost fallacy. Which they teach you to avoid in Business 101.
I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.
It's not. That kind of behavior from IT would generate serious user complaints where I work. Matter of fact, IT is trying to quickly adapt to support people that want to use Linux here, and has compiled resources for them. That's what I consider doing a good, solid job. Helping the users instead of attacking them.
May we never see th
No FUD, sir. Information Security groups have got to view the employees of a large company as untrusted, unproven people as a whole. Our capitalist and litigation happy society requires this. It's not like when you go through any other form of security it's loving and trusting. Look at airport security, the police, anything to do with protection usually starts off with the attitude of not being too terribly trusting.
Also, I was not trying to give a full IS proceedure, just a quick run of some thoughts of what I have experienced in the past decade.
For starters:
Linux, MacOS, etc is not 'sub-optimal', if your corporation purchased copies of Windows with their workstations, it seems like an even larger disregard for cashflow to not utilize what they paid for. Your scientific and my engineering minds think 'Well, I get more done in Linux', of course we do, but when you sit in with a Loss Prevention group the removed/unused copies of software are considered a total loss.
Your situation is what would be considered a special case by an IT staff. You are a scientist. Silly goose, you will probably need all kinds of things a typical employee will not need. Think about the percentage of scientists versus customer service reps and support people in call centers. Think of the costs associated with each one of these people anually versus what you cost. It's a big difference.
You speak at the end about trust and the suggestion that a network operate transparently without many restrictions. You have to understand that most companies are not in the ISP business for their employees. If you sit down in front of a computer in an office, it's their network, their assets, their butt on the line, their bandwidth costs, etc.
For example, I have worked in a group who's new office was suffering terribly. About a 1400 user network, but the bandwidth leaving the building was always pegged. Upon watching traffic for a few days, it appeared that a major portion was porn and streaming media traffic. We implemented a filter file for the proxy and traffic went from ~97% down to ~30% utilization. This sort of thing is very cost effective and saves people from themselves (female employee walks up on porn mongering male, female complains, male goes unpunished, female cooks up discrimination suit, etc -- just preventative medicine, not a cure for a likely issue in the future).
I guess those who are knocking my tales have never been exposed to a real IT group before. Either that, or they are prepared to lose their jobs someday due to a lack of enforcement or policy that matches your typical fortune 500 company. The suits will not have much pitty for your balls to give excess freedom to employees with their investor-purchased resources.
The downfall of your average geek is the inability to ever see things from an executive, bean counter, or investor's point of view. Threats are real, liability is real, the end result of your investments are real. The joy of an office behind a very trusting packet filter is short lived and a flagerant disregard for company assets, especially if the company is publically held. Your investors are well within their power to take you to court and sue you for every dime you have if there is big enough loss associated with an act that was easily prevented. We never know the limitations of these types of suits because they are civil and not criminal. In a civil suit, you never know if you are going to be made an example. For instance, the massive settlements on people burning themselves with McDonalds coffee. You just don't know what's going to happen. At least with a criminal case, there are boundries clearly defined by law.
You go back to being a scientist and I'll go back to saving people like you from yourselves with your lack of understanding regarding the need for real security policy. I promise I won't pick apart or call FUD when you speak of something technical regarding your line of work... That is, if you don't tell me ficticous realities about how e
You are scaring me... :-)
:)
First a minor quibble--you say:
if your corporation purchased copies of Windows with their workstations, it seems like an even larger disregard for cashflow to not utilize what they paid for. Your scientific and my engineering minds think 'Well, I get more done in Linux', of course we do, but when you sit in with a Loss Prevention group the removed/unused copies of software are considered a total loss.
If a worker is more productive in a differennt OS or Office Suite or whatever, then the monetary cost of that unused software is insignificant. Not to mention that the company shoulnd't be buying software unless it will be used.
The bigger problem with your entire post and attitude toward users is best seen here:
People need to quit thinking they have rights to anything in an office. You do what they say or find work elsewhere. There's a big job market out there right now, lots of options, right?
I see the smiley, so I'm hoping this is mostly a joke, but if a company harbors contempt for it's employees, it is doomed. If the option is "my way or the highway", the good employees will eventually choose the highway, regardless of the economy. All you will have left will be compliant losers who don't think for themselves, managed by control freaks who have to do all the thinking for them, deciding which color pen to use.
Or which OS.
Send lawyers, guns, and money. Dad, get me out of this.