Slashdot Mirror
Desktop Linux Sliding in Under the Radar?
Paul Johnson asks: "This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications, but there is a wider issue. At present the 'official' penetration of Linux into the desktop market is something around 1%. The writer of this article doesn't give figures, but it sounds like he may have stumbled on several times that percentage of desktop Linux installations. If so then this is an important trend. Linux got its foot in the datacentre door in exactly the same way a few years ago, with unofficial installations doing odd server jobs.
If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?"
I work at the comptuer science department of a major universtiy, we've got runaway LINUX everywhere. We've gone so far as to restrict our switches by MAC address and no longer allow anyone in our network unless they tell us what OS they are running and have installed all the security updates.
In a previous job I've found Linux and BeOS
desktop installations. While I was pro alternatives to Microsoft, there was the concern about security - e.g. open e-mail relays, unpatched servers. The company ended up with a policy of permitting Linux on the desktop, but not supporting it. If you had an application issue - you were on your own. The only users that ran it had a clue and we didn't run into issues. Being a research environment, Linux ended up replacing SGI systems as the scientific workstation standard.
Aside from my laptop and my desktop, we have no Linux desktops. I do network scans and such monthly, and aside from a few Linux-powered embeded devices, I've seen nothing interesting. Mind you, I work at a hospital. There are not very many technically inclined folks here.
Never eat more than you can lift -- Miss Piggy
I wouldn't dare reformat a work machine with another OS. The feasibility isn't the problem - it's the wrath of an angry sysadmin that is. I would like to keep my job in this economy.
I DO, however, frequently boot my machine with knoppix. Most corporate IT environments prevent users from installing their own software - but Knoppix has pretty much every app I need. I sacrifice local file storage and some embedded data like PIM stuff, but its just more comfortable and doesn't raise the ire of the lesser IT geeks.
In the last infrastructure upgrade we did, all 60 machines were identical:
FreeBSD 4.7, autostart XFree86,
full-screen RDesktop to central Win2k Terminal Servers.
User's still think they have a windows
box(windows splash screen on boot).
Does this count?
they almost certainly would have no antivirus software
:)
Oh, for the miniscule number of Linux viruses?
no agents for our desktop license management
Since *most* software that requires license management is either Windows-only or hard for Joe User to come by, I don't see this as a huge problem either.
and almost certainly wouldn't be keeping up with security updates.
Ah, now this is a real concern. I would hope that your company has firewalls, but I can certainly understand not wanting them to be your *only* line of defense.
the users don't own their machines - the company does. if they want to piss around with _any_ os, let them do it on their own time, on their own network, and on their own equipment.
I can certainly understand this. When you're responsible for eleventy jillion desktops, you can't have people going rogue on you. At least not without knowing that if you have to come fix their PC, it's getting reimaged.
Now, I personally happen to run a stealth RH install, dual-booting to Win2K for when I just have to do something in Windows. My workstation, however, is well-secured, and has updates applied regularly. I have *never* had to bug the IT department, and my workstation is exceedingly well-behaved on the network. If the IT department decide to be real hard-asses about it and reimage me, I'll understand. Doesn't mean I won't be cranky, though.
49 20 68 61 76 65 20 74 6F 6F 20 6D 75 63 68 20 66 72 65 65 20 74 69 6D 65 2E
Where I work (part of Harvard University), Linux is definitely growing, but is a distant third behind Windows and MacOS. The IT department here is pretty strict about what they say you can and cannot do (kind of odd in an academic environment, if you ask me); as an example, one is not supposed to deploy ethernet hubs without seeking permission first. This just to give you an idea about them.
I've been here 3 years. Last year and the year previous to that, all of the IT web pages said that the only officially supported OSes were Windows and MacOS, with a stern implication that that was it (and don't you think about using anything else, grrr!). This year, they've acknowledged that Linux exists, and are giving some support for it. The IT folks are at least aware of Linux now, a change for the better.
Why is this happening? Because there are a few researchers (including me) who have installed Linux on their desktop/analysis machines, and are doing their own system administration. But, these users still need to fit into the global IT picture, for example, communicating with the email servers. As we have migrated from one email system to another recently, the IT folk have visited every single user (no, not kidding) to move their email system over. The fact that I was running Linux was not only no big deal, but they even correctly guessed which mail client I was using, given that I was running Linux. We are, slowly, winning.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
would kind of count as a security risk in itself, wouldn't it?
> --- All Of The Above --- >
I can see where there might be some security concerns, but I think the real concern for IS (IT, whatever) is being in control.
I work for a company that was heavily Unix (and X-terms) until the LAN somehow became all MS PCs. Now people and projects are insisting on replacing not only MS but Sun and SGI stuff with Linux. We are meeting heavy resistance from IS.
They are claiming that it costs more to administer a Linux box, even though we've been in meetings and showed that it wasn't true, based on recent experience. They refuse to give even knowledgeable users superuser privileges on their own machines, although Windows users can install anything or delete everything on their boxes at will.
To me it appears that some of the people in IS are afraid of being made less powerful, less needed, and less relied upon.
I work at one mega-monolithich US international -- though we're mostly nerds here (R&D).
.....
I'm not a sysadmin, but I'm one of the people that has installed Linux (I didn't blow away the corporate windows install, for accounting sakes) on his own at work.
How did I get the corporate mail client (MS only) and other ends to work? I downloaded custom-wrapped wine rpms created (on their spare time) by other coworkers on the other side of the country at another research facility. This was hosted on a un-official internal "Go Linux!" website, for all of the company's employees to see (we're allowed to have personal and "club" websites) and download (they have all of MS Office 2K running smoothly, along with Notes, the corporate e-mail client).
I got a couple of coworkers excited about Linux -- mind you, we're not just another corporate center, this is a hardware R&D filled with geeks (the sort of people that aren't sysadmins, but might play them on slashdot!) so I imagine we're at one end of the scale in the corporate world. But, thanks to Knoppix (try out a recent Linux distribution with zero liability on the company's computer to see if all your stuff is recognized! What a sale!) I've managed to get even some of the "old crusties" excited about Linux.
Anyways, my sneaking suspicion (and my hope! so this probably biases my "suspicion") is that there is a large number of uncounted Linux installs, and growing.
I was concerned about security, but who are we kidding? I know to not rest on laurels and all that (keep this RH73 as up to date as possible), but the alternative for my machine is Win2K, and we've been through the wringer with updates, worms, reboots and virus infected computers on *that* platform
Company shall remain nameless for my protection -
.
The home office has a special network security "swat team". Last year, they did a security audit of our site, which consisted of trying to hack into our network, from the inside.
They found several rogue Linux boxes, and were able to hack into them through ftpd. Holy hell was raised. All Linux was purged from our network. Oddly enough, here it is, 8 months later, and nearly every developer has a second box on his or her desk, with, you guessed it, Linux. However, it's a distribution and configuration, approved and controlled by IT.
It's all about control with these guys. .
You'd think that black leather keyboards with spikes and clamps would be popular with these freaks.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
now that i can see the point of, but perhaps instead of viewing linux has a second teir "problem" he should talk to the people who installed it and find out what they can do.
i have a local gentoo build server with 2 python scripts, and some cron jobs my systems are updated daily on my home network (14 machines. varying from athlons, to mips, to alpha) (not running gentoo on the mips, that runs irix [octane])
"Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
The weaknesses from the rogue installs ...come from the installation of third-party applications and utilities, which can leave a desktop or server vulnerable to attack if set up incorrectly.
Huh? What total Microsoft brain washing! What is a "third party application" in the free software world? This dude has his head shoved so deep into the M$ world that he confuses all the crap and spyware that accumulates on windoze boxes and runs as root with free software. I don't know how he's transfered his complete lack of control over Windoze onto software that works. I don't get it.
He goes on, after mentioning that he might be man enough to run Red Hat. He thinks it could do his company good to replace the hideous pile of Word Docs that is their QA tool because it sucks to have to do a "word search" to find information in the 300 reporst/year they generate. So true, just putting those things on a Samba server so you can use grep and find would be really helpful. Imagine how nice his life would be with a nice little mySQL/PHP webform for entry and search instead of a Word template. Progress, forge on brave man!
But, oh no, he shrinks from the fear of vulnerability:
For example, there always seem to be vulnerabilities associated with programs such as file transfer protocol, sendmail and Apache. And other open-source software is vulnerable, especially when the developer hasn't written the program with security in mind.
Poop. Plain and simple poop. Sendmail handles most email. Apache handles most web sites. Who needs ftp when you've got ssh? Well, anonymous ftp is a nice way to share big piles of files and programs like proftp are plenty secure. This is total shit to scare people who don't know what file tranfer protocal is, but like the ease of windoze file sharing. It's ignorant if not intentionally misleading. This line says volumes:
We can't eliminate Linux
No, but some fools wish they could. Other people everywhere are learning all the good things free software can do for them.
Anyone who's worried about security should use Debian's stable distribution. Not only is it all field tested, upgrades can be applied everyday from http://security.debian.org via shell script. Unlike the windows world, these updates install easily and don't break other "third-party" applications.
You say:
This could make the case for desktop Linux look worse, if people are not securing their dektops and/or keeping up with security updates.
That seems to be the intent of the article. Fortunately, only the very ignorant will pay attention to such nonsense and it can easily be deflated. Microsoft is going to have to try much harder than this to keep people away from superior software. Then again, I'm not sure how they can do that. The thing that makes the best case against the Windows desktop is it's record. That now including the author's laborious treck around his company caused by yet another Windows failure. There is not software anywhere with such bad performance.
Friends don't help friends install M$ junk.
assuming for a second that the person involved is actually able to install Linux(not stuffing a CD-Rom and/or floppy drive into a machine does wonders) and has sufficient rights under Win2k/XP the answer would be to reduce the main partition a bit in size using for example partition magic, and then happily installing mandrake on the side. Red hat might be an option too, but that'd require installing NTFS "support" separately, which, otoh, isn't all that hard to do either...
From a personal perspective, my previous employer didn't give a rat's ass what OS I ran, as long as it ran the software we used. The reply I got when I asked if I could was something like "oh sure, but you do it on your own time, and if it breaks, don't come whining to us..."
People replying to my sig annoy me. That's why I change it all the time.
Very few large corporations have the time or the tools to patch hundreds of MS desktops. As a result in every corporation there are hundreds if not thousands of vulnarable windows desktops and cluless IE users merrily surfing the web and getting hacked by script kiddies.
War is necrophilia.
Well, my employer allows virtually any os that a given user might need to run (we're a research facility). The IT people do regular vulnerability scans of the network and the linux users that I know (myself included) have never failed to pass the scan. The same can't be said for most of the MS users, or event the Solaris users for that matter. I don't hear much from the MAC users.
I guess my point is that it is not so much what os a person runs as it is the IT policies and how well they're enforced. Keep up with security patches, don't install untrusted software, good password policy, etc. These things aren't unique to any particular desktop OS and any user could potentially violate them. However, any user that depends on their system for everyday tasks isn't going to intentionally munge it up since they lose the use of it while you may be inconvenienced with rebuilding it. There is always the danger of the 'malicious insider' and we risk it every summer with an influx of student help that always includes some idiot that will try 'bad things'. Deal with them swiftly and harshly and make sure everyone knows about it and you can keep it to a minimum, but you can never eliminate the risks completely.
While I agree that the previous poster is overzealous, there is a kernel of truth in some of what he says.
You are IT. You are present to help workers get their damn work done, not to push some random personal agenda. If you wipe an entire system and kill that employee's work, you are a serious impediment to getting work done
In most companies, the standard OS is hardly a "personal agenda" - and the worker that installs a new OS on his/her computer without authorization is hardly "getting work done".
Most large companies I know don't allow you to keep your work on your local machine, as it makes all kinds of problems for backups, upgrades, and hardware trouble. Instead employees save all of their work to a central fileserver, which gets backed up on a regular basis. Re-imaging a machine is not a big deal. Even the place I work now (total of 20 employees) does this.
WTF does the OS have to do with this?
If the sysadmins don't know Linux, then they won't be able to fix the breakin.