Slashdot Mirror


Desktop Linux Sliding in Under the Radar?

Paul Johnson asks: "This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications, but there is a wider issue. At present the 'official' penetration of Linux into the desktop market is something around 1%. The writer of this article doesn't give figures, but it sounds like he may have stumbled on several times that percentage of desktop Linux installations. If so then this is an important trend. Linux got its foot in the datacentre door in exactly the same way a few years ago, with unofficial installations doing odd server jobs. If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?"

25 of 742 comments

  1. Not exactly ... by BabyDave · · Score: 5, Funny
    If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?

    I tripped over my mail server last week. Does that count?

    1. Re:Not exactly ... by VPN3000 · · Score: 5, Insightful

      I am not buying into this article for the fact that I've worked in large 'shops' of 2,000 workstations up to about 8,000. None of these shops would find, then allow a non-approved OS to continue to run on their networks. This type of thing is basic "Information Security did a weekly scan, found it, helpdesk seized the machine and re-imaged it with Windows 2000" routine.

      I used to agree with giving employees freedom to run whatever OS they are comfortable with, but you have to take into consideration the Information Security view on things. A *nix OS with a few network tools installed, gcc, and some skills can lead to a lot of problems for the company.

      Think that's silly? Think again. Think about doing technical support for bitter and unthankful lusers. Your boss is an asshole. You make $23k/year and missed your shot as an [insert engineer/developer position here] before the bubble popped. No hope for a future with the company since they have a revolving door system in place where 3/4 of the low-level staff is on temporary contracts that expire every 90-300 days.. I know, it's sad and I've seen a lot of talent from people stuck in these types of jobs and feel terrible for them. But, this is a common person in technical call centers. I've seen enough from that single profile to type pages, but I'll stop and save it for another post.

      Do you trust this employee enough to let him run FreeBSD? You want him having direct access to the 'net without a proxy? I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits. What if he's okay but his box ended up getting owned because he downloaded bad BitchX source? That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical. That's the tip of the iceberg when it comes to what happens when your office gets owned. Even if workstations are usable, every workstation on the local subnet and server they have ports open to via the firewall have to be investigated. This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again. Somewhere around noon, the guy from Public Relations will likely be on the phone wanting to know what to tell CNN when he calls them back. Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share. That's potential millions depending on how big your company is.

      Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax. I'm very pro-Linux/BSD, but not in an environment where it's not needed (All those workstations came with an OS you paid for anyway). I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.

      My stories are actual events portrayed by actors.

    2. Re:Not exactly ... by Geek+of+Tech · · Score: 5, Insightful
      Not trying to be flamebait, but, uh, if someone had a desire to compile a program, couldn't they just download MingW32 or DJGPP or something else?
      I don't know about your company, but at my school (I was resident Geek), we set it up so that the DHCP server would automatically set the proxy up as a gateway. We never had any problem about people accessing the internet without going through a proxy.
      And aren't the chances of getting some form of backdoor actually greater for windows? Picking them up via email, bad downloads, even browser security flaws.

      I see where having an unauthorized anything running could be a problem, but just linux in general, no, danger isn't in the software as much as it is in the hands of the user.

      --
      Stop the Slashdot effect! Don't read the articles!
    3. Re:Not exactly ... by tkg · · Score: 5, Interesting

      Well, my employer allows virtually any os that a given user might need to run (we're a research facility). The IT people do regular vulnerability scans of the network and the linux users that I know (myself included) have never failed to pass the scan. The same can't be said for most of the MS users, or even the Solaris users for that matter. I don't hear much from the Mac users.

      I guess my point is that it is not so much what os a person runs as it is the IT policies and how well they're enforced. Keep up with security patches, don't install untrusted software, good password policy, etc. These things aren't unique to any particular desktop OS and any user could potentially violate them. However, any user that depends on their system for everyday tasks isn't going to intentionally munge it up since they lose the use of it while you may be inconvenienced with rebuilding it. There is always the danger of the 'malicious insider' and we risk it every summer with an influx of student help that always includes some idiot that will try 'bad things'. Deal with them swiftly and harshly and make sure everyone knows about it and you can keep it to a minimum, but you can never eliminate the risks completely.

    4. Re:Not exactly ... by hellraizr · · Score: 5, Insightful

      I think most people are missing the point here. most, AND I MEAN MOST companies are not huge corporate giants running 3 flavors of oracle/informix/peoplesoft. in fact, most huge places still don't run windows. I have worked for 3 separate companies where almost every male employee ran linux. especially in ISP and hosting/datacenter environments. this view is typical of the MCSE type IT person who eats, sleeps, sh!ts and breathes micro$oft and ZDnet. I personally have noticed a lot more personal freedom to run whatever OS you choose, as long as you're firewalled or are fully capable of doing your job. I haven't used windows in the work place since Netware 5.00 was released and I don't see myself doing it any time soon either. another thing to point out. you made a mention of proxy? again, purely micro$oft induced thinking. proxy servers are great for low bandwidth connections but are extremely exploitable by nature. in trying to put up a protection point you expose yourself to the internet even more. true ip routing and firewalls are your best bets for internet access and security. also they allow you to control a lot more of what your company can do online without infringing on exec's ability to communicate in private. the internet and corporate computing were built on unix, are _STILL_ unix based in some variant or another, AND ALWAYS WILL BE. it still takes a farm of dual xeon windows boxes to do what 1 p3-ghz with 256mb ram unix box can do in its sleep. in the broader scheme of things I personally see linux coming of age in the workplace as a desktop OS. new tools enable it to be far more expandable, secure, and user-friendly than windows can ever be. if you're a stickler for IT security, there is no reason on earth to run windows in a corporation. the NSA said it best "There is not enough man power in the entire US government to secure windows for proper use by federal agencies".

  2. I only wish! by pjack76 · · Score: 5, Funny
    I have this fantasy where I walk into work and everyone's installed Linux on their own and I don't have to image another NT workstation ever again, and I realize I've died and gone to heaven where the bad men can no longer hurt me.

    Is the sysadmin sure he wasn't dreaming?

    --

    Wow, a lucrative publishing contract! I don't have to be evil anymore. --Meteor

    1. Re:I only wish! by archen · · Score: 5, Insightful

      Installing Linux on their own is a bit much. My dreams are really simple - like I just have this button that shocks people and they just magically get a clue - like why sending a 5 meg bitmap to a guy who accesses his email through a 28.8 modem is a dumb idea.

      Actually in all honesty I wouldn't want people installing Linux on their own anyway. All users with admin privileges? I don't know what kind of heaven you're going to, but count me out! =P

  3. Undercover LINUX by Anonymous Coward · · Score: 5, Interesting

    I work at the computer science department of a major university, we've got runaway LINUX everywhere. We've gone so far as to restrict our switches by MAC address and no longer allow anyone in our network unless they tell us what OS they are running and have installed all the security updates.

    1. Re:Undercover LINUX by innosent · · Score: 5, Insightful

      We've gone so far as to restrict our switches by MAC address and no longer allow anyone in our network unless they tell us what OS they are running and have installed all the security updates.

      Ok, I'm confused here. What exactly is extreme about limiting access to known MAC addresses? Any sprawling network where access to the backbone (i.e. wallplates) can't be controlled should do this. It's just common sense.
      As for not allowing anyone on without them telling you what they have, how do you make sure they keep updating? Was it fine for people with WinXP boxen to join the network when XP was first released? Being "up to date on patches on 10/07/02" is great, but utterly meaningless if no patches have been installed since then. Having a required set of patches is nice, but having a good security policy is far better.

      Of course, I've always wondered about college networks, since they seem to prefer sending nastygrams or denying access to users, rather than prevent users from doing those things. Want to stop shared folders, file sharing, worms? Set the switches to only allow traffic to pass completely through the switch, not between ports on the switch.
      Besides, the average user has no need to be accessible from any other machine, and especially not from outside the local network. Use NAT, separate users from each other, and be done with it. If a user gets a virus/trojan/worm, f@*k-em, at least it won't spread through the network.

      --
      --That's the point of being root, you can do anything you want, even if it's stupid.
  4. Unofficial installations by cfl · · Score: 5, Interesting

    In a previous job I've found Linux and BeOS desktop installations. While I was pro alternatives to Microsoft, there was the concern about security - e.g. open e-mail relays, unpatched servers. The company ended up with a policy of permitting Linux on the desktop, but not supporting it. If you had an application issue - you were on your own. The only users that ran it had a clue and we didn't run into issues. Being a research environment, Linux ended up replacing SGI systems as the scientific workstation standard.

  5. Does this count? by AWrinkler · · Score: 5, Interesting

    In the last infrastructure upgrade we did, all 60 machines were identical:
    FreeBSD 4.7, autostart XFree86,
    full-screen RDesktop to central Win2k Terminal Servers.

    Users still think they have a windows box (windows splash screen on boot).

    Does this count?

  6. Nope Not at all by visionsofmcskill · · Score: 5, Insightful
    Between Two semi-large internet companies and several smaller ones i have NEVER run into any non-IT unix/linux box amongst my users.... EVER.

    In truth beyond the server farms i've worked with at said companies the only person possessing any *nix variant has been myself (including mac os X...) While i can see this as being an occasional happening in dorkier companies... even then i find it not very likely.

    mainly because business use predominantly revolves around outlook exchange's shared meetings and various other stupid stuff.... in addition to the baseline ease of use (overall managerially) network administration of an all windows environment.

    I would NEVER support a linux desktop distro amongst my users.... MAC OS X ... yes.... but not Linux for any reason on god's green earth... can you say nightmare? I love Linux.... but it just is NOWHERE near as streamlined as windows or macintosh... especially from a support stance.

    My personal feelings are *nix for network devices.... Windows server/client for data sharing email and so on.... and Mac os X for end users who are more inclined towards media production (basically people who aren't finance/sales).

    This setup puts the *nix boxes in my realm... and i'd be grateful that no unwitting user *accidentally* installs another DHCP, DNS, SMTP, etc... server on my network. I'd also be thankful not to be asked how to make packages work correctly between KDE, gnome, X, or whatever else joe moron decides to use.... or how to fix their freakin window manager because KDE offers 5 different programs just to change the layout/widgets.... no thank you.

    Of course this poster assumes that the people who do so, do so knowing people like myself won't support them... and more than likely will be highly un-happy with their network being potentially compromised...

    not trying to spread FUD.... but i'll wait for a tighter distro before i promote *nix on the desktop.... only one so far (with flying colors) is OSX.

    --
    --Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?
    1. Re:Nope Not at all by 1lus10n · · Score: 5, Insightful

      actually your post is pretty much just FUD.

      firstly you wouldn't have to worry about them installing a rogue DHCP server if you didn't give them root. As a matter of fact don't even install KDE if you don't need it. you really must have no experience with modern desktop linux installs, otherwise you would have known that: "I'd also be thankful not to be asked how to make packages work correctly between KDE, gnome, X, or whatever else joe moron decides to use" is rather retarded since most apps work fine nowadays, Redhat has a unified desktop which makes the "visual" difference between kde and gnome moot, and redhat would support any other issues you have if you bought a support contract. same as with any other OS.

      as for streamlined management well you could simply run a local up2date server with cronjobs as necessary, and run ssh locally on the clients so that when (and this will be very rare) there is an issue you can just ssh into the box and fix it.

      i personally work at an outsourcing company, 3500 employees and we have about a 20% linux desktop install, growing slowly. why ? ease of administration. you have a policy that states what IT supports (evolution, mozilla, gaim etc) and whenever somebody asks for help with something not supported you point and say "No". And the best part is you don't have to have someone running around constantly re-imaging all of those windows boxes....

      --
      "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
  7. Re:This is unexpected? by Noumena · · Score: 5, Funny

    not only that, but my unofficial linux install is a good way for me to know that the corp doesn't have any spyware on my boxen. That and I stopped hitting my monitor so much after I installed linux.

  8. Re:Remember... by grungeman · · Score: 5, Insightful

    Yes, and that is exactly why they are asking for other sysadmin's experiences. Got it?

    --

    Signature deleted by lameness filter.
  9. Re:they better not by Chewie · · Score: 5, Interesting

    they almost certainly would have no antivirus software

    Oh, for the minuscule number of Linux viruses?

    no agents for our desktop license management

    Since *most* software that requires license management is either Windows-only or hard for Joe User to come by, I don't see this as a huge problem either.

    and almost certainly wouldn't be keeping up with security updates.

    Ah, now this is a real concern. I would hope that your company has firewalls, but I can certainly understand not wanting them to be your *only* line of defense.

    the users don't own their machines - the company does. if they want to piss around with _any_ os, let them do it on their own time, on their own network, and on their own equipment.

    I can certainly understand this. When you're responsible for eleventy jillion desktops, you can't have people going rogue on you. At least not without knowing that if you have to come fix their PC, it's getting reimaged.

    Now, I personally happen to run a stealth RH install, dual-booting to Win2K for when I just have to do something in Windows. My workstation, however, is well-secured, and has updates applied regularly. I have *never* had to bug the IT department, and my workstation is exceedingly well-behaved on the network. If the IT department decide to be real hard-asses about it and reimage me, I'll understand. Doesn't mean I won't be cranky, though. :)

    --
    49 20 68 61 76 65 20 74 6F 6F 20 6D 75 63 68 20 66 72 65 65 20 74 69 6D 65 2E
  10. I work for M$ by civilengineer · · Score: 5, Funny

    and all our systems have rouge linux installs. It's true! ;)

    --

    New year Resolution: Don't change sig this year
  11. Re:Now that's one of those Ask Slashdots even I ca by innosent · · Score: 5, Funny

    Well, it's redundant because it's not a troll, it's not flamebait, and it's not offtopic. I suppose it could be overrated instead, but the point of the article was to hear experiences from people who have found desktop installations at work, not hear 600,000 "No" answers from people who haven't. If there was a "-1 Pointless Comment" mod, you'd have gotten that, but there isn't.

    --
    --That's the point of being root, you can do anything you want, even if it's stupid.
  12. Re:they better not by invoke · · Score: 5, Insightful

    I used to be a manager at Dell, and I can tell you that if you had presumed to format one of my or my developers' machines without first getting authorization from me, you'd be fired and "walked out of the building" the following day.

    Maybe the authorization got misrouted.
    Maybe you are wrong about either the authorization or the requirement for it.
    Maybe it was an experiment on a dept. system.
    Maybe it wasn't hooked to the network.
    Maybe we were testing the system's Linux compatibility at the end of the day and left it 'till the morning to finish.

    In my tenure at Dell, all these things were true at some point or another, and no one formatted our systems. We were too busy to get in the pissing matches that would have started.

    Certainly you should quit abusing your very limited power and try to help rather than simply jumping to conclusions.

  13. Extreme prejudice 101 by T3kno · · Score: 5, Funny


    localhost / # format c:
    -bash: format: command not found
    localhost / # fdisk c:

    Unable to open c:
    localhost / # deltree *.*
    -bash: deltree: command not found
    localhost / # del *.*
    -bash: del: command not found
    localhost / # sys c:
    -bash: sys: command not found
    localhost / # help
    GNU bash, version 2.05b.0(1)-release (i686-pc-linux-gnu)
    <snip>
    </snip>
    { COMMANDS ; }
    localhost / # fsda;lkjafdjl;kwfoied
    -bash: fsda: command not found
    -bash: lkjasdjl: command not found
    -bash: kwfoied: command not found
    localhost / # <insert_vcr_led>


    Sobbing....I HATE LINUX....

    Somewhere a penguin smiles.

    --
    (B) + (D) + (B) + (D) = (K) + (&)
  14. Re: _A&T Manual ;-) by sICE · · Score: 5, Insightful
    Quote:

    If you are trained in computer sciences, you unconsciously tend to think that everything that is easy for you is easy also for the others; well, it's not! All the knowledge you have built during many years is a mystery for them. On the net, you often find expert and trained people, because it's the right place to find them. Everywhere else in the world, they are rare.

    _A&T

  15. Ignoring the standard MS shot... by el-spectre · · Score: 5, Informative

    The point is, a sysadmin can patch and update winders machines remotely and en masse. If he doesn't know about the linux machine, then he obviously has a hole in his security plan.

    --
    "Faith: Belief without evidence in what is told by one who speaks without knowledge, of things without parallel." - A.B.
  16. Re:User Installed *anything* by KevinJoubert · · Score: 5, Insightful

    I think we are forgetting something fundamental here... the whole idea of policies and security with respect to installing rogue applications stems from the fact that Windows and Windows networks are so damn easy to completely break.

    If I install a program as a user on my Linux box, or even in my user space on the departmental server... it has no effect WHATSOEVER on the rest of the server or the other users. That's what a multi-user OS "is". You can't even TOUCH that with ANY Windows implementation.

    This discussion is not about "Oh, I can break into any box and install Linux". Sure you can. There is no way to stop. Lock it up? pick the lock. Remove the floppy and cdrom? install one or do a network install via crossover cable and another box. Blah blah blah.

    The idea is that Linux IS in far more places than people know. And it will only grow in the future. Will it supplant MS as the "King of the desktop"? Who the hell cares... but people have a choice now.. and they ARE choosing it.

    --
    -K.
  17. Re:This is unexpected? by Jedi+Alec · · Score: 5, Interesting

    assuming for a second that the person involved is actually able to install Linux(not stuffing a CD-Rom and/or floppy drive into a machine does wonders) and has sufficient rights under Win2k/XP the answer would be to reduce the main partition a bit in size using for example partition magic, and then happily installing mandrake on the side. Red hat might be an option too, but that'd require installing NTFS "support" separately, which, otoh, isn't all that hard to do either...

    From a personal perspective, my previous employer didn't give a rat's ass what OS I ran, as long as it ran the software we used. The reply I got when I asked if I could was something like "oh sure, but you do it on your own time, and if it breaks, don't come whining to us..."

    --

    People replying to my sig annoy me. That's why I change it all the time.
  18. Re:IT headaches by Anonymous Coward · · Score: 5, Insightful

    >> If management at our company asked for Linux, we would have to say no.

    Yeah, telling your boss no is such a great way to keep your job. The conversation would go like this.

    Boss: "I hear that this Linux thing is saving other companies millions of dollars a year. Let's do a test pilot."

    You: "No."

    Boss: "OoooooKay... Why not?"

    You: "We don't know anything about Linux in the entire IT department."

    Boss: "But from everything I am reading it is the next BIG THING [TM]"

    You: "We don't know anything. And even though I don't know anything, I am guessing that it costs more to install, train and hire for it."

    Boss: "Isn't that what a pilot program would tell us? I tell you what. Hire someone who knows Linux and have them perform a pilot."

    You: "No."

    Boss: "Look, I am getting a little tired of this. Do what I say."

    You: "No."

    Boss: "You're fired."

    You: "Booo Hoooo!"

    >> None of us know Linux very well, unfortunately.

    You don't know Linux? Is your head buried in the sand? Haven't you been hearing more and more and more about Linux over the past 5 years? Do you have so little motivation that you can't download a free iso image from the internet, burn it to a blank CDROM and then install Linux on an old Pentium computer you have just laying around?

    >>It would cost a fortune in training and hiring as well as the labor involved changing everyone over.

    Actually, the payback for switching over to Linux is immediate and begins paying back the first year, if Linux will work for you at all. Do a pilot program and see if it will work for your company. At the very least, even if you keep using windows look at switching the non power users over to open office.

    >> Besides, with our Dell account we basically get the OS for free when we buy PC's.

    Oh, you pay.