Slashdot Mirror


Reflecting on Linux Security in 2003

LogError writes "Here's a look at some interesting happenings with Linux security in 2003 with comments by Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of "Real World Linux Security") and Marcel Gagne (President of Salmar Consulting, Inc. and author of "Linux System Administration - A User's Guide" and "Moving to Linux")."

18 of 167 comments

  1. Nice idea (?) by Elie De Brauwer · · Score: 5, Interesting

    Quote from the article: SecurityFocus columnist Hal Flynn notes that he doesn't understand why Linux vendors that put so much time and money into creating security patches distribute them for free. --> Just imagine the amount of e-mail worms there could be out there if people had to pay for Outlook updates.

    1. Re:Nice idea (?) by Mostly a lurker · · Score: 4, Interesting
      I think that security updates for ANY OS or application, regardless of the status of its source code, should be free and available for everyone.

      I am not disagreeing, but there is an implied assumption in your post: that fixes are always available. A serious security issue will rapidly be fixed in any widely used open source product. With closed source products, provision of a fix is at the whim of the vendor, and serious security exposures can sometimes go months without a fix.

    2. Re:Nice idea (?) by The One KEA · · Score: 2, Interesting

      I think you just agreed with me....

      What I was trying to say was that regardless of whether or not the OS or application in question has source available, when a security problem is discovered involving one of those items, the fix should be written, tested and made freely available without expectation of remuneration. Especially in the case of OSS security fixes.

      I don't mean to beat a dead horse here, but that's another advantage of open source: when security problems appear, the fixes for those problems are more likely to be available.

      --
      SCREW THE ADS! http://adblock.mozdev.org/ Proud user of teh Fox of Fire - Registered Linux User #289618
    3. Re:Nice idea (?) by Cody Hatch · · Score: 4, Interesting

      Mmm, you're close. More correct would be:

      Forcing people to pay for security updates would be stupid IF it guaranteed the insecurity of a greater number of Internet-connected machines.

      You are, of course, assuming that a smaller percentage of people will install the available patches if they have to pay - which is obviously true. You are also assuming that nobody will be lured to write a patch for an unsolved vulnerability by the thought of large piles of cash, which is obviously incorrect.

      To put it another way, by limiting the price to zero, you will cause a shift in both the quantity demanded and the quantity supplied. When there is a shift in both, you can make no conclusions about the net effect on the equilibrium point. :-)

      In *general*, it would be quite silly to charge for a patch to Apache - but it's easy to imagine a specific case (maybe a remote root exploit) where volunteers might be able to deliver a patch in 36 hours, but someone might be willing to pay for a patch delivered in 12 hours[1], even knowing that another 24 hours would give them a comparable patch for free.

      In that situation, how could you possibly argue that banning payment (meaning there won't be any patch for the full 36 hours) would do any good? Or for an even better example, what about a program so old and/or obscure it simply won't BE patched if someone doesn't pay?

      [1]: Feel free to substitute your own times if it makes the example seem more realistic to you. Hours, days, weeks, minutes.

  2. Re:Head, meet Sand by divide overflow · · Score: 3, Interesting

    > From the looks of things, they still have a while to go. IMO, Linux people talking about security is like that saying about people who live in glass houses.

    Note that many if not most of the vulnerable programs shown in your link to securitytracker.com are not related to the Linux kernel nor part of most Linux distributions. This makes for a potential "apples to oranges" comparison with Windows vulnerabilities.

  3. Re:Head, meet Sand by t0ny · · Score: 4, Interesting
    Apparently you missed that story last month regarding the hack which exploited a kernel bug. This affected ALL distros, since it was a kernel exploit.

    Also, the page for Windows doesn't just list OS components either. So, as far as Security Tracker goes, it IS apples to apples. One can also argue that IIS is not really a Windows component, since it is an optional service. But that's the way they organize their site. If you don't like it, talk to Security Tracker; I'm sure they would be happy to hear from you!

    --

    Manipulate the moderator system! Mod someone as "overrated" today.

  4. Best security fix in Linux: 'tar' by jkrise · · Score: 4, Interesting

    A simple backup-restore utility that allows users to back up all their filesystems, and restore them in the event of a crash. A separate unmounted filesystem to store the 'image' - no worm can get past this simple strategy. A major security breach? Simple:

    1. Remove network cable (OR) Internet connection.
    2. Boot from tomsrtbt
    3. Mount backup partition(s)
    4. Run simple restore script.
    5. Reboot and enjoy!

    Can any other OS do this, with off-the-OS tools?


    --
    If you keep throwing chairs, one day you'll break windows....
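    Steps 3 and 4 of the recipe above, as an added example in POSIX shell (not the poster's own restore script), with one addition a restorer wants: a checksum recorded at backup time and verified before anything is unpacked. It assumes tar and cksum are available and that the backup directory is the separately mounted partition:

```shell
#!/bin/sh
# Added example, not the poster's script: tar backup to a separately mounted
# directory, plus a checksum that must verify before a restore unpacks.
# Assumes POSIX sh, tar and cksum only.

# backup_tree SRC_DIR BACKUP_DIR NAME -> write NAME.tar and NAME.cksum into
# BACKUP_DIR. Archive paths are relative to SRC_DIR, so a restore into a
# freshly mounted root does not depend on absolute paths baked in earlier.
backup_tree() {
    _src=$1; _dst=$2; _name=$3
    [ -d "$_src" ] && [ -d "$_dst" ] || return 1
    # -C: change into the source so /etc is stored as ./etc in the archive
    tar -cf "$_dst/$_name.tar" -C "$_src" . || return 1
    # Record "crc size name" for later comparison; run from BACKUP_DIR so the
    # name in the record is the same one verify_archive will compute.
    (cd "$_dst" && cksum "$_name.tar") > "$_dst/$_name.cksum"
}

# verify_archive BACKUP_DIR NAME -> 0 if the archive still matches the
# checksum taken at backup time, 1 otherwise (tampered, truncated, bad media).
verify_archive() {
    _dst=$1; _name=$2
    [ -f "$_dst/$_name.cksum" ] || return 1
    _now=$(cd "$_dst" && cksum "$_name.tar")
    [ "$_now" = "$(cat "$_dst/$_name.cksum")" ]
}

# restore_tree BACKUP_DIR NAME TARGET_DIR -> refuse unless the archive
# verifies, then unpack it into TARGET_DIR (the newly mounted root).
restore_tree() {
    _dst=$1; _name=$2; _target=$3
    verify_archive "$_dst" "$_name" || return 1
    [ -d "$_target" ] || return 1
    tar -xf "$_dst/$_name.tar" -C "$_target"
}

# Typical use from the rescue boot, after mounting the backup partition on
# /mnt/backup and the wiped root on /mnt/root:
#   restore_tree /mnt/backup root /mnt/root
```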
  5. Re:Head, meet Sand by C10H14N2 · · Score: 4, Interesting

    Don't throw stones inside your modded linux box?

    Right, Check.

    As for security, that would explain why my Linux boxes have for years been under constant attack from compromised Windows machines without incident.

  6. Re:Head, meet Sand by dexterpexter · · Score: 2, Interesting

    Ahhh, but the difference is that if I throw a stone and break my little glass Linux house, I have the ability to fix it... for free. That is the beauty of Open Source.

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  7. Re:Security by dexterpexter · · Score: 5, Interesting

    I absolutely agree with every point in your bulleted list. But the short answer is yes, I do believe that bugs make it into code because of emphasis on cranking out software quickly. It would seem illogical to do so, true, but the sad truth is that it happens and I have watched in horror as it has happened at the place at which I work. When the CEO comes in screaming "ship it! ship it!" and you are given very little alternative, that is exactly what happens. And yes, it does cost more money to repair the bugs later than sooner, but management knows no logic, and developers many times get no say in when their project ships.

    Jack Ganssle gave a very nice keynote speech at the recent Boston Embedded Systems Conference that touched on those very same problems. We all know better, but it still happens. And no, not just at M$. However, when you can crank out a new OS every couple of years and the sheep still buy it despite knowing that the OS is unstable, then why not?

    Some of the security holes that we have seen come from M$ products (and other products as well!) show the lack of real testing... problems that never should have been seen by the end user.

    --

    *-*-*-*-*-*-*-*
    "We are Linux. Resistance is measured in Ohms."
  8. Short on facts by iron_weasel · · Score: 2, Interesting

    I found the article not very informative.
    It had a lot of verbiage but that's about all.
    'Someone said this, someone said that, yada yada.'

    Exactly how many holes were there? How many known of are still there? "Where's the beef?"

  9. Re:At least nobody claimed it was "objective" by X-Phile · · Score: 2, Interesting

    At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What's a reasonable period of time? I'd say 34 to 36 months. At some point, any reasonable users should understand that the best way to ensure continued support is to upgrade to something more recent.

    but then we have

    The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98 who have no source code to go back to when the next critical flaw is uncovered.

    So which is it? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)?

    You will notice that he said "an opportunity exists". That's ultimately what the open source model is all about, the opportunity to do something, the opportunity to change something. Whether people pick up the ball and run is up to them, but at least they are given the opportunity.

    Your points on UNIX history and security are interesting.

    UNIX evolved over time. Almost no attention was paid to security initially - was it even multi-user initially?!

    User and network security were unknown concepts at the time. That's like saying that we should have been preparing for the AIDS epidemic in the '70s.

    Linux wasn't designed with security in mind - it was cloned from a system which had security evolved and grafted onto it (UNIX).

    The security concepts were copied from UNIX to Linux, but the application level security, and the newly discovered types of programming errors (most, but not all buffer overflows, etc) were "coded out" so to speak.

    Remember when anyone could remotely kill a Linux box with the right UDP packets? Was that security by design?

    Remember when anyone could halt any Windows box with some fragmented IP information in TCP headers? Did MS foresee this and code to avoid it? Interesting how you're condemning Linux and OSS for not doing so.

    As for the OpenSSL and OpenSSH stuff, ok, I'll give you those ones =)

    I'd argue that with each year of Windows, we've only seen improvements. Does it then follow that there's only a bright future ahead? If so, how is Linux "better" in this regard? How is this news?

    When any company _innovates_ (embraces and extends, rapes and pillages, whatever), they are marching into new territory, and the territory is unknown. New innovations mean new possibilities for logic and programming errors for the first company to leap into that territory. The Linux community usually sees the innovations that MS, Apple, etc. are coming up with, and adopts them, without a lot of the inherent security issues and usability problems. That's not to say that there are no security issues, but a lot of the obvious ones are worked out.

    MS has in the past put the users' experience above the users' security, and as a desktop OS, this has worked for them, but they need to take a deeper look at application security, which is the reason why worms and virii are plaguing them to this day.

    My $0.02 CDN.
    --
    "Well you're not Fiona Apple, and if you're not Fionna Apple, I don't give a rat's ass."
  10. Re:At least nobody claimed it was "objective" by mbrinkm · · Score: 2, Interesting

    First

    costs in terms of data loss, damage, and lost productivity in the last three years alone runs into the billions of dollars. This is documented fact.
    Really? Which documents?

    From 2001 - CNN Survey: Costs of computer security breaches soar

    • http://www.cnn.com/2001/TECH/internet/03/12/csi.fbi.hacking.report/

    Second

    With every year since the birth of Linux we've only seen improvements so I think there's only a bright future ahead.
    I'd argue that with each year of Windows, we've only seen improvements.

    How can you actually believe that we have only seen improvements with Windows? Yes, there have been improvements in functionality and capability, but by no means has there ONLY been improvements. Tying an HTML interpreter's code to the OS's kernel is not only an abuse of the OS's monopoly, but also an ignorant way to package additional functionality. Or, how about adding functionality for admin purposes that is accessible to anyone on the Internet when the computer is connected to the Internet.

    Spammers slip ads through Windows
    • http://news.com.com/2100-1001_3-962483.html

    By the way - CNET is owned by Microsoft.

    How do I shut that service off without downloading a patch? I don't need the service, I don't want the service and I see it as redundant since I can e-mail updates or, this is novel, pick up the f-ing phone and call the person and tell them the message.

    PS - I run both Linux (Red Hat - for now) and MS at home on two separate computers - does that give me credibility in your eyes?
    --
    "Don't worry about people stealing an idea. If it's original, you will have to ram it down their throats." --Howard Aiken
  11. Re:SSH and SSL by jc42 · · Score: 4, Interesting

    I think it's ironic that the two things I had to patch most often this year were OpenSSH and OpenSSL.

    Well, I'd think that this is a Good Sign. The term "secure" doesn't really mean that no holes exist. That's hardly likely. What it really means is that no holes are known. Or, a hole was just discovered, and we're working furiously to fix it.

    The fact that these patches came out really means that the OpenSS[HL] crowd is 1) actively looking for problems, and 2) fixing them rapidly. In particular, they don't hide the problems behind a shield of secrecy, and they don't collect patches into sets to be released when the PR people decide it's appropriate.

    If their patches taper off, it will be time to take a skeptical look, to make sure that people are still actively attacking the OpenSS* code and trying to poke holes. If this process stops, we should worry. If people are still studying and attacking the code, but failing to find holes, we'll know we're in good shape.

    But we aren't quite there yet. So the patches are a Good Thing.

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  12. Re:At least nobody claimed it was "objective" by Anonymous Coward · · Score: 2, Interesting

    [quote]
    * UNIX evolved over time. Almost no attention was paid to security initially - was it even multi-user initially?!
    [/quote]

    Yes. Unix was created for the specific purpose of being a multi-user operating system. It was designed in an era where you had big mainframes with lots of little terminals and you shared everything.

    The main difference between it and other OSes designed in that era (and why it is still around) is that it is designed to be a completely portable OS, through the extensive use of C. Meaning that you could develop the code on a Vax, and recompile it to work on an x86 workstation without having to completely rewrite it.

    Everything has a specific job. It's designed in the layered approach where each program has a specific job to do and that's it. You can randomly replace any part of the OS with any other program as long as it correctly takes the inputs and makes the correct outputs.

    One of the major issues with MS security is that it is a model of an OS that was based on a pure single-user environment, and MS basically said that if users want security they would pay extra for it. This sucks for MS users because the OS is so tightly integrated that repairing or replacing any part of the OS can result in unpredictable issues with another subsystem that you would think would be entirely unrelated. So fixing the bad designs of the past 10 years or so is nearly impossible without a complete rewrite. And MS can't even do that.

    [quote]
    * Linux wasn't designed with security in mind - it was cloned from a system which had security evolved and grafted onto it (unix). Security is about trying to get perfect code out of imperfect people, and moreover, trying to get perfect designs out of imperfect people. NT _was_ designed from the ground up with security in mind. The security training happening recently at MS had a lot more to do with sloppy coding and thinking about security at every layer of the platform than it did with redesigning NT's security features (which are actually quite advanced)
    [/quote]

    I don't know what NT was designed from the ground up for. But your issues about Linux are unfounded and stem from ignorance. Linux is not a clone, it was designed as a POSIX-compatible kernel; internally it operates very differently from a *BSD or System V operating system. What you see lots of times is fairly cosmetic similarities. It is designed to be compatible with Unix stuff because it's an excellent and proven design, not to be a clone. It's similar to saying that Mozilla is a clone of Explorer, which is absurd.

    [quote]
    * Remember when anyone could remotely kill a Linux box with the right UDP packets? Was that security by design?
    [/quote]

    Sure, you could do similar things with all Windows OSes. Think about this: the same RPC vulnerabilities affected all OSes from Win9* to NT to WinXP. This means that a great deal of the code from WINDOWS 95 is still being used in Windows XP.

    If the head developers involved in the SMB protocol are any indication about the depth of understanding of the vague programming mess that is Windows, they couldn't match the knowledge that the head SAMBA developers had about their own OS!

    This is not encouraging. Seems to me that Linux continually rewrites and audits its code and is continuously improving its design, while Windows developers are faced by a morass of undocumented features and black-box programs where nobody is completely sure how they operate anymore.

  13. Re:At least nobody claimed it was "objective" by michael_cain · · Score: 2, Interesting
    UNIX evolved over time. Almost no attention was paid to security initially - was it even multi-user initially?!

    I believe that the answer to this is, yes, it was multi-user from the beginning. Remember, UNIX was initially developed in an era when computers were physically large and so expensive that it was a basic assumption that more than one person would use the machine. It was also intended to be a time-sharing system, so was designed with the idea that more than one person would be using it at the same time. Certainly by the time that UNIX came out of the research groups and into more common usage at Bell Labs, there were security features.

    There were security bugs, too. As is the case today, some of those involved the default configurations. At some point, the default when you logged in was that your tty device was writeable by the world. On at least one occasion, this led to a spate of problems where one user, pissed off at something another user had done, would run a command like

    $ cat /bin/* >/dev/tty3 &

    where the offending user was logged in on tty3. Binary, interleaved with the output you expected to get, dumped to your terminal at 300 cps, was annoying. Users learned quickly to build a variety of checks and corrections into their .profile file.

    Geez, knowing that makes me feel OLD.
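    As an added example (not code from the thread or from any of its posters), a POSIX shell audit for the world-writable terminal default described above, together with the kind of check a user's .profile applied to its own tty; it assumes only `ls`, `chmod` and `tty` are present:

```shell
#!/bin/sh
# Added example, not from the thread: find terminal devices any user on the
# box could write to, and revoke that bit on your own terminal.
# Assumes POSIX sh with ls, chmod and tty.

# is_world_writable PATH -> exit 0 if "other" has write permission.
# Reads the mode string from `ls -ld`, so it needs no GNU stat or find.
is_world_writable() {
    [ -e "$1" ] || return 1
    # Field 1 of ls -ld is 10 chars: type + rwxrwxrwx; char 9 is o+w.
    case $(ls -ld "$1") in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# list_world_writable PATH... -> print each argument that is world-writable.
# Non-existent arguments (e.g. an unmatched glob) are skipped silently.
list_world_writable() {
    for _p in "$@"; do
        if is_world_writable "$_p"; then
            printf '%s\n' "$_p"
        fi
    done
}

# audit_ttys -> list terminals that any user could spray output onto, the
# condition behind `cat /bin/* >/dev/tty3 &` in the comment above.
audit_ttys() {
    list_world_writable /dev/tty* /dev/pts/* /dev/console
}

# protect_my_tty -> revoke "other" write on the caller's own terminal; this is
# the .profile fix, and the same effect `mesg n` has.
protect_my_tty() {
    _t=$(tty 2>/dev/null) || return 1   # no controlling terminal: nothing to do
    chmod o-w "$_t"
}

# Typical interactive use:
#   audit_ttys        # report offenders (run as root to see every tty)
#   protect_my_tty    # fix your own terminal, as a .profile line would
```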

  14. Re:At least nobody claimed it was "objective" by mbrinkm · · Score: 2, Interesting
    I'm sorry I mistook this

    "We had warned the Justice Department and the court that removing all of those files would not result in a workable product, but that's what the DOJ demanded," Murray said.
    • http://www.internetwk.com/news/news1230-6.htm
    To mean that IE was tied to the Kernel - I should have said "Tied to the fluff that they wrap together in a tangled mass of buggy code brought to us by the innovative thinkers at Microsoft"
    --
    "Don't worry about people stealing an idea. If it's original, you will have to ram it down their throats." --Howard Aiken
  15. Re:At least nobody claimed it was "objective" by Anonymous Coward · · Score: 1, Interesting

    The same RPC vulnerabilities affected all OSes from Win9* to NT to WinXP. This means that a great deal of the code from WINDOWS 95 is still being used in Windows XP.

    Even more interesting, similar RPC vulnerabilities also affected most commercial UNIX OSes -- Solaris, HPUX, etc. Which indicates that the code-reuse was practically industry wide.

    In fact, the only reason that Linux distros escaped this problem was because they are rather unique in not providing DCE RPC services.