Reflecting on Linux Security in 2003

LogError writes "Here's a look at some interesting happenings with Linux security in 2003 with comments by Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of "Real World Linux Security") and Marcel Gagne (President of Salmar Consulting, Inc. and author of "Linux System Administration - A User's Guide" and "Moving to Linux")."

Nice idea (?)

[Elie+De+Brauwer]

Quote from the article: SecurityFocus columnist Hall Flynn notes that he doesn't understand why Linux vendors that put so much time and money into creating security patches distribute them for free. --> Just imagine the amount of e-mail worms there could be out there if people would have to pay for outlook updates.

Re:Nice idea (?)

[The+One+KEA]

Forcing people to pay for security updates would be so incredibly stupid that it would guarantee the insecurity of even more Internet-connected machines than right now. I think that security updates for ANY OS or application, irregardless of the status of its source code, should be free and available for everyone.

At least nobody claimed it was "objective"

[bmajik]

Oh boy! An article which takes 1 authors clearly subjective feelings, piles on the anecdotes, and pronounces evidentiary conclusions!

From reading this, it would appear that Gagne is pretty much what happens when you give a linux zealot some airtime. I'll comment on just a few things i got a kick out of:

At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What's a reasonable period of time? I'd say 34 to 36 months. At some point, any reasonable users should understand that the best way to ensure continued support is to upgrade to something more recent."

but then we have

The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98 who have no source code to go back to when the next critical flaw is uncovered.

So which is it ? Do we expect people to upgrade after 36 months, or do we take any opportunity to mention that we think Microsoft sucks (of which everyone in the audience is perfectly aware)

"Frankly, it seems incredible that this is even open to debate.

There's that objective analysis shining through. Definitely not the words of someone pushing a beleif as opposed to an argument :)

One need only read the newspapers, listen to the radio, watch television or work in an office where Windows is widely used

Which papers would those be ? The ones that manage to not mention that FSF, Debian, and Gentoo all had their Root file distribution servers OWNED in the same year ?

has nothing to do with Microsoft's market penetration.

riiiiiiiight. Let me tell you what. if windows update gets owned, you will hear about it in the papers, and on the news, etc. And it wont be because of the magnitude of the issue - because it happend to the FSF, Debian, _and_ Gentoo _first_. When something goes wrong with microsoft software, it hits the whole internet. It's a market share issue.

It doesn't hurt that at its very core, Linux is designed with security in mind.

What do the original UNIX authors have to say about designing UNIX from the ground up with security in mind ? A history of linux will show a few things, I think.

• UNIX evolved over time. almost no attention was paid to security initially - was it even multi-user initially?!
• linux wasn't designed with security in mind - it was cloned from a system which had security evolved and grafted onto it (unix). secutiy is about trying to get perfect code out of imperfect people, and moreover, trying to get perfect designs out of imperfect people. NT _Was_ designed from the ground up with security in mind. The security training happening recently at MS had a lot more to do with sloppy coding and thinking about security at every layer of the platform then it did with redesigning NT's security features (which are actually quite advanced)
• remember when anyone could remotely kill a linux box with the right udp packets ? was that security by design ?

No need here for launching a security initiative after years of neglect."

Or, said another way - "not too much new ground to cover making a freeware clone of 25 years of operating system research!"

Despite the fact that I do not run a Microsoft computer in this office,

why am i listening to your opinion of MS software again ?

costs in terms of data loss, damage, and lost productivity in the last three years alone runs into the billions of dollars. This is documented fact

Really ? which documents ? Where are the documents that talk about how much money business MAKE by leveraging software - Microsoft software. If, overall, MS software is hurting business financially, why dont they go back to notebook paper ? Why not use linux ?

This article is pretty much a non-article.

Security

[dexterpexter]

In my experience with both Operating Systems, I have often found that a lot of the insecurity lies with the user. Again, this is just my observations and not hard fact, but I have found that the average Linux user is more aware and technologically savvy than the average Windows user. Linux has traditionally served as a geek playground whereas Windows seeps into the marketplace on new-from-the-store PCs and thus is usually the first operating system most people learn on. My mother, who would "never try an operating system like 'Linus'" is just as oblivious to the necessity of a good firewall on her machine. In fact, before I intervened, she nor any of her friends even had one. Worse, they were under the opinion that you can not retrieve email without Outlook, and that Internet Explorer was the internet. That might sound preposterous to you or I, but I have found this to be true of many casual PC owners. So, beyond security problems inherent in code are problems inherent in the user as well.

Linux is also very community-minded (hence, the "Open Source Community.") We vehemently defend Linux and thus have greater stock in its success. Now, I do not subscribe to the idea of thousands of users pouring over the source code and fixing security holes, but I will assert that the small number of users who actually contribute to the community do a fine job of it, and are extremely dedicated. What Open Source offers is the ability to pour over the code, even if most of us don't take advantage of this. M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it. Linux developers seem to take more pride in their product as, since many of them donate their work, all they really have is that pride to guard. You won't find the Linux community only putting out one large, obscure patch a month and then declaring "AHA! We have less patches than M$." ;) Hmmm... that seems vaguely familiar. :)

If I had to put my money down on which one was more secure, my money would go on Linux.

-dexterpexter

Re:Head, meet Sand

[windows]

It's an unpleasant truth, but Bill Gates was right when he suggested that perfect bug-free, unexploitable code is impossible. There are going to be vulnerabilities, no matter how much of an effort you make to keep them out of code.

Security has to be achieved through firewalling, shutting off unnecessary services, keeping software up to date with the latest security-related patches, and some common sense on the part of the user. In my experience, a lot of Linux users are every bit as ignorant as their Windows counterparts when it comes to security. I know plenty of people who don't know what daemons are running on their computers, who don't keep their software updated, and who don't follow basic common-sense security procedures. Unfortunately, there's the perception among a lot of people that just running Linux makes them secure. They feel they don't need to bother with things such as firewalls, because they're invincible. Even among their Windows counterparts, firewalls are considered a necessary tool for security.

There's a basic competence needed to run Linux. Unfortunately, beyond that, many users are clueless when it comes to security.

Linux doesn't lend itself to many of the problems Windows does. But that's only part of being secure.

Linux distributions shouldn't come with lots and lots of services enabled by default. We complain at Microsoft because a lot of users have IIS running on their machines and just aren't aware of it. Many Linux distributions are just as guilty as Microsoft here.

If we want to make Linux more secure, we need to fix the two biggest vulnerabilities - the default settings of many Linux distributions and the user.

Re:Security

[bmajik]

M$ developers are usually money-driven and thus focus more on how fast they can get a product on the shelves than how rock-solid they can make it

do you have any substantiation of this ?

You may have heard something about software engineering, but if not, i'll tell you. The later you discover a bug, the more expensive it is.

Lets take some examples.

• Developer writes code with bug. Next day, tester finds bug and tells developers. Cost to fix ? - low, because code is fresh in developers mind, and the impact is roughly 1 tester and 1 developer.
• Developer writes code with bug. Bug isn't found because tests dont cover it yet. Developers code lives on for weeks. Other code is written which uses that code. Dependant behaviors make their way into other parts of system. Finally, test is written and run which finds bug. Now we've got a problem. Developer has to figure out where the hell the bug is. Then developer has to figure out what the cause is. Then developer has to consider the impact to any code which has been written since the bug was introduced. Developer has to come up with a fix that fixes the original bug but doesn't introduce a new bug.
• developer writes a bug. This but isn't caught until Beta 1. Bug prevents product from installing on 1/8th of real-world customer machines. 1/8th of most important customers have worst possible product experience - they cant install product. All existing CD's with this build need to be destroyed (they're garbage). developer needs to drop everything they're doing (the're working on beta 2 by now), crack open the beta 1 code (it was forked off for stabilization and may already have been removed from beta 2 tree), and propose a fix. developer thinks about everything that might possibly depend on code with bug. developer has to come up with a fix that unbreaks 1/8th of users, but doesn't break any other users.
• bug makes it into shipping product. userbase is now entire planet. bug prevents product from installing on 1/8th of computers. sales expectations are missed by at least 12.5%. Customer satisfaction is down by at least 12.5%. Developer stops working on version n+1, cracks open the code for the shipped product, and begins investigating a fix for SP1. Customers with support contracts are going insane because their business is down. single-customer fixes (QFEs) must be prepared on 24hr schedule to unblock customers. these patches are customer specific and are separate from what gets rolled into SP (the minimum amount of code change to unblock a customer is what we're talking about - not generally suitable for wide deployment). The developer may need to do one QFE for each major customer (they may have slightly different failure modes ?)

I think you get the idea. If a bug makes it out into the public, it will cost microsoft at least $100,000, at a minimum.

So, do you think bugs make it into the code because the emphasis is on cranking out software quickly, without caring about the quality ?

Re:Security

[dexterpexter]

I absolutely agree with every point in your bulleted list. But the short answer is yes, I do believe that bugs make it into code because of emphasis on cranking out software quickly. It would seem illogical to do so, true, but the sad truth is that it happens and I have watched in horror as it has happned at the place at which I work. When the CEO comes in screaming "ship it! ship it!" and you are given very little alternative, that is exactly what happens. And yes, it does cost more money to repair the bugs later than sooner, but management knows no logic, and developers many times get no say in when their project ships.

Jack Ganssle gave a very nice keynote speech at the recent Boston Embedded Systems Conference that touched on those very same problems. We all know better, but it still happens. And no, not just at M$. However, when you can crank out a new OS every couple of years and the sheep still buy it despite knowing that the OS is unstable, then why not?

Some of the security holes that we have seen come from M$ products (and other products as well!) show the lack of real testing... problems that never should have been seen by the end user.

Implications of this concept:

[Crypto+Gnome]

Terry Pratchett (in his many and various Discworld novels) overed this quite clearly.

The Patrician privatised everything.
I mean everything
All the usual goings on in a big city (eg crime) were arranged much like insurance is today (in our world).

Unfortunately (you knew I was going to say that).... The Fire Department got into the insurance business (have to raise money somehow) - specifically FIRE insurance.

This ended up with them having such pleasant conversations (amongst themselves) while walking down the main business streets.

My My. Such lovely Old Buildings. Wonderful WoodWork. Would be such a shame if one of them should catch fire. Would prolly burn most of the city down. Oh Dear! What a disgrace that would be.

Basically, in our world, most people recognise that such a situation (ie charging to fix something that you should not have broken in the first place) would very rapidly lead to (essentially) rampant wholesale uncontrolled extortion.

If a company were to charge you for security and other bug fixes, they would then have a strong financial incentive to produce shoddy bug ridden software and frequent updates.

Product quality would decrease, and administration overhead would increase.

It's the same issue with charging for software subscriptions. What is their incentive to produce another updated version with new features? After all they've already got your money.

A Software Subscription (with ALL updates FREE for 5 YEARS !!!!) does nothing more than make software updates come out once every 5 years.