Posted on 01/10/2004 12:20:46 PM PST by Bush2000
Flaws raise red flag on Linux security
But many users remain confident about the security of the open-source environment
Story by Jaikumar Vijayan
JANUARY 09, 2004 ( COMPUTERWORLD ) - A report earlier this week about a critical flaw in the Linux kernel was the latest in a series of recently discovered security problems with the popular open-source operating system. But many users were unfazed by the report and said Linux remains a solid and secure environment for running enterprise applications.
Poland-based iSec Security Research on Monday said it had found a critical flaw in a function used to manage virtual memory on Linux systems (see story). The flaw affects the 2.2, 2.4 and 2.6 versions of the Linux kernel, according to iSec.
The vulnerability could allow attackers to take administrative control of compromised systems and run attack code of their choice, an iSec advisory stated. ISec claimed that it had developed and successfully tested code that was capable of exploiting the flaw, although it added that actually launching such an attack wouldn't be easy.
The news follows the discovery of a similar flaw in the Linux 2.4 kernel last fall. In November, unknown attackers used that flaw to take down several servers belonging to the Debian Project, which produces a noncommercial Linux distribution. And last month, an attack on the Gentoo Linux Project compromised a server that was being used to download copies of Gentoo's Linux source code by users.
The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers, said David Wreski, CEO of Linux security vendor Guardian Digital Inc. in Allendale, N.J.
"The underground hacker community is very interested in Linux as a potential target," he said. "Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them."
Even so, Linux remains a secure environment, said John Cahill, senior network security engineer at Piedmont Natural Gas in Charlotte, N.C.
"I would say it is more secure than Microsoft and other environments because the code is looked over by so many people and it's so widely available that any vulnerabilities can be quickly identified and patched," Cahill said. Piedmont uses Linux for several e-mail-related functions and is considering its use for antispam purposes.
"There's not very much we've needed to do to secure Linux [applications]," said Joe Poole, manager for technical support at Boscov's Department Stores LLC in Reading, Pa. The company runs several virtual Linux servers on its mainframes that are protected by network and internal firewalls. All nonessential services, such as file transfers and Telnet, have been disabled. But there has been no need for the kind of constant patching and maintenance required for Windows, Poole said.
Linux distributors in general are also doing a better job of shipping products that have nonessential services disabled by default, said Paul Schmel, adjunct information security officer at the University of Texas at Dallas.
"The biggest plus that Linux has is that it's designed to allow users to be users and not administrators," Schmel said. "What Linux has that Windows doesn't have is ease of configuration from an administrator's standpoint. Stopping and starting services, configuring services to only respond on certain ports and interfaces is dramatically easier than it is with Windows."
I think what he's getting at is that this is an exploit requiring physical presence, as opposed to the plethora of remote Windows exploits. This and the exploit requiring root running, which almost no machine does for any length of time if at all (a real almost no one, not your 2+ million almost no one), are the only two anyone mentions against OS X. Given the remote likelihood of either of these exploits being successful, as opposed to all of the easily exploited remote Windows flaws, it's not a good thing for a Windows zealot to compare his security against OS X.
Which means likely over two million more unsecure-by-design computers on the net each year. That's currently about 20% of the installed Mac OS X base. It makes for a lot of potential DDOS drones, and they're configured the same way as the millions of OEM machines which follow Microsoft's lead.
If you're installing your own box, you need some fundamental skills
Those with the skills are likely <1%. We're talking millions of average home users here. You can't expect Joe Blow to become a computer expert just to be able to start using his computer. He wants to turn it on and do what he wants to, while being relatively secure. This is what OS X does and Windows doesn't.
But, on its face, that doesn't mean that the fundamental design of Windows is deficient. On that point, you're dead wrong.
Microsoft designed Windows, Microsoft therefore designed the accounts and privilege setups, therefore, it is part of the design of Windows. It is a design problem that can be mitigated by those who know what they are doing, sort of like the Mac LDAP exploit (however, that can be completely stopped by unchecking one box).
I'm trying to visualize some redneck Klan leader declaring "I'd still stand Debian, Mandrake, or RedHat against Microsoft." I really am. But I just keep dissolving into giggles....
SO WHAT??!!
Windows Babe, that's the equivalent of saying that sometimes the wheels fall off of General Motors' cars but, gee, it only affects less than 2% of all car buyers. Nothing to worry about.
That kind of failure rate in many products would put any other company OUT OF BUSINESS!
On another thread you got all hot and bothered because a security expoit on Macintosh OSX MIGHT have effected fewer than 20 users... and here you blythely dismiss 1.5 MILLION users who are at risk.
BUSH, this IS Microsoft's fault. THEY designed it. THEY package it. THEY support it. THEY sell it. THEY provide the default installation packages for OEMs. THEY can fix it. (Maybe.)
Mure BUSH-SH*T, Bush.
First of all, the hostile LDAP server has to be ALREADY present on the network when I connect my computer. It then has to connect to the hostile LDAP server in place of the intended LDAP server. The hostile computer installs a new user on the target computer. The exploit can only be utilized on the NEXT time the same computer logs onto that network...
This is a very unlikely series of events to occur... and in fact, no one has reported that it HAS.
You might get a kick out of Bush's shuckin' and Jivin' as he dodges and dances his way around the subject, eternally moving the goalposts, defining the discussion only to his viewpoints, and spewing logical inconsistencies everywhere.
The following is my response to Bush2000's attempt to blame the USERS and the Computer manufacturers for Microsoft's shortcomings in security.
Bush2000 bloviated:
If you're installing your own box, you need some fundamental skills -- just as you need some fundamental skils to perform brain surgery or litigate a case in court -- and if you're ignorant of critical aspects of security, it's your own fault. Don't blame the hammer because you let somebody else hit you in the head with it.
Swordmaker's response:
I think a metaphor of a deadbolt lock might have been a better choice in this instance, Bush, but I will explain this using your metaphorical hammer. I shall call it the parable of the hammer.
People are complaining that, MicroBop, the maker of our metaphorical hammer have produced a hammer that has a loose head... which slips off and hits them in the noggin when they attempt to use it.
This is called A PRODUCT DEFECT which may arise from a manufacturing error at the MicroBop factory or it may arise from a design flaw created by MicroBop's hammer engineers. Both of these can result in a situation called PRODUCT LIABILITY... and the courts will lay the blame at the door of the manufacturer... which means, Bush, that it is MicroBop's fault.
Some manufacturing errors are quality control issues or merely statistical aberrations. These can be addressed at the MicroBop factory by better management. However, each and every hammer made by MicroBop has the same issue: the head flies off when someone tries to hit a nail with it. It is unlikely to be a manufacturing error.
On investigation, it was discovered that MicroBop DESIGNED the head-handle interface with a large gap. That is called A PRODUCT DESIGN FLAW. To fix this problem requires a REDESIGN to correct the problem.
Unfortunately, the MicroBop didn't want to spend the money to do this properly. So they decided to "update" the hammers to "patch" the problem. They provided a "Hammer Peen Safety Patch" which was a small wedge intended to be hammered into the gap between the front of the hammer head and the handle. Hammer heads were STILL flying off and injuring their owners, so they released a "Hammer Claw Safety Patch" intended to be driven into the gap at the back of the head toward the claw. This was still inadequate, and the "Hammer Left Cheek Safety Patch" and the "Hammer Right Cheek Safety Patch" were quickly released.
When these too failed to correct the inherent DESIGN FLAW, MicroBop sent out instructions to users to take their hammers to Certified MicroBop "experts" to alter the hammer privileges of the users. Under this program, users will only be allowed to use the hammers to tap in thumbtacks.
Sophisticated, trained, expert, professional hammer users knew about the necessity of filling MicroBop's hammer head-handle gap with super-strength epoxy before it was possible to use the hammer safely. But these hammers were also intended for consumer level users... users who merely wanted to fix the fence, hang a picture, maybe build garden shed. These users didn't even know the terms "peen" and "cheek" and "claw" or that they defined parts of a hammer.
Once, MicroBop hammers were sold with instruction manuals and operation directions. No longer, it wasn't economical... and nobody read the f**kin' manuals anyway.
MicroBop's technical support department has been outsourced to Bangladesh, and the "technicians" you got on the phone were limited to "Place nail on wood, hit with hammer!" and "Hook Nail in nitch in Craw, and lever back-wards." They didn't know about the epoxy fix... and if it is used, you violate your MicroBop warranty!
No matter what they tried, the MicroBop hammer was still defective. It needed a complete REDESIGN to solve the problem.
No matter how much you sputter and spin, you cannot transfer the responsibility for the DEFECTIVELY DESIGNED AND PRODUCED hammer from MicroBop to the user.
On the other hand, some of us prefer to use QUALITY hammers... such as the MacinSmash, or the publicly designed and manufactured LiNOX.
Swordmaker, you hit the nail on the head with that one (pun intended).
You must have been using one of those MacinSmash or LiNOX hammers. It's a sure bet it wasn't a MicroBop.
People like Bush2000 like to blame the user for Microsloth's many shortcomings, claiming that people need a certain level of expertise to install/maintain Microsloth products. As a former hardware/software engineer, former IT director, former IT security director and IT security consultant, who has had to work with every conceivable OS, I must admit that he may be right.
While a well intentioned 6-year old could install and maintain a Mac and a well intentioned 10-year old could install and maintain most commercial LINUX variants, it takes a MCSE/MCSA with at least 5 years post certification experience to install and maintain a Microsloth OS at the same level of proficiency.
But, don't get me wrong. I don't want Microsloth to fix their myriad problems. If they did, I and thousands of consultants would be out of work, since all the other OSes in the world don't have enough bugs to keep even 10% of us consultants busy. On the other hand, I just can't bring myself to lie to clients. When they are frustrated at all the problems that they have and ask me what kind of computer I use, I have to admit that I use Macs, with a LINUX server. I have "effectively" lost two customers that way in the last year. Although several of my clients know that I use Macs and LINUX, those two actually converted their whole office to Macs (both already had UNIX servers). I still call or stop in to see both of them, regularly. But, outside of monitoring their UNIX log files, for signs of hacker activity, there is little else to do. Now that they no longer have to deal with the vagaries of Microsloth, even their receptionist can maintain her own desktop system and I have less work. Fortunately, I have other sources of income and don't miss it.
None of the massive worldwide worms that affected ONLY microsoft products were microsoft's fault. Just because the OS is so broken, that browsing the web is a dangerous excercise is no reason not to use windows, or at least that is the claim.
It is the user's fault for clicking on a link in google that takes him to a malicious site. It's the user's fault if his computer has been reconfigured as a spambot because the operating system is so sievelike in it's security.
The fact that microsoft, a multibillion dollar company was hit hard by 'code-red' and 'nimda' is beside the point. One can hardly expect microsoft to be able to keep up with patching its own systems. Noone else seems to be able to either.
It's the OEM's fault that the OS is vulnerable to viruses, worms, and other assorted threats because they didn't lock down the computer and make it unusable to the intended purchaser. After all, microsoft doesn't have to field the support calls for their broken crappy operating system. That's the OEM's job, who, given todays competetive market, probably made less off the PC than microsoft did.
It's not microsoft's fault that windows crashes. IT's always those crappy third-party drivers. Microsoft only produces the highest quality programs, which is easily shown by the fact that they only have to release patches 2 or 3 times a month on their core products.
Get with the program Swordmaker. It's never microsoft's fault. Some how or another, no matter what the problem is, it always comes down to those evil communist open source supporters and programmers.
That also doesn't take into account the annual (or most often) re-installs that windows requires to not slowly grind itself to a halt.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.