Free Republic
News/Activism

Flaws raise red flag on Linux security
ComputerWorld | JANUARY 09, 2004 | Jaikumar Vijayan

Posted on 01/10/2004 12:20:46 PM PST by Bush2000

But many users remain confident about the security of the open-source environment

JANUARY 09, 2004 ( COMPUTERWORLD ) - A report earlier this week about a critical flaw in the Linux kernel was the latest in a series of recently discovered security problems with the popular open-source operating system. But many users were unfazed by the report and said Linux remains a solid and secure environment for running enterprise applications.

Poland-based iSec Security Research on Monday said it had found a critical flaw in a function used to manage virtual memory on Linux systems. The flaw affects the 2.2, 2.4 and 2.6 versions of the Linux kernel, according to iSec.

The vulnerability could allow attackers who already have access to a system to take administrative control of it and run code of their choice, an iSec advisory stated. iSec said it had developed and successfully tested code capable of exploiting the flaw, although it added that actually launching such an attack wouldn't be easy.

The news follows the discovery of a similar flaw in the Linux 2.4 kernel last fall. In November, unknown attackers used that flaw to take down several servers belonging to the Debian Project, which produces a noncommercial Linux distribution. And last month, an attack on the Gentoo Linux Project compromised a server from which users downloaded copies of Gentoo's Linux source code.

The rise in such incidents can be attributed to Linux's growing popularity, which makes it a more attractive target for malicious attackers, said David Wreski, CEO of Linux security vendor Guardian Digital Inc. in Allendale, N.J.

"The underground hacker community is very interested in Linux as a potential target," he said. "Because of the accessibility of the source code to everyone, it provides an equal opportunity for malicious attackers to find vulnerabilities and ways to exploit them."

Even so, Linux remains a secure environment, said John Cahill, senior network security engineer at Piedmont Natural Gas in Charlotte, N.C.

"I would say it is more secure than Microsoft and other environments because the code is looked over by so many people and it's so widely available that any vulnerabilities can be quickly identified and patched," Cahill said. Piedmont uses Linux for several e-mail-related functions and is considering its use for antispam purposes.

"There's not very much we've needed to do to secure Linux [applications]," said Joe Poole, manager for technical support at Boscov's Department Stores LLC in Reading, Pa. The company runs several virtual Linux servers on its mainframes that are protected by network and internal firewalls. All nonessential services, such as file transfers and Telnet, have been disabled. But there has been no need for the kind of constant patching and maintenance required for Windows, Poole said.

Linux distributors in general are also doing a better job of shipping products that have nonessential services disabled by default, said Paul Schmel, adjunct information security officer at the University of Texas at Dallas.

"The biggest plus that Linux has is that it's designed to allow users to be users and not administrators," Schmel said. "What Linux has that Windows doesn't have is ease of configuration from an administrator's standpoint. Stopping and starting services, configuring services to only respond on certain ports and interfaces is dramatically easier than it is with Windows."
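The hardening Poole and Schmel describe (nonessential services such as file transfers and Telnet switched off, the survivors answering only on chosen ports and interfaces) is the kind of thing an administrator scripts once and reapplies after every install. What follows is an added example written for this page, not code from ComputerWorld or from anyone quoted in the article. It targets xinetd, the superserver most distributions of the period used to launch telnet and ftp, and uses xinetd's real "disable" and "bind" keywords; the service files it writes and the address 192.0.2.10 are constructed sample data, and nothing touches /etc/xinetd.d unless you point the functions there yourself.

```shell
#!/bin/sh
# Added example for this page, not code from ComputerWorld or from anyone
# quoted in the article.  It scripts the two steps the article's admins
# describe: disable nonessential inetd-style services (telnet, ftp, ...) and
# make the survivors answer on one interface only.  Targets xinetd, whose
# real "disable" and "bind" keywords are used; the service files written by
# make_sample_xinetd and the address 192.0.2.10 are constructed sample data.

# Write a constructed xinetd.d-style directory into "$1" (never /etc/xinetd.d).
make_sample_xinetd() {
    dir=$1
    mkdir -p "$dir"
    for svc in telnet ftp imap; do
        printf 'service %s\n{\n\tdisable\t= no\n\tsocket_type\t= stream\n\twait\t= no\n\tuser\t= root\n\tserver\t= /usr/sbin/in.%sd\n}\n' \
            "$svc" "$svc" > "$dir/$svc"
    done
    # rsh shipped already disabled: the audit below must not flag it.
    printf 'service shell\n{\n\tdisable\t= yes\n\tsocket_type\t= stream\n\twait\t= no\n\tuser\t= root\n\tserver\t= /usr/sbin/in.rshd\n}\n' \
        > "$dir/rsh"
}

# Audit: print the name of every service file in "$1" that lacks "disable = yes".
enabled_services() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$f" \
            || basename "$f"
    done
}

# Harden: disable every service in "$1" whose name is not in the space-separated
# allow list "$2", and bind each allowed service to address "$3".  Any existing
# disable/bind/interface line is dropped first so the result is unambiguous
# whatever the distribution shipped.  awk is used instead of "sed -i", which
# is GNU-only.
harden_xinetd() {
    dir=$1
    keep=" $2 "
    addr=$3
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$keep" in
        *" $name "*)
            prog='/^[[:space:]]*(bind|interface)[[:space:]]*=/ { next }
                  /^[[:space:]]*[{]/ { print; printf "\tbind\t= %s\n", addr; next }
                  { print }' ;;
        *)
            prog='/^[[:space:]]*disable[[:space:]]*=/ { next }
                  /^[[:space:]]*[{]/ { print; print "\tdisable\t= yes"; next }
                  { print }' ;;
        esac
        awk -v addr="$addr" "$prog" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Demo on a throwaway directory:  sh harden_xinetd.sh --demo
demo() {
    d=$(mktemp -d)
    make_sample_xinetd "$d"
    echo "enabled before: $(enabled_services "$d" | tr '\n' ' ')"
    harden_xinetd "$d" "imap" "192.0.2.10"
    echo "enabled after:  $(enabled_services "$d" | tr '\n' ' ')"
    cat "$d/imap"
    rm -rf "$d"
}
case "${1:-}" in --demo) demo ;; esac
```

Run it with `--demo` to see the before/after on the constructed directory. Against a real box you would point `enabled_services` and `harden_xinetd` at /etc/xinetd.d, restart xinetd, and confirm with `netstat -tln` that only the intended sockets remain; daemons started from init scripts rather than xinetd (sshd, sendmail) are not covered by this and carry their own listen-address settings.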


TOPICS: Business/Economy; Culture/Society; Front Page News; Technical
KEYWORDS: computersecurity; linux; lowqualitycrap
To: Bush2000
If I plug my notebook (running a hostile LDAP server) into your network, you're toast if you use Mac OSX out of the box. I can not only own your box but I can destroy it.

I think what he's getting at is that this is an exploit requiring physical presence, as opposed to the plethora of remote Windows exploits. This and the exploit requiring root running, which almost no machine does for any length of time if at all (a real almost no one, not your 2+ million almost no one), are the only two anyone mentions against OS X. Given the remote likelihood of either of these exploits being successful, as opposed to all of the easily exploited remote Windows flaws, it's not a good thing for a Windows zealot to compare his security against OS X.

141 posted on 01/12/2004 9:13:13 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 137 | View Replies]

To: Bush2000
Uh, dude. Use your brain for something other than a hat rack. I just showed you definitive proof that retail sales account for less than 2% of Windows sales.

Which means likely over two million more unsecure-by-design computers on the net each year. That's currently about 20% of the installed Mac OS X base. It makes for a lot of potential DDOS drones, and they're configured the same way as the millions of OEM machines which follow Microsoft's lead.

If you're installing your own box, you need some fundamental skills

Those with the skills are likely <1%. We're talking millions of average home users here. You can't expect Joe Blow to become a computer expert just to be able to start using his computer. He wants to turn it on and do what he wants to, while being relatively secure. This is what OS X does and Windows doesn't.

But, on its face, that doesn't mean that the fundamental design of Windows is deficient. On that point, you're dead wrong.

Microsoft designed Windows, Microsoft therefore designed the accounts and privilege setups, therefore, it is part of the design of Windows. It is a design problem that can be mitigated by those who know what they are doing, sort of like the Mac LDAP exploit (however, that can be completely stopped by unchecking one box).

142 posted on 01/12/2004 9:22:30 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 140 | View Replies]

To: Bush2000
BTW, if you think I'm a rabid anti-Windows zealot, I am the one who posted this positive Microsoft thread. I give Microsoft credit where credit is due, but nowhere else.
143 posted on 01/12/2004 11:27:12 AM PST by antiRepublicrat
[ Post Reply | Private Reply | To 140 | View Replies]

To: Bush2000
LOL. If I plug in a laptop running Windows Server with AD running as a domain controller, I can shred your whole domain to the point where it has to be rebuilt. What's your point?
144 posted on 01/12/2004 12:37:08 PM PST by N3WBI3
[ Post Reply | Private Reply | To 137 | View Replies]

To: Bush2000
You're so cute when you try to peddle basic fallacies (e.g. comparing an entire package of OS and utility software on the Linux side with the OS only on the Windows side).
145 posted on 01/12/2004 1:56:35 PM PST by steve-b
[ Post Reply | Private Reply | To 8 | View Replies]

To: Sockdologer
"I'd still stand Debian, Mandrake, or RedHat against microsoft." Of course you would. That's the nature of bigotry.
The nature of bigotry is to stand Debian, Mandrake or Redhat against Microsoft?

I'm trying to visualize some redneck Klan leader declaring "I'd still stand Debian, Mandrake, or RedHat against Microsoft." I really am. But I just keep dissolving into giggles....

146 posted on 01/12/2004 2:00:55 PM PST by steve-b
[ Post Reply | Private Reply | To 126 | View Replies]

To: Bush2000
So what. That's fewer than 2% of all users who purchased Windows.

SO WHAT??!!

Windows Babe, that's the equivalent of saying that sometimes the wheels fall off of General Motors' cars but, gee, it only affects less than 2% of all car buyers. Nothing to worry about.

That kind of failure rate in many products would put any other company OUT OF BUSINESS!

On another thread you got all hot and bothered because a security exploit on Macintosh OSX MIGHT have affected fewer than 20 users... and here you blithely dismiss 1.5 MILLION users who are at risk.

BUSH, this IS Microsoft's fault. THEY designed it. THEY package it. THEY support it. THEY sell it. THEY provide the default installation packages for OEMs. THEY can fix it. (Maybe.)

147 posted on 01/12/2004 5:53:19 PM PST by Swordmaker
[ Post Reply | Private Reply | To 136 | View Replies]

To: Bush2000
If I plug my notebook (running a hostile LDAP server) into your network, you're toast if you use Mac OSX out of the box. I can not only own your box but I can destroy it.

More BUSH-SH*T, Bush.

First of all, the hostile LDAP server has to be ALREADY present on the network when I connect my computer. It then has to connect to the hostile LDAP server in place of the intended LDAP server. The hostile computer installs a new user on the target computer. The exploit can only be utilized on the NEXT time the same computer logs onto that network...

This is a very unlikely series of events to occur... and in fact, no one has reported that it HAS.

148 posted on 01/12/2004 5:59:22 PM PST by Swordmaker
[ Post Reply | Private Reply | To 137 | View Replies]

To: Bush2000; antiRepublicrat; LasVegasMac; Action-America; eno_; N3WBI3; zeugma; TechJunkYard; ...
Bush2000 is waxing hyperbolic on the benefits of Windows over all Linux, Unix and Mac OSX systems again! Now he claims that NONE of the SECURITY ISSUES in Windows is Microsoft's fault. Check out the thread.

You might get a kick out of Bush's shuckin' and Jivin' as he dodges and dances his way around the subject, eternally moving the goalposts, defining the discussion only to his viewpoints, and spewing logical inconsistencies everywhere.

The following is my response to Bush2000's attempt to blame the USERS and the Computer manufacturers for Microsoft's shortcomings in security.

Bush2000 bloviated:

If you're installing your own box, you need some fundamental skills -- just as you need some fundamental skills to perform brain surgery or litigate a case in court -- and if you're ignorant of critical aspects of security, it's your own fault. Don't blame the hammer because you let somebody else hit you in the head with it.

Swordmaker's response:

I think a metaphor of a deadbolt lock might have been a better choice in this instance, Bush, but I will explain this using your metaphorical hammer. I shall call it the parable of the hammer.

People are complaining that MicroBop, the maker of our metaphorical hammer, has produced a hammer that has a loose head... which slips off and hits them in the noggin when they attempt to use it.

This is called A PRODUCT DEFECT which may arise from a manufacturing error at the MicroBop factory or it may arise from a design flaw created by MicroBop's hammer engineers. Both of these can result in a situation called PRODUCT LIABILITY... and the courts will lay the blame at the door of the manufacturer... which means, Bush, that it is MicroBop's fault.

Some manufacturing errors are quality control issues or merely statistical aberrations. These can be addressed at the MicroBop factory by better management. However, each and every hammer made by MicroBop has the same issue: the head flies off when someone tries to hit a nail with it. It is unlikely to be a manufacturing error.

On investigation, it was discovered that MicroBop DESIGNED the head-handle interface with a large gap. That is called A PRODUCT DESIGN FLAW. To fix this problem requires a REDESIGN to correct the problem.

Unfortunately, MicroBop didn't want to spend the money to do this properly. So they decided to "update" the hammers to "patch" the problem. They provided a "Hammer Peen Safety Patch" which was a small wedge intended to be hammered into the gap between the front of the hammer head and the handle. Hammer heads were STILL flying off and injuring their owners, so they released a "Hammer Claw Safety Patch" intended to be driven into the gap at the back of the head toward the claw. This was still inadequate, and the "Hammer Left Cheek Safety Patch" and the "Hammer Right Cheek Safety Patch" were quickly released.

When these too failed to correct the inherent DESIGN FLAW, MicroBop sent out instructions to users to take their hammers to Certified MicroBop "experts" to alter the hammer privileges of the users. Under this program, users will only be allowed to use the hammers to tap in thumbtacks.

Sophisticated, trained, expert, professional hammer users knew about the necessity of filling MicroBop's hammer head-handle gap with super-strength epoxy before it was possible to use the hammer safely. But these hammers were also intended for consumer level users... users who merely wanted to fix the fence, hang a picture, maybe build a garden shed. These users didn't even know the terms "peen" and "cheek" and "claw" or that they defined parts of a hammer.

Once, MicroBop hammers were sold with instruction manuals and operation directions. No longer; it wasn't economical... and nobody read the f**kin' manuals anyway.

MicroBop's technical support department has been outsourced to Bangladesh, and the "technicians" you got on the phone were limited to "Place nail on wood, hit with hammer!" and "Hook Nail in nitch in Craw, and lever back-wards." They didn't know about the epoxy fix... and if it is used, you violate your MicroBop warranty!

No matter what they tried, the MicroBop hammer was still defective. It needed a complete REDESIGN to solve the problem.

No matter how much you sputter and spin, you cannot transfer the responsibility for the DEFECTIVELY DESIGNED AND PRODUCED hammer from MicroBop to the user.

On the other hand, some of us prefer to use QUALITY hammers... such as the MacinSmash, or the publicly designed and manufactured LiNOX.

149 posted on 01/12/2004 8:21:28 PM PST by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
[ Post Reply | Private Reply | To 140 | View Replies]

To: Swordmaker
Sir, your bardic talents are legend.
150 posted on 01/12/2004 8:32:28 PM PST by Woahhs
[ Post Reply | Private Reply | To 149 | View Replies]

To: Swordmaker
ROTFLMAPO!

Swordmaker, you hit the nail on the head with that one (pun intended).

You must have been using one of those MacinSmash or LiNOX hammers. It's a sure bet it wasn't a MicroBop.

People like Bush2000 like to blame the user for Microsloth's many shortcomings, claiming that people need a certain level of expertise to install/maintain Microsloth products. As a former hardware/software engineer, former IT director, former IT security director and IT security consultant, who has had to work with every conceivable OS, I must admit that he may be right.

While a well intentioned 6-year old could install and maintain a Mac and a well intentioned 10-year old could install and maintain most commercial LINUX variants, it takes a MCSE/MCSA with at least 5 years post certification experience to install and maintain a Microsloth OS at the same level of proficiency.

But, don't get me wrong. I don't want Microsloth to fix their myriad problems. If they did, I and thousands of consultants would be out of work, since all the other OSes in the world don't have enough bugs to keep even 10% of us consultants busy. On the other hand, I just can't bring myself to lie to clients. When they are frustrated at all the problems that they have and ask me what kind of computer I use, I have to admit that I use Macs, with a LINUX server. I have "effectively" lost two customers that way in the last year. Although several of my clients know that I use Macs and LINUX, those two actually converted their whole office to Macs (both already had UNIX servers). I still call or stop in to see both of them, regularly. But, outside of monitoring their UNIX log files, for signs of hacker activity, there is little else to do. Now that they no longer have to deal with the vagaries of Microsloth, even their receptionist can maintain her own desktop system and I have less work. Fortunately, I have other sources of income and don't miss it.


151 posted on 01/12/2004 9:13:47 PM PST by Action-America (Best President: Reagan * Worst President: Klinton * Worst GOP President: Dubya)
[ Post Reply | Private Reply | To 149 | View Replies]

To: Swordmaker
Not sure exactly why I was pinged on this post. Anyway, looks like you have an OS you like. Good for you.

152 posted on 01/12/2004 10:12:18 PM PST by mikegi
[ Post Reply | Private Reply | To 149 | View Replies]

To: steve-b
You're so cute ...

Sorry, stevie. I'm straight.
153 posted on 01/13/2004 1:11:38 AM PST by Bush2000
[ Post Reply | Private Reply | To 145 | View Replies]

To: Swordmaker
On another thread you got all hot and bothered because a security exploit on Macintosh OSX MIGHT have affected fewer than 20 users... and here you blithely dismiss 1.5 MILLION users who are at risk. BUSH, this IS Microsoft's fault. THEY designed it. THEY package it. THEY support it. THEY sell it. THEY provide the default installation packages for OEMs. THEY can fix it. (Maybe.)

Nope, it's an OEM issue.
154 posted on 01/13/2004 1:13:20 AM PST by Bush2000
[ Post Reply | Private Reply | To 147 | View Replies]

To: Swordmaker
People are complaining that, MicroBop, the maker of our metaphorical hammer have produced a hammer that has a loose head... which slips off and hits them in the noggin when they attempt to use it.

Completely bogus analogy.
155 posted on 01/13/2004 1:16:20 AM PST by Bush2000
[ Post Reply | Private Reply | To 149 | View Replies]

To: Swordmaker
More BUSH-SH*T, Bush. First of all, the hostile LDAP server has to be ALREADY present on the network when I connect my computer.

The attacker already has access to your network. He plugs in his notebook, walks down the hall, and cold boots your box. You're toast.

It then has to connect to the hostile LDAP server in place of the intended LDAP server. The hostile computer installs a new user on the target computer. The exploit can only be utilized on the NEXT time the same computer logs onto that network...

See above: Wash, rinse, repeat.

This is a very unlikely series of events to occur... and in fact, no one has reported that it HAS.

Hardly. Internal attackers are more likely than externals. And, if somebody breaches your security, (a) they're not going to announce it to you, and (b) the organization isn't going to publicize that their security sucks. According to FBI statistics, less than a third of all companies who have been attacked bother to report to authorities. The reason is obvious: Nobody will trust them with their data. So get over it and stop denying reality.
156 posted on 01/13/2004 1:22:34 AM PST by Bush2000
[ Post Reply | Private Reply | To 148 | View Replies]

To: Bush2000
Come into the real world, Bush.
157 posted on 01/13/2004 2:22:38 AM PST by Swordmaker (This tagline shut down for renovations and repairs. Re-open June of 2001.)
[ Post Reply | Private Reply | To 156 | View Replies]

To: Swordmaker
Sword...

Would you want to live the Clintonian lie of having to defend Microsoft?

Imagine what it must be like to get up everyday and know that today might be the Big One, the mother of all Redmond fookoops, the one that costs you your job because you didn't read Security Notice #564654

Imagine spending all that time and money to learn, defend and support what to any casual observer are obviously inferior products.

Imagine defending that product to people who just laugh at you. Or worse, to the people who use it and hate your guts because you don't have the cojones to stand up and demand better. Imagine fearing the day when you report to people who actually DO know better, and aren't scared little mice who take your word for it. (That may be giving Bush2000 too much credit)

Imagine the cognitive dissonance involved in creating your deceptions, not once, but twice. First, so that you can believe them and not succumb to mania, but then constructing arguments (or, more likely attacks) to shut down people who question you

Imagine constructing in your mind the fallacious scaffolding that you won't be found out. Imagine the walls you must construct to allow you to believe that you're not going to be left behind... by linux... or, God help us, Apple

Imagine the envy you would have for people who actually know, accept, and use quality products

It would eventually make you envious and angry, and cause you to lash out unreasonably and to say things that, on their face, are absurd. Like we see so often here.

It's what I call the $8 movie defense, used by so many to defend Clinton. You pay $8 for a movie that absolutely SUCKED, but you're too embarrassed to tell anyone, so you trumble up some nugget of good in it to save face. For Clinton, it was the 'believers', assembled on the White House lawn, who had to stand with him because to do otherwise was to admit they'd been lying to themselves- and us- the whole time

Bush2000 has the dilemma. He (she? it?) can't back out now... the hole is too deep. Whenever I've pointed this out on a thread, Bush2000 has fled or ignored it.

I mean... really. Bush2000 gets his (her?) undies in a bundle over software? And, Microsoft's, at that?
158 posted on 01/13/2004 5:15:16 AM PST by IncPen ( Liberalism: Working for you until all your money is spent.)
[ Post Reply | Private Reply | To 149 | View Replies]

To: Swordmaker
Great post, but you are pretty much wasting your breath on Bush2000. He's such a dedicated gatesbot that he probably has the corporate logo tattooed on his butt.

None of the massive worldwide worms that affected ONLY microsoft products were microsoft's fault. Just because the OS is so broken that browsing the web is a dangerous exercise is no reason not to use windows, or at least that is the claim.

It is the user's fault for clicking on a link in google that takes him to a malicious site. It's the user's fault if his computer has been reconfigured as a spambot because the operating system is so sievelike in its security.

The fact that microsoft, a multibillion-dollar company, was hit hard by 'code-red' and 'nimda' is beside the point. One can hardly expect microsoft to be able to keep up with patching its own systems. No one else seems to be able to either.

It's the OEM's fault that the OS is vulnerable to viruses, worms, and other assorted threats because they didn't lock down the computer and make it unusable to the intended purchaser. After all, microsoft doesn't have to field the support calls for their broken crappy operating system. That's the OEM's job, who, given today's competitive market, probably made less off the PC than microsoft did.

It's not microsoft's fault that windows crashes. It's always those crappy third-party drivers. Microsoft only produces the highest quality programs, which is easily shown by the fact that they only have to release patches 2 or 3 times a month on their core products.

Get with the program, Swordmaker. It's never microsoft's fault. Somehow or another, no matter what the problem is, it always comes down to those evil communist open source supporters and programmers.

159 posted on 01/13/2004 6:12:19 AM PST by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 149 | View Replies]

To: Swordmaker
Then of course, Bush, there are the millions of users who aren't upgrading and are still using '98, 2000, NT, ME, etc. that are still Windows users at risk.

That also doesn't take into account the annual (or more often) re-installs that windows requires to not slowly grind itself to a halt.

160 posted on 01/13/2004 6:20:52 AM PST by zeugma (The Great Experiment is over.)
[ Post Reply | Private Reply | To 130 | View Replies]

