On Wed, Nov 26, 2003 at 12:07:05AM -0800, Tom ([EMAIL PROTECTED]) wrote:
> > Paul Johnson wrote:
> >
> > >Non-issue if you don't use Windows.
>
> This is totally piling on, but given this recent security compromise,
> I think the whole Linux community needs to reevaluate its "can't
> happen here" mentality.

Preface: Paul's response was, IMO, somewhat unwarranted. It's technically correct: if you're not worried about dealing with legacy MS Windows users, you don't need to worry about viruses for GNU/Linux. However, since GNU/Linux makes such an excellent platform for providing web, proxy, email, file, print, data, and other services for legacy MS Windows systems, there _are_ people with a valid interest in virus-scanning solutions, targeting *Microsoft* viruses, but running on GNU/Linux.

A few items:

- Yes, security matters.

- The Debian project compromise, by available (and some unavailable) information, wasn't a virus. While a full report is forthcoming, the general outline appears to be that a Debian developer's system was compromised (how exactly isn't clear), the SuckIT rootkit installed on his system (this is a particularly nefarious kernel-space rootkit which leaves no filespace evidence, though it can be detected by looking at /proc files), and from there, several Debian servers accessed. Keyloggers, common passwords (you *really* shouldn't re-use passwords on different systems), and some other bad habits factored in heavily.

- Specifically: it doesn't appear that there was a virus or worm component to the exploit(s) (though my information is incomplete and analysis remains underway) -- the key defining point being that one system was compromised and automatically propagated the compromise to others. Rather, social and/or technical cracking techniques were applied, a rootkit used to leverage the exploit, and guided analysis used to then target Debian Project (and possibly other) systems for further compromise. Contrast this to, say, the Microsoft Slammer worm, in which a 376 byte UDP packet saturated the _entire_ Internet within 10-15 minutes, or the Swen and SoBig worms, which dumped thousands, or tens of thousands, or hundreds of thousands of emails daily on individuals and sites.

  GNU/Linux has a security profile. It's generally markedly different from legacy MS Windows. Best bet: focus on the actual threats _your_ environment faces.

- Yes, I expect the security picture regarding GNU/Linux to worsen as more users adopt the platform. I don't think viruses and worms, as commonly defined, will characterize the problem. Rather, it's going to be poorly administered boxes and bad security practices writ large.

> I don't care if it's social engineering or I-Love-You, if the world
> comes to an end, that's A Bad Thing.

There are few attacks on GNU/Linux, *BSD, or proprietary unices which are of the "world comes to an end" variety. Most (but not all) software is designed with security in mind, the overall architecture is radically different from legacy MS Windows, and even in wide adoption, the environment is likely to be far more heterogeneous than the current Win32 monoculture.

> It's only going to get worse as Linux gets more popular. There were
> dozens of Microsoft disasters before the mainstream press and the
> general public noticed.

And the response to these has been to thumb the dike. Leaks have been plugged, but the overall infrastructure hasn't been overhauled. And it's this infrastructure which is the problem: little privilege separation, pervasive cross-application scripting, commingling of "code" and "data", deeply pathological complex relationships between applications and OS making patching tedious and error prone, and a highly uniform OS and applications base, which lead to the problems. Compounded heavily by a culture which didn't "get security" until the past two years, despite repeated and significant warnings that this is and would be a worsening problem.

By contrast, the free software community operates on a basis of full and timely disclosure, preemptive security measures (code audits, several independent hardening efforts from OpenBSD to SELinux), and in general takes security seriously. Not always seriously enough, but if there is a problem people speak up about it. And there aren't (yet) $6 billion marketing budgets to plaster over the disturbance. Most major distros now have systems which greatly facilitate the updating of systems, Debian more so than most.

> Linux is long overdue for a major security black eye. It's going to
> suck when it happens.

There will be problems. There have been problems. They will likely be largely localized (affecting a subset of users and systems), disclosed fully, and rapidly patched and/or addressed. It's possible that popularization of GNU/Linux will eventually take it beyond the sensible design roots it's historically been based in (and I see some warning signs). But for the most part, engineers, not marketers, have final say, and tend to address problems.

> I think all Linux devs, from Linus on down, need to stop and think
> very seriously about what can be done to preemptively mitigate the
> inevitable embarrassments which are sure to come (soon).

I think that many do. I think your fears are somewhat misplaced. The advice is still valid.

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   ARM Computer: Customer Service Hell On Earth
     http://lists.svlug.org/pipermail/svlug/2001-November/038616.html