Re: Re:Linux Security
>>>Does anybody know what the deal is behind the recent rash of articles about
>>>Linux, Open Source, and security? Any educated thoughts on the matter? The
>>>lack of eloquent rebuttals to these articles is beginning to fray my rope a
>>>bit.
>>
>>Can you point me to some articles? I haven't seen a "rash" but maybe I
>>haven't been looking in the right place. One problem may be that people
>>assume "their" Linux box is secure, because Linux has lots of security
>>features, if you don't use them you're no better off than under Wfwg.
>This is the straw that broke the camel's back.
>http://www.nytimes.com/library/tech/00/03/biztech/articles/30tsc-linux.html
> So far, this is the only intelligent rebuttal I've yet read, but I don't think
> it was published by an organization as well-circulated as the NYTimes:
> http://securityportal.com/direct.cgi?/closet/closet20000329.html
> I've been reading similar articles for most of the week now about how OSS is
> never going to cut it with Linux. Perhaps I'm just now noticing the frequency
> of this FUD?
I don't know if it's FUD or not. There seem to be a lot of people who just
don't get it. I have people say "How can you use Linux, there are no
applications?" I tell them there are lots of apps, but the distribution
mechanism is totally different, the Internet instead of Best Buy. GNU is
fundamentally a different system than commercial software, and it really
confuses a lot of people.
Excerpt:
In addition, businesses often bring in outside consultants to maintain the
code. That presents another opportunity for a breach of security, Ulsch says.
Rebuttal:
For one, this is true of lots of code, not just Linux; our 4gl apps on
Informix are maintained by outside consultants. Second, I've never heard of
companies hiring consultants to change the code of "Linux"; their changes
would be out of the mainstream and lost at the next upgrade unless they were
submitted back to the community, where they would be reviewed as critically
as any other code.
Excerpt:
"Before Internet banking and the World Wide Web, information was more
secure. A dog, a guard and a gun and you were all set," he says. "If Linux
security is ignored, it is a looming crisis."
Rebuttal:
Really? And if I ignore the security issues of NT? This statement really
brings into question the intelligence of the author.
Excerpt:
"This is a double-edged sword," says Scott Hissam, a member of Carnegie
Mellon's Software Engineering Institute. "The bad guys have access to the
same code as the creators. They can use that information to exploit the code
and make it do what they want it to do."
Rebuttal:
And the good guys can use the code to improve the system and FIX the
problems instead of relying on some mother company to obscure or hide the
problem. With good code the bad guys have little if anything to work with.
Excerpt:
But Ed Roback, the acting chief of the computer security division at the
National Security Institute, has reservations. "If you're in a large
organization, you have people modifying the code because they can," he
says. "So you could have local variations in the code. The modifications
could be introducing vulnerabilities themselves. It's also conceivable that
folks could insert malicious code." Malicious code can lead to a system
halt, or internal libraries of information being replaced.
Rebuttal:
GNU is not a "large organization"; it is a truly humongous organization with
an effective system of peer review. I do not believe someone can just insert
"malicious code", certainly not into the kernel anyway. Some code authors
can't even get Linux to accept their drivers. And as for "local variations",
I can't remember the last time I went playing around in the kernel source
to make its behavior appropriate to my environment; if someone does then
shame on them. I doubt it happens much. Poorly configured services I am
sure are rampant, but that is not an OS-specific issue at all, I can assure
anyone of that.
Excerpt:
"You have to assume that if there is a vulnerability posted on a site, there
has to be an attack script," Roback says. An attack script is a program that
allows the outsiders to hack a program's code. "You could correct them, but
then there are vulnerabilities to that."
Rebuttal:
Does this guy (the NSA dude) have a college education? How about Logic 101?
I agree a vulnerability should be assumed to be exploitable, but to imply
that the fix itself is inherently vulnerable too just doesn't make any
sense. It might be, but it might not. If by allowing telnet access from the
Internet my system is vulnerable, so I set up in hosts.deny that no one can
connect via telnet except one internal host, then according to him I'm still
vulnerable to telnet attacks from the Internet. Eh?
Excerpt:
The National Infrastructure Protection Center publishes CyberNotes, which
itemizes compromises in computer software and hardware. Among those listed
as high risk are holes in two servers made by SuSE Linux of Germany that
allow a malicious user to gain unauthorized access to files. A loophole in a
Linux server from Debian makes it possible for hackers to compromise files
within that server. Patches for both problems are posted on the companies'
Web sites.
Rebuttal:
Okay, with the phrase "servers made by SuSE" this guy shows he has NO CLUE
how GNU/Linux is put together. And patches are available, but remember the
NSA said that if you apply patches you're still vulnerable. Sheesh. I
suspect this clueless chap took what the NSA said out of context, as I don't
think they are that dumb.
Excerpt:
Hackers, of course, don't draw their boundaries around Linux products.
Microsoft's Windows NT server, for example, is susceptible to an attack in
which the perpetrator can obtain and use lists of users' names for attacks
on other systems. There was no patch for this problem as of Feb. 16,
according to the NIPC.
Rebuttal:
Thank you. I find it odd that he states you'll get a list of user names for
attacks on "other" systems? Seems like a user list would really be only good
against a machine in the Domain it came from.
Excerpt:
Phil Rueppel, an analyst at Deutsche Bank Alex Brown, says problems within
the Linux code can be found and quickly resolved. "There's no reason to
believe that the source code can't be made as bulletproof as the legacy
systems," he says.
Rebuttal:
Were legacy systems bulletproof?
Excerpt:
But, "we don't know right now whether it will save money," he says. "You
could say that the jury is still out on how secure Linux code is."
Rebuttal:
On security issues, the jury needs to be vigilant and educated; it will
never be "in."
Excerpt:
For now, many businesses are looking to cut costs first and ask security
questions later. But Ulsch of Pricewaterhouse Coopers warns: "I'm not a
believer that Linux is a cost-saver if you factor in all the security
issues. If you go into this for cost savings, you're going in for the wrong
reason."
Rebuttal:
This statement is so vague I don't even understand what it means. The cost
of "security issues" is the salary of a decent administrator. I can't think
of any platform that doesn't need someone to tend and groom it.
Overall response:
I think this article is written by someone out of their league with
little if any real understanding of the fundamental issues involved
with this topic. I suspect he has done a disservice to the people he
interviewed by clipping their comments, thus taking them out of their
original context. He is correct that a Linux distribution (what he's
really talking about, not Linux, or the OS/GNU methodology) is not a
solution to all problems. Charity and mercy aren't complete solutions
to world poverty either, but I hope they stay around awhile.