Reflecting On Linux Security In 2003
This has been indeed an interesting year for Linux security. The point of this article is to offer a view on what I believe to be some of the most interesting happenings in 2003.
The Linux experts that offer their view on 2003 are Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of “Real World Linux Security”) and Marcel Gagne (President of Salmar Consulting, Inc. and author of “Linux System Administration – A User’s Guide” and “Moving to Linux”).
Is it patched yet?
When it comes to 2003, I think we can call it “the year of the patch”, with the security community paying close attention to what gets patched and how quickly. In an interesting column about security fixes, SecurityFocus columnist Hal Flynn notes that he doesn’t understand why Linux vendors that put so much time and money into creating security patches distribute them for free.
Marcel Gagne has a different view of the situation: “My initial reaction to the question of why a company would spend money supplying security fixes is ‘why shouldn’t they?’ It’s called being a good corporate citizen. If you distribute something that is flawed and that flaw may endanger your customer’s data, you have some responsibility to right that oversight. You might distribute EULAs with your software that say ‘we aren’t responsible for anything that might occur on your system as a result of using this software’, but you still have a ‘moral’ obligation if nothing else.”
“I’m not saying you do this forever, mind you, but over a reasonable period of time. At some point, I expect users to upgrade to newer releases or take some responsibility for patching their own systems. What’s a reasonable period of time? I’d say 34 to 36 months. At some point, any reasonable users should understand that the best way to ensure continued support is to upgrade to something more recent.” Gagne added.
One problem with closed source is that support for older versions of the software is sometimes impossible to get. Gagne notes: “The beauty of the open source model is that an opportunity exists for creating fixes for old releases. Not so for the users of Windows 95 or 98, who have no source code to go back to when the next critical flaw is uncovered. As to charging for fixes, it seems clear to me that this model of doing business already exists in the open source world. If you, as a user, choose to sign up for corporate support, you are in effect paying for patches and security fixes.”
My OS is more secure than yours
As before, this year was full of mixed opinions about whether Linux is more secure than Windows. A survey found developers favoring Linux over Windows XP; some say Linux is more prone to security problems, while others disagree.
Back in August, Linux received Common Criteria certification for use on sensitive computers in the US, which means it is starting to move into Windows territory. No wonder Microsoft CEO Steve Ballmer is saying that Windows is as secure as Linux.
When asked about Windows vs. Linux security, Gagne says: “Frankly, it seems incredible that this is even open to debate. To suggest that Windows is inherently more or as secure is almost too silly to even comment on. One need only read the newspapers, listen to the radio, watch television or work in an office where Windows is widely used. Of course Linux is more secure, and it has nothing to do with Microsoft’s market penetration. It has to do with a better approach to software development. It doesn’t hurt that at its very core, Linux is designed with security in mind. No need here for launching a security initiative after years of neglect.”
“I don’t want to imply that there is no such thing as a security hole in the Linux world or that worms have never spread from one Linux system to another, but quite frankly, the risks are just not that high. Modern Linux distributions take security very seriously, installing firewalls as part of a standard installation. The open source development model ensures that Linux code is open to scrutiny at the most basic level. There is no such openness in the Windows world,” Gagne added.
High-profile breaches
Linux security has been scrutinized in the news lately, with high-profile breaches at the Debian Project and Gentoo Linux. Despite these events, people are still more worried about the insecurities surrounding Microsoft products and, according to a survey, that is what drives them to open source products.
Bob Toxen said: “Practically speaking, though, these few incidents are really the “Plane Crash” of security problems. By this, I mean that they are news because they are so rare.”
“No known end-users suffered a compromise as a result of these brief compromises. Only a few dozen copies of possibly compromised code were downloaded — at least from the Debian site where statistics were provided. Compare this to the millions of end-user sites that get compromised every few months when a major Microsoft vulnerability is exploited. These far greater numbers of compromised users are the “car wrecks” of the computer security world. Nobody pays any attention to reports of traffic fatalities. They appear buried deep in the newspaper every day. Just flip today’s paper open to the Obituaries. Unlike the flying public, though, most company executives finally have realized that Open Source offers far better security and reliability at a far lower cost than proprietary “solutions”, such as Microsoft. Apache outnumbers IIS about five to one. Almost every large web site and many small ones run Apache on Linux or Unix rather than Bill’s software.” Toxen added.
What about viruses?
After an article about Linux vs. Windows viruses, there has been a heated debate about how many viruses actually exist for the Linux platform and how much more secure Linux users are than Windows users. What I have been wondering is: do Linux users really need an antivirus product?
Gagne said: “My first instinct in replying to this question was to stress the difference between viruses and trojans. Even in the Linux world, it is possible for someone to distribute a program that is actually a trojan horse. It is also possible to leave your system open to something as simple as somebody logging in through any of a variety of open network services. Exploiting too liberal an access policy (i.e., no firewall) is not the same thing as a virus that infects your files because you received and opened an email attachment.”
“Do Linux users need an anti-virus program? The short answer is no. Until such a time as someone can demonstrate that Linux represents as great a danger to the networked world as Windows (even on a ‘per capita’ basis), then it’s pointless for Linux users to waste their money. Both Windows and Linux systems should be running a firewall; that will protect you from service exploits. Linux systems, however, do not need anti-virus programs,” Gagne added.
Windows viruses affect most Linux users as well, since they receive them by e-mail. On this topic Gagne noted: “Despite the fact that I do not run a Microsoft computer in this office, my network is constantly bombarded by Windows viruses of one form or another. Lately, I’ve taken to sending anything with a .pif, .bat, .exe, .scr, .vbs, or .com extension directly to /dev/null with a simple procmail filter, which has cut down the amount of garbage email. At the height of Sobig and Blaster, my network was being bombarded with a few thousand emails per day. My point, I guess, is that Windows viruses are a real problem. Scratch that. They are a disgrace when you consider that this is what the world has inherited by selling its IT soul to one company.”
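The extension filter Gagne describes is a procmail recipe; the following is an added example, not from the article or from Gagne, that applies the same rule with Python’s standard email library so the decision is made on the parsed MIME structure rather than on raw header text. The message and addresses are constructed for the demonstration.

```python
"""Flag e-mail messages carrying Windows executable attachments.

Added example: reimplements the idea of the procmail filter described in
the article (drop .pif/.bat/.exe/.scr/.vbs/.com attachments) on parsed
MIME parts, so disguised names such as "report.txt.PIF" are still caught.
"""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions named in the article; compared case-insensitively on the
# final suffix only, since that is what Windows uses to pick a handler.
BLOCKED_EXTENSIONS = {".pif", ".bat", ".exe", ".scr", ".vbs", ".com"}


def blocked_attachments(raw: bytes) -> List[str]:
    """Return filenames of attachments whose final suffix is blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a leaf part
        name = part.get_filename()  # decoded from Content-Disposition
        if not name:
            continue
        suffix = os.path.splitext(name)[1].lower()
        if suffix in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(attachment_name: str) -> bytes:
    """Constructed message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Re: Details"
    m.set_content("Please see the attached file.")
    m.add_attachment(b"MZ-not-really-a-program", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return bytes(m)


if __name__ == "__main__":
    for name in ("thank_you.PIF", "invoice.txt.scr", "notes.txt"):
        verdict = "drop" if blocked_attachments(build_sample(name)) else "keep"
        print(f"{name:18} -> {verdict}")
```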
“Windows’ track record for viruses and worms is appalling. The costs in terms of data loss, damage, and lost productivity in the last three years alone run into the billions of dollars. This is documented fact. Considering how many open source web servers (and servers in general) there are out there, you’d expect some kind of equivalent tally for Linux. But it isn’t there. That pretty much speaks for itself,” he added.
What can we expect in 2004? The Linux community is growing, and right at the end of 2003 we have the long-awaited 2.6.0 kernel to upgrade to. Every year since the birth of Linux has brought improvements, so I think there is only a bright future ahead.