Is the Linux process insecure?

Is the Linux process insecure?

Summary: Time for me to play devil's advocate again.The Schneier Wave graph to the right may be the most famous diagram in computer security.

SHARE:
TOPICS: Security
24

Window of ExposureTime for me to play devil's advocate again.

The Schneier Wave graph to the right may be the most famous diagram in computer security. It's named for Bruce Schneier of Counterpane, a leading computer security expert.

As Schneier explained back in 2001, vulnerability to a security bug is highest between the moment the problem is revealed and the moment a patch is made available. After that the risk goes down, but never to zero, because there are always some fools who don't patch.

A few months after publishing the graph he expounded on this, suggesting that while it's generally best to disclose a vulnerability as soon as it's found, it might be better if vendors were notified of them first, and given a fixed time limit on solving each problem, in order to minimize the time between the announcement of a bug and delivery of a fix.

Well, due to the nature of Linux this can't happen. We're all responsible for finding exploits and for fixing them. Thus we must have open commuication. Virtually any limit on who can see something, or any delay in letting everyone see something, can mean a delay in implementing a fix.

So yesterday I come across this. It's a Linux 2.6 security bug, reported on the French Security Information Response Team Web site. I did not get this because I'm clever. It was part of my regular RSS feed. I use this example mainly because it's a local bug. The announcement notes it can't be exploited remotely.

It lets users of local systems gain elevated privileges, even institute a local denial of service attack. Pretty nasty. But if I could use this bug to attack a French computer the risk would be much greater, and I wouldn't be providing the links in the above paragraph, never mind how I got them.

The point is should access to bug information and exploit code be limited at all, and if so, how would you do it? I don't want the bad guys seeing exploits either, but it's impossible on the Internet for me to know who the bad guys are.

Microsoft has theoretical control of this situation. Open source does not. Leave your answers at TalkBack.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

24 comments
Log in or register to join the discussion
  • well...

    My philosophical approach to this - whether or not it's practically effective - has always been the same as for almost any technological innovation that increases communication and openness.

    That is: there are always bad people who can use it; as long as there are more people using it for good, it's likely that on balance it will be better.

    That pretty much puts the onus on all of us to make sure we do good with it, as opposed to either the belief that technology will "save" us or that it will destroy us. Technocrats and Luddites alike are generally wrong.

    Whether this really means anything to this topic I can't tell, but it seems to me that it does. I can't give a firm opinion, since I don't have one. But if you empower the "good guys" as much as the "bad guys", the good guys win - as long as there are more of them...
    bthomasmo@...
  • When is a bug "revealed"?

    Just because a bug was publicly revealed today that does not mean one of the bad guys didn't know about it two weeks ago.

    Perhaps the SOFTWARE may not be as secure by publicizing a bug before a patch is made, but at least the workarounds will be known almost immediately. So that way my SYSTEM will be secure in the meantime.
    Michael Kelly
    • Agreed 100%

      If there's a nasty enough hole in my OS (or other applications) I want to know right away so that I can take my system off the net -- or even shut them down -- if need be.
      __howard__
  • The difference is...

    ... in microsoft world the bug isn't public till there's an expolit, in linux world the bug is often public before an exploit sometimes preventing it from ever appearing in the first place.

    Shrug, in one sense you're disclosing your weaknesses and giving people time to try to get something out before a patch is available, but on the otherhand your response time to the issues is generally greater.

    Neither is inheriently better or worse, but the linux method tends a bit more towards quick fixes in my opinion, especially since *anyone* can make a patch for the problem and submit it.
    Shadus
  • and for better or worse...

    Others have already said this, but I'd like to make it plainer that it really doesn't matter whether the provider is Microsoft or someone against whom one is less likely to be suspected of unfair bias: closed processes impede solutions. That much can not be disputed, whether it's good or bad.

    So, between the fact that there are many times more people who can see the problems, and many times more people who can work on the solutions, no single company can hope to compete with an open process.

    As Bill Joy(I think) once said, no matter who you are, the fact is that most of the world's smartest people don't work for you.
    bthomasmo@...
  • No!- the devil is in the details or rather the Penguin!

    As you can see by folowing the link you provided the patch was already released and the kernel in it most current state is already patched. You make an interesting point which provides a good opportunity to smash to bits your Headline designed to attract anti-Linux nay sayers to say see I told you so! Because like usual they will simply not look into the the details and go along on thier marry way happy in thier ignorance with a headline to back up thier misconception.


    Now also to note the attack needs local access. If you give me physical access to any Windows computer I will have administrator access in about 5 minutes! Any machine! Patch and protect till your heart is content and I will still have it. If you can't get physical access to the machine it just takes longer. Remote Linux cracking is a much more difficult and depending upon the distro you might be impossible.

    Also note that the Kernel is faithly presided over by the wonderful folks at kernel.org

    Microsoft has no real security. Security by obscurity is a a ticking time bomb. Do you see spyware effecting linux? how about OSX? How about viruses that self propagate?

    Extractus Cranius Exanus!

    Nice Red Herring...
    whieber
    • You Linux noobs...

      ...should learn a thing or two about computers before you start blabbing off on the net.

      [i]"Now also to note the attack needs local access. If you give me physical access to any Windows computer I will have administrator access in about 5 minutes!"[/i]

      [b]Local Access != Physical Access[/b]

      What does have physical access to a machine have to do with a local exploit? A 'local' exploit can still be exploited remotely given the correct conditions.

      ANd what does windows have to do with this article? With [b]physical[/b] access, I guarantee you I can get root access to your linux box faster than you can get admin access to my Windows box.

      [i]"Microsoft has no real security."[/i]

      Got anything remotely technical to back that statement up with?

      [i]"Security by obscurity is a a ticking time bomb."[/i]

      Don't tell me your one of those fools who have fallen for the 'security through obscurity is completely useless' mantra? Obscurity is just one of many methods used by security professionals to secure their machines every day.


      [i]Do you see spyware effecting linux? how about OSX?"[/i]

      Why bother? Nobody uses these platforms on the desktop anyway.

      [i]"How about viruses that self propagate?"[/i]

      You mean like [url=http://antivirus.about.com/library/weekly/aa091602a.htm]Slapper[/url]...or [url=http://www.infoworld.com/articles/hn/xml/01/01/25/010125hnramen.html?p=br&s=3]Ramen[/url]?

      I have some tasks for you...

      [b]1)[/b] Find the last windows based worm that spread via an *unpatched* exploit. Before you go off looking, I should warn you that [i]you won't find any[/i].

      [b]2)[/b] Explain to me why even the open source community sometimes refrains from full/immediate disclosure?

      [url=http://www.daemonology.net/hyperthreading-considered-harmful/]link[/url] (look at the disclosure timeline at the bottom of this link)

      [b]3)[/b] Come back with some techical arguments as to why Microsoft "has no security".
      toadlife
      • Here's two answers why Microsoft has no security.

        1. default user has full administrator privilieges.

        2. Any file can be executed.

        You M$hills always crack me up.. Windows is FLAWED BY DESIGN... There's no ifs, ands or butts about it!

        And you want to talk about disclosure??
        Delusional much?
        Xunil_Sierutuf
        • Fish on!!

          Looks like I've gotten one of the usual trolls to bite. Hopefully you guys feel like playing along today.

          [i]"1. default user has full administrator privilieges."[/i]

          Correct. A bad descision made in the name of compatibility. I guess you could call this a "design", but you could also just call it a "default".

          [i]"2. Any file can be executed."[/i]

          Okay. Explain to me how files not being executable by default would protect your average ignorant computer user from being infected/exploited on a Unix box. I'm serious...I want you to give me your best explanation. Please try to make the best case possible, as it will make shooting down your argument a lot more fun.

          [i]"You M$hills always crack me up.. Windows is FLAWED BY DESIGN... There's no ifs, ands or butts about it!"[/i]

          FreeBSD is my desktop of choice. I suppose that makes me a "M$hill"?

          [i]"And you want to talk about disclosure??"[/i]

          You havn't talked about it at all yet. Would [u]you[/u] like to?

          [i]"Delusional much?"[/i]

          Think much?
          toadlife
          • FreeBSD not M$ Windows is your desktop of choice?

            "FreeBSD is my desktop of choice"

            A confession that M$ Windows is worthless and insecure on the desktop. So, you would rather have your employers or customers suffer with Windows than migrate them to FreeBSD just because you don't have the skills to switch. I see, it's easier for you to point and click than take the time to understand computer systems. We (IT professionals) have been seeing this a lot lately. Microsofties don't have the ethics or the talent to make the right decisions.
            IT-sys
          • Puting words in my mouth

            [i]"A confession that M$ Windows is worthless and insecure on the desktop."[/i]

            I never said Windows was useless. It works quite well as a desktop OS.

            [i]"So, you would rather have your employers or customers suffer with Windows than migrate them to FreeBSD just because you don't have the skills to switch."[/i]

            I think it would be cool to have our users use FreeBSD (or even linux) on the desktop, but I am living in the real world, and realize that such a move would not be cost effective at all, given our industry, and local IT talent pool.

            [i]"We (IT professionals) have been seeing this a lot lately."[/i]

            You sound rather short sighted to be a professional. What exactly do you do - build PC's at Best Buy?
            toadlife
        • #2 is flawed

          chmod u+x foo.txt

          What was that about any file can be executed is a Windows problem?
          rpmyers1
          • chmod u+x foo.txt doesn't equal default insecurity

            Just because any file can be made executable doesn't mean that it is has default security problems like windows. And even executing a security breaching file run as a normal user will only breach that users account not the entire system or root unless the fool is doing something stupid as root. And lets face it if you are playing around as root with something you have no business with playing with you are probably more of a hazard to your system than any random trojan.
            whieber
          • And running as a standard user on windows gives the same immunity

            The problem is the default admin user and apps depending on it, not through some other inherent flaw.

            Many of the trojans on Windows DO NOT TAKE ADVANTAGE OF FLAWS. MyDoom could very easily be ported to Perl/Python/Ruby to run on anything without root level access and do the same amount of damage.
            rpmyers1
          • lol

            I never thought of [i]that[/i].
            toadlife
          • chmod u+x

            Just what he said. Any exe or bat file can be
            executed by anyone. However, you really don't
            understand Linux permissions, do you, if you
            "think" they are just like Windows?

            Even if foo.txt is in your home account,
            assuming you know what a "home account" is, you
            cannot use chmod on it if you are not in its
            permission set. But, just suppose you had full
            permission on foo.txt and did "chmod u+x" on it.
            Unless it is a properly crafted script file or a
            correctly compiled ELF binary IT STILL WON'T be
            executable.
            Before you make any more ignorant comments about
            Linux you'd better bone up a bit.
            GreyGeek
      • Thats your point?!

        Two viruses! one 3 years old and another one 4. Which require a web server to be running that has an unpatched compilation of old ssl technology. Good digging bud. These exploits can be fixed by using current technology. Anyone who still uses these unpatched has no idea what they are doing.

        "With physical access, I guarantee you I can get root access to your linux box faster than you can get admin access to my Windows box."--Only cause my box will boot faster 8-)

        The local exploit issue requires that you have at least a user on the machine that you have access to. I will crack your windows box with no user name at all. And lets face it Linux, OSX, BSD and all systems can be cracked so don't pretend your windows box is imperviable.
        The original question was is the way Linux is developed secure and it is.

        Security by obscurity is like hiding a key under a rock or a pot on your front porch. It's not out in the open but once you have it there not much to stop you from going in.
        Deliberate security takes the ease of accidental entry out of the equation and brute force is simply accidental entry with a long random set of accidents.

        1) Find the last windows based worm that spread via an *unpatched* exploit. Before you go off looking, I should warn you that you won't find any.

        Look I have spent too many hours un-*&%^%ing windows computers and networks for you pityful patched exploit treasure hunt. Nimda, Sircam, Beagle, and others are a real pain in the rear end. I have never had to spend one minute un-*&^&*ing a Linux box from a virus.

        I don't have to find technical resources to prove my point that microsoft has no real security, its right in the open. McAfee exists because Windows is a virus magnet, so does Norton and all the rest. Why do you think Adaware is around? How about Spybot search and destroy? You don't need this stuff in linux or Mac. Dude what do you need to see the truth? Linux is not perfect but it doesn't have the hassle associated with Windows.

        It has its own unique hassles but they are usually because hardware was written for Windows and not for Linux and the tide is turning.

        If you keep clining to your unsecurity blanket you going to be left out in the cold.

        Open you eyes and your mind and the source will be with you.

        8-) No hard feelings
        whieber
        • I take it you've had a windows box owned?

          [i]"Two viruses! one 3 years old and another one 4. Which require a web server to be running that has an unpatched compilation of old ssl technology. Good digging bud. These exploits can be fixed by using current technology. Anyone who still uses these unpatched has no idea what they are doing."[/i]

          On that note, you could say that anyone who was infected by blaster/slammer/code red worms had no idea what they were doing as patches were available for them [b]LONG[/b] before the exploits were created...and I would agree with you too.

          [i]--Only cause my box will boot faster 8-)"[/i]

          Sorry but hopping into single user mode and blanking the root password takes seconds. It's a bit more of a process with Windows. Definitely doable in Windows, but defintely not faster than with unices.

          Furthermore, (I admit - I'm nitpicking here) Windows XP boots much faster than linux anyway. I've [url=http://www.microsuck.com/forums/showthread.php?t=9135&page=2&pp=25]done tests[/url] and had the discussion with other linux users before.

          [i]"Look I have spent too many hours un-*&%^%ing windows computers and networks for you pityful patched exploit treasure hunt. Nimda, Sircam, Beagle, and others are a real pain in the rear end. I have never had to spend one minute un-*&^&*ing a Linux box from a virus."[/i]

          What does your experience fixing unpatched windows boxes, or any experience with linux have to do with my point about there being no self propogating worms for Windows that exploited unpatched vulnerabilites? My point was that design issues are WAY down on the list of problems with Windows security.

          [i]"I don't have to find technical resources to prove my point that microsoft has no real security, its right in the open."[/i]

          Are you saying that don't need proof because you have faith? What exactly is out in the open? Tons of Microsoft boxes get infected with viruses. Yeah...so? Why do they get infected. Think about it real hard. Who uses windows? The most prominent viruses for Windows nowadays are mail viruses where the user has to open up a zip file attachment and double click on the contents.

          [i]"It has its own unique hassles but they are usually because hardware was written for Windows and not for Linux and the tide is turning."[/i]

          Oh, cry me a frikken river. You have no idea about hassles. Try running [url=http://www.toadlife.net/stuff/forum_pics/freebsd_kde34.png]FreeBSD[/url] as your desktop, and get back to me about your "hassles" with linux. ;)

          [i]"If you keep clining to your unsecurity blanket you going to be left out in the cold.[/i]

          Open you eyes and your mind and the source will be with you."[/i]

          You assume too much about me.
          toadlife
          • Hassles now thats a selling point!

            Well my if BSD had any advantage to those I have found in Linux I might take a stab at the Beastie but I am outgrowing my love and need for hours of reading how to make my (fill in the hardware) work with my OS. Sure BSD is tight, Linux is tight, OSX is tight and patches make Windows tighter. Patching security is a fact of OS building. The original question was "is the Linux process insecure?" and it is secure and contrary to the last point of the article Microsoft does not have that market cornered. "Microsoft has theoretical control of this situation. Open source does not." -This is dispuatably wrong.

            Viruses and spyware are obvious tells that microsoft doesn't have this cornered.

            Nice KDE 3.4 by the way 8-)

            Over and out...

            Take care,
            Walter
            whieber
  • You have just demonstrated the power of the community

    By bringing things like this to someones attention, it improves everyones experience.

    Thanks!
    Xunil_Sierutuf