Monday, April 5, 2010

Linux: As vulnerable as Windows?

Before any Linux users burn me in effigy, please read a little further. Enterprise Linux is rock solid and as secure as anything out there - and more secure than most. But how secure is desktop Linux?

Before answering that, perhaps we should think about why Linux in the Enterprise is so secure. Actually, we don't have to think about it because Fewt of the Fewt blog already has. And the conclusion he has come to is that the things that make installing and using desktop Linux so user friendly are exactly the things that make it insecure.

I'm ashamed to admit that I've never considered that the changes made to make desktop Linux simpler to install and run than enterprise Linux could create security risks. For instance, creating a single partition instead of having different partitions for different directories removes one of the security features of enterprise Linux. Fewt says it much better than I can:
"With a Desktop Linux system, non enterprise savvy users are given the keys to a wide open platform and nothing protects them from the elements. We as a community have falsely sold our users that this platform inherits the security capabilities that you find within Enterprise Linux, we just aren't telling them the whole story.

"By default, every single Desktop Linux system I have reviewed or tested fails in every possible way. None of the measures normally applied to protect Enterprise Linux systems are present to reduce risk of vulnerability. In addition those enterprise controls must be altered slightly as the use case is so greatly different than that of an Enterprise Linux deployment."

Are you using desktop Linux? Do you have the know-how to secure it, and if you do, have you? If you've convinced friends to run Linux, have you secured their systems for them?

Fewt doesn't just bemoan the fact that desktop Linux is not secure. He points users who want to secure their systems to resources to help them do exactly that:

https://help.ubuntu.com/community/Security
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf
http://people.redhat.com/sgrubb/files/hardening-rhel5.pdf
http://ubuntuforums.org/showthread.php?t=510812

He then offers the advice that if you find the information at any of those links too complicated, you should stop using Linux. He's not being snobbish or suggesting you have to be a Linux administrator to secure Linux. He's saying that if you're not comfortable taking the steps needed to protect your data - and perhaps your reputation - you should use an operating system that protects you while staying in your comfort zone.

If you are a user or a fan of desktop Linux, I suggest you check out Fewt's blog entry and the links he gives to help you secure your desktop. He gives a very clear, very informative case for desktop Linux's insecurity.

In any security situation you're only as secure as the weakest point. Often that's the user's password. In desktop Linux it looks like the OS itself may be the weak point. There are already enough weak links in any OS without opening the lock and throwing open the gate for the bad guys.

2 comments:

  1. This reminds me quite a bit of a discussion that was going on a long time ago when I first tried Linux... Users that weren't comfortable handling dependencies or compiling were often being told to use another OS -- that is, until package managers were designed, refined, and integrated as a core aspect of how the system handled installation.

    I think that a parallel approach would be the smartest one now... Find ways to integrate solutions into the system where reasonable, once the primary problems are identified. For the remaining issues, create a "security manager" that makes the fixes a normal non-threatening aspect of using Linux -- just like package managers are today.

    Taking that approach would also make life a bit easier for users at all levels of expertise... More importantly, non-technical users often have connections or talents that our community visibly needs more of. If they're busy doing & learning admin tasks, it means they're *not* using their abilities to improve Linux; if they're treated as second-class users or made to feel unwanted, they're less likely to offer their skills or explore projects that might need them.

  2. You're exactly right about the changes made in software installation and upgrading. And if enough people raise enough fuss about the security issue, it will be fixed the way upgrading and installing software was. But until it is we are lying to users of desktop Linux if we tell them they have a secure OS just because they installed Linux. If they do a default install, they don't.

    I could argue that by learning how to do admin tasks they are enriching themselves and the community, but the last part is only true if they take an active part. If they just install Linux and go about their business without ever sharing their experiences with the community, they won't have any impact.

    I am not a Linux user on my main computers, but it's not because I was ever made to feel unwanted or treated as a second class citizen. Every forum I ever asked a question on was very helpful. I did receive the "If you're not comfortable doing this..." comment, but never in a way that made me feel second class. It was always either preceded or followed by detailed information, whether that information was posted or they directed me to it. If I am not comfortable doing things that need to be done to use a particular technology, whether it's an operating system or a microwave then it might be better for me to use something else.
