.comment: A Golden Opportunity
Where Do You Want Your Data to Go Today?

I've argued for years now that the time will come when use of Microsoft Windows on machines storing sensitive data will be deemed an act of misfeasance. By that I mean that the lack of security in Windows will be well enough known that if your lawyer or your accountant stores private data on a Windows machine, and that Windows machine is cracked, you'll be able to sue, win, and collect. The evidence toward that end mounts. Perhaps most damning, both in content and in the prestige of the organization whence it came, is a 73-page study, "Cyber Threats and Information Security: Meeting the 21st Century Challenge," released last month by the authoritative Center for Strategic and International Studies in Washington. The CSIS report concluded that Microsoft software is so full of security holes, and so poorly audited, that it not only poses a risk to the national security but also cannot be fixed. It is, the report said, an insecure system so complicated that it cannot be made secure. The computers of most of the Fortune 500 companies have been cracked, the report notes, including last autumn's break-in at Microsoft's own network. Frankly, right now one gets the sense that only an idiot would pass a credit card number over the Internet, so many insecure credit card repositories have been cracked. And, the report noted, the chances are that most cracks go undetected--if script kiddies can do it, imagine what the pros could come up with? (If you've read this column for a while, this theme will already be familiar to you.) There are several kinds of security risks familiar to the clue-enabled. There are the virus and virus-like macro attacks in which code finds its way onto your machine and does damage locally or distributes itself by way of your machine to others and causes trouble through the sheer weight of the traffic. 
There are the distributed denial of service attacks, which produce two flavors of victim: The site that gets hammered, and the hundreds, even thousands of "zombie" machines that do the attacking unbeknownst to their owners. (In at least one DDoS attack last century, which is in this case to say last year, Linux machines were the chief zombies, an exploit having been found and, well, exploited.) There are cracks of websites, substituting some new content for that which the webmaster intended. These three are largely acts of vandalism, just stupid stuff. When The New York Times website was cracked two years ago, the children who did it eschewed any cleverness in their substitute site. (Imagine some fiendish cracker hitting that site and inserting something subtle--sanity in the editorial column, for instance.) By far the worst, though, is gaining access to data on machines. This can be anything from a doctoral dissertation to a database of a few hundred thousand credit card numbers, along with the names, addresses, and card use histories of the card holders. The potential for abuse is obvious--order up a bunch of stuff, or, if you manifest equal measures of boldness and stupidity, hold the data hostage pending payment of a ransom--and unobvious: imagine a database of 300,000 cardholders with all their information. That puts you in a dandy little mailing list business, and you'll never get caught. Forget the card numbers--the rest of the stuff is easily saleable, no questions asked. And when a person has access to a machine, chances are good that the data can be copied, sure, but also manipulated. The fact that macro virii got into and caused to be shut down a computer network in the National Security Agency last year tells us that somebody bent on more than obvious troublemaking could cause a lot more trouble, unobviously. The threats are broad and frightening, and they extend to every computer that is hooked to a modem or, worse, broadband. 
And Microsoft software is not part of the solution. "It is doubtful that the millions (sometimes billions) of lines of code required to power Microsoft's products could readily be sanitized," notes the CSIS report, which goes on to mention that most government computer systems--including very sensitive military systems--are running software from Redmond. This represents a golden opportunity. Not just for crackers, though surely that's the case, but for Linux.
Linux Isn't Secure, But It Can Be

One imagines that the OpenBSD people would be making big noise about now. Their system is, as shipped, more secure than Linux is, never mind Windows. It has what is arguably a better license (unless you happen to live in an ivory tower in Cambridge and are easily mistaken for the murderous loon Mucko; if you are, there is no possible improvement on the GPL). OpenBSD is in some respects the obvious choice. But Linux is where it's at. NASA is doing serious Linux development. The big guys--okay, IBM--are doing Linux work. The codebase has been examined by tens of thousands of eyes, many of whom can correctly identify what they're seeing. So it was Linux that the National Security Agency, unamused by the Love Bug, began to work with. The stories about the NSA would be legendary but for the fact that legends tend not to be true, and much of what is said about the NSA is absolutely true. In its suburban Maryland headquarters, a half hour or so from the Goddard Space Flight Center, NSA exists in a complex that has a mushroom farm of satellite dishes on its roof, broadcast receivers we can only imagine inside, and telecommunications equipment that officially hasn't even been invented yet monitored by people who are good at it. It's a very secretive place. For a period of time, it did not exist, if you asked. This is not a slouch outfit. The NSA has some computer people, as you might well have imagined. Were they to put their minds to it--and who am I to say that they have not?--they could come up with something that would make Carnivore look as primitive by comparison as the work of the undetected pros does the script-kiddie cracks. These guys are good. Very, very good. And they've undertaken something called "Secure Linux." It is technically elegant, which is no surprise. 
It provides process-level security, which is both sensible and sufficiently complex that if it were available for use today, it would be a long time before many of us would figure it out well enough to make use of it. But when implemented, it may well be damn near bulletproof. This is nice. It is remarkable. But the astounding part is that the NSA is bringing it to the community. The code that is being developed is being offered to the Linux kernel developers, and in turn the developers are very likely to contribute to the project with the idea that it could well become part of mainstream Linux. Not now, but there might well be some aspects of it in the 2.6 series of kernels, with perhaps more to come.

Why? Why would one of the most secret agencies of the U.S. government suddenly offer code to the extremely public and thoroughly international Linux community, and suggest a willingness to accept code from that community? There are two reasons. The first is that there are some geniuses in the kernel crowd. But the second is more important, and strategic, and made clear in the CSIS report: our computer infrastructure, based on Microsoft software, is a security joke. If drugged-up juvenile delinquents can screw up big corporations, competent people who wish to do real harm could have, and probably are having, a fine old time for themselves. If defending the national security is the goal of the NSA, there's much to be said for a rock-solid and freely available operating system. It's the smart thing to do.

When the announcement of the NSA project was posted on the kernel mailing list, the initial responses were predictably skeptical. Look out for backdoors, said some. Well, yes, of course--you mean you hadn't been doing that already? It was a quick, cheap shot, and I suppose that those who posted it knew as much. It's not as if the NSA is going to send binaries to Linus and ask that they be placed in some weird way into the otherwise source-only Linux distribution. 
If there were back doors, they would be visible in the source, available to one and all. They wouldn't go undetected for long enough to make it into a development kernel. The NSA folks know this, and this isn't what they're up to, anyway. They want to secure the nation's--no, really, the world's--computer infrastructure with a system that anyone can afford and anybody who is very good can button up.
Sitting Penguins

Meanwhile, the people who put together commercial Linux distributions (who I believe probably give their credit-card numbers over the Internet) continue to take the security that Linux already offers and by default destroy it. Because they have no idea whatsoever who their customers are, or maybe want to sell consultancy such that in exchange for money their stupidities can be corrected, they ship products that are wide open. I run Caldera eDesktop 2.4. I do so because I think it is by far the most stable distribution, the one most easily modified without having to learn a lot of distribution-specific things. Caldera has in my estimation produced the most Linux of the commercial distributions. (I say "commercial" because I'm deliberately excepting Debian.) Distributions have attitudes, and Caldera's is mellow. Yet Caldera, like Red Hat and the others, is an out-of-the-box security nightmare. It's not so much an installation as it is a frigging open house. Every imaginable daemon is up and running on boot. I spent a hilarious evening on the phone with my friend and guru, the estimable Bob Bernstein, doing nothing but shutting down--everything. There was nothing, or just about nothing, that needed to be running. I did this when I switched from dialup to cable modem and wanted to be the only guy making those LEDs blink. Even so, I awakened one night to see the lights blinking and strange pictures on my screen. XScreenSavers had gone trolling on the web, gathering stuff for my screen. There is a golden opportunity here, yes indeed. There is the opportunity for Linux to become, by definition, the operating system for people who are serious about security--and seriousness about security is now a selling point, but soon it will be a bottom line minimum. 
Yet the community, from distributors (and I'm sorry for picking on you, Caldera, because the others are every bit as bad) to application developers--c'mon, Jamie, you know better--has acted as if the Microsoft standard, no standard at all, according to the CSIS, is all that matters. It's time for a security exploit. It's time for Linux distributors and application developers to exploit the security we already have. The distributors need to understand that nothing--nothing, dammit--should be started by default. Apache is great, but you have a lot of customers who are not running websites, and even fewer who ought to be. Don't assume that everybody who buys your CD and (generally miserable) book wants to make the machine an ftp server. Make those things available, sure. If I may make bold to suggest, even document what those daemons are, what they're good for, when you might want to use them, and how to do so. But make security your selling point. There is a load of sales material available to you, involving all of the documented attacks and the potential ones. You'll inconvenience no one. I have no idea why the Linux community seems intent on failing to accentuate its strengths while chasing the weaknesses of what it sees as its competitor. We need to recognize that Linux is as good as it is.
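The evening of "shutting down everything" described above can be turned into a repeatable check. The script below is an added example, not code from the column or from any distribution: it reads listener lines in the shape of `ss -H -tulnp` output and reports every network-facing daemon whose process name is not on an explicit allow-list. The allow-list, the sample listener lines and the process names in them are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the column: report network-facing listeners that are
# not on an explicit allow-list. The sample data below is constructed; on a real
# host feed live output instead:  ss -H -tulnp | audit_listeners "$ALLOWED"

# Daemons this host is meant to expose (constructed allow-list), one name per line.
ALLOWED="sshd"

# Constructed lines in the shape of `ss -H -tulnp` output:
#   proto state recv-q send-q local-address:port peer-address:port process
SAMPLE='tcp LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=612,fd=3))
tcp LISTEN 0 511 0.0.0.0:80   0.0.0.0:* users:(("httpd",pid=700,fd=4))
tcp LISTEN 0 5   0.0.0.0:21   0.0.0.0:* users:(("vsftpd",pid=733,fd=3))
udp UNCONN 0 0   0.0.0.0:111  0.0.0.0:* users:(("rpcbind",pid=501,fd=5))
tcp LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("sendmail",pid=801,fd=6))'

# Reads listener lines on stdin and prints "proto port name" for each daemon whose
# process name is not in $1. Loopback-only listeners are skipped: they are not
# reachable from the network, which is the exposure the column is talking about.
audit_listeners() {
    allow="$1"
    while read -r proto _state _rq _sq laddr _peer procinfo; do
        [ -n "$proto" ] || continue
        case "$laddr" in 127.*|"[::1]:"*) continue ;; esac
        port=${laddr##*:}
        # Pull the first quoted process name out of users:(("name",pid=...,fd=...))
        name=$(printf '%s\n' "$procinfo" | sed 's/.*(("\([^"]*\)".*/\1/')
        if ! printf '%s\n' "$allow" | grep -qxF "$name"; then
            printf '%s %s %s\n' "$proto" "$port" "$name"
        fi
    done
}

# Convenience wrappers over the constructed sample.
unexpected_list() {
    printf '%s\n' "$SAMPLE" | audit_listeners "$ALLOWED"
}

unexpected_count() {
    unexpected_list | wc -l | tr -d ' '
}

unexpected_list
```

Anything the script prints is a daemon that is reachable from the network and that nobody decided should be there, which is exactly the list worth working through one service at a time.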