Linux Security Fail
November 3, 2009
I've often spoken about my concerns about Linux generally being unpolished and rough - and my feeling has always been that the claims of "superior security" from the Linux camp are over-stated, because of this lack of polish, fit and finish. In particular, it seems that the relatively small percentage of machines out there means that obscure but very dangerous issues are less likely to be discovered (the disputed, mythical, "security through obscurity" claim that Linux advocates say does not exist). With so many Win32/64 machines out there, a serious security flaw, even an obscure one, is likely to get noticed and brought to attention sooner, not later.
Today, I experienced a *great* example of this. I have an Ubuntu 9.04 box sitting at my desk running on a Dell Dimension 8200 P4 system. I use it for various work related duties, often when my Lenovo desktop is tied up doing other business. This morning, when I came in, the screen saver was displaying as normal. I started working on my Lenovo. After a while, I looked over, and to my surprise, the Ubuntu box was sitting at the desktop, with Firefox running, and I could see the page I was at (dnsstuff.com). Shocked, I moved the mouse and the display went black, and came up with the log-in screen, as if it had been displaying the screen-saver.
This is simply unacceptable, and I've *never* seen a Win32 machine do anything like this in years of experience. It is unpolished, lacking in sufficient QA, and not suitable to a corporate environment - plain and simple. This wasn't OE - I didn't use it and leave it unlocked. It was locked, the screen was on a screen saver, and suddenly, without any user interaction, it returned to a full desktop. That isn't a minor security issue. It is a potentially HUGE issue - especially in an industry like mine, where there are strict HIPAA regulations on ePHI data. There are all kinds of ramifications of thinking you've securely locked your desktop from prying eyes, only to come back and see that desktop displayed to the world.
This isn't an isolated event, either. The fact is that since I started using Linux with Debian Sarge and Potato, I've seen too many issues like these where it is clear that a bunch of guys, working at the grass-roots level, with a lot of passion, when they're not doing their day-jobs, simply can't provide a quality security environment comparable to a major corporate interest with deep pockets and the workforce to sufficiently quality check their product. Linux may be fundamentally better at the foundation - but without the dollars and the manpower to develop strong, secure, reliable, polished things on top of that foundation, it doesn't really matter.
A crashing screensaver should NEVER return you to a desktop. If I have *ever* seen this in a Windows environment, it was in Win 3.11 for Workstations (not NT). If the screensaver crashes, you should get returned to the login prompt with a black background, at the very least.
I'm totally blown away by this - and utterly disappointed in Ubuntu and Linux. This has a major impact on my reluctance to use Linux or Linux-based devices throughout my environment for anything requiring enterprise-class security. Unfortunately, I can't reliably recreate this issue, because it just happened while it was sitting there. But if it only happens once in 1000 hours per 1000 workstations, that is too many times for something like this to occur.
07:29 AM (PST)
November 4, 2009
AFAIK, this was reported sometime back. You need to apply all relevant patches.
I agree Linux still requires polishing in many ways.
01:33 AM (PST)
This is a 9.04 install
November 4, 2009
On the latest patches as of yesterday, when it happened. I'm shocked it has been
I'm also... honestly, flabbergasted that there is only one response, and it is someone saying, "yeah... I know, this is pretty big..."
I mean... I *thought* this one would be a back and forth, 300 posts flaming "debate".
Is this lack of response a silent acknowledgement?
Because seriously... this is significant. Especially from a platform that has made "rock-solid security" the platform on which they chose to compete.
08:31 AM (PST)