Linux Security Fail
Donovan Colbert
TechRepublic
November 3, 2009
I've often spoken about my concerns about Linux generally being unpolished and rough - and my feeling has always been that the claims of "superior security" from the Linux camp are over-stated, because of this lack of polish, fit and finish. In particular, it seems that the relatively small percentage of machines out there means that obscure but very dangerous issues are less likely to be discovered (the disputed, mythical "security through obscurity" claim that Linux advocates say does not exist). With so many Win32/64 machines out there, a serious security flaw, even an obscure one, is likely to get noticed and brought to attention sooner, not later.
Today, I experienced a *great* example of this. I have an Ubuntu 9.04 box sitting at my desk running on a Dell Dimension 8200 P4 system. I use it for various work related duties, often when my Lenovo desktop is tied up doing other business. This morning, when I came in, the screen saver was displaying as normal. I started working on my Lenovo. After a while, I looked over, and to my surprise, the Ubuntu box was sitting at the desktop, with Firefox running, and I could see the page I was at (dnsstuff.com). Shocked, I moved the mouse and the display went black, and came up with the log-in screen, as if it had been displaying the screen-saver.
This is simply unacceptable, and I've *never* seen a Win32 machine do anything like this in years of experience. It is unpolished, lacking in sufficient QA, and not suitable to a corporate environment - plain and simple. This wasn't OE - I didn't use it and leave it unlocked. It was locked, the screen was on a screen saver, and suddenly, without any user interaction, it returned to a full desktop. That isn't a minor security issue. It is a potentially HUGE issue - especially in an industry like mine, where there are strict HIPAA regulations on ePHI data. There are all kinds of ramifications of thinking you've securely locked your desktop from prying eyes, only to come back and see that desktop displayed to the world.
This isn't an isolated event, either. The fact is, that since I started using Linux with Debian Sarge and Potato, I've seen too many issues like these where it is clear that a bunch of guys, working at the grass-roots level, with a lot of passion, when they're not doing their day-jobs, simply can't provide a quality security environment comparable to a major corporate interest with deep pockets and the workforce to sufficiently quality check their product. Linux may be fundamentally better at the foundation - but without the dollars and the manpower to develop strong, secure, reliable, polished things on top of that foundation, it doesn't really matter.
A crashing screensaver should NEVER return you to a desktop. If I have *ever* seen this in a Windows environment, it was in Win 3.11 for Workstations (not NT). If the screensaver crashes, you should get returned to the login prompt with a black background, at the very least.
I'm totally blown away by this - and utterly disappointed in Ubuntu and Linux. This has a major impact on my reluctance to use Linux or Linux based devices throughout my environment for anything requiring enterprise class security. Unfortunately, I can't reliably recreate this issue, because it just happened while it was sitting there. But if it only happens once in 1000 hours per 1000 workstations, that is too many times for something like this to occur.
07:29 AM (PST)
Pretty Serious
Sawan Gupta
November 4, 2009
AFAIK, this was reported sometime back. You need to apply all relevant patches.
I agree Linux still requires polishing in many ways.
Regards,
Sawan Gupta
01:33 AM (PST)
This is a 9.04 install
Donovan Colbert
November 4, 2009
On the latest patches as of yesterday, when it happened. I'm shocked it has been reported.
I'm also... honestly, flabbergasted that there is only one response, and it is someone saying, "yeah... I know, this is pretty big..."
I mean... I *thought* this one would be a back and forth, 300 posts flaming "debate".
Is this lack of response a silent acknowledgement?
Because seriously... this is significant. Especially from a platform that has made "rock-solid security" the platform on which they chose to compete.
08:31 AM (PST)