Tuesday, June 15, 2010

Viruses on Linux

As always, I want to reinforce that these are my personal opinions and not the stated policies, recommendations, or positions of Intel.
It has been discovered that an Open Source application that runs on Linux has had some of its download repositories compromised, and some of them were serving a malware-infected version, as reported here and here. Now, while some have reacted as if this reporting were an attempt at spreading FUD (fear, uncertainty, and doubt) among potential Linux users, it is simply one more incident showing that there is no security silver bullet.

Simply choosing a more secure OS is not sufficient to protect against all forms of attack. Complacency will always leave one vulnerable. Reading your email on a Linux box will not prevent spam or phishing emails from entering your mailbox. If you click on an infected .pdf file, you probably won't get infected, because the malware was probably customized for Windows. However, that doesn't mean someone couldn't craft a .pdf file that carries a Linux payload. Someday, someone will. Moreover, if the attack isn't attempting to infect your system, but simply to get you to accept a tracking cookie in your browser, Linux is no protection at all. Running Linux doesn't magically make one immune to social engineering.

This isn't a criticism of Linux. Linux out-of-the-box generally comes configured to be more secure than a typical Windows desktop system does. A good example is that on Linux systems day-to-day work is done from an unprivileged account, and root (superuser) access requires switching to a separate account rather than being granted to one's normal account. Many other features of Linux are also specifically designed to improve security.

However, Linux systems also often have more to configure, and therefore more to exploit. A Linux system will often run ssh and ftp servers and not just clients. Running nfs or samba servers on Linux is also very common. You might even run http or sql servers. Server systems require more complex and careful administration, because servers are designed to share their resources. Sharing requires more attention. Sharing opens avenues for attack.

If you button your Linux system up, it can be secure. However, if you run it with the telnet, ftp, ssh, and nfs ports all open to the world and without any security on them, you will eventually find more viruses and rootkits on your system than you can imagine. Believe me. I've been there. In fact, to my knowledge, the only system I've ever run that has been cracked was a Linux box. It was in part due to configuring the system to be more convenient rather than more secure.
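As an added example (not code from the original post), here is a small POSIX shell audit of the situation the previous two paragraphs describe: it reads the output of `ss -tln`, lists every TCP listener bound to all interfaces, names the services the post mentions (telnet, ftp, ssh, nfs), and fails if any of the cleartext or unauthenticated ones is reachable from the world. The function names are my own, and the socket listing in `SAMPLE` is constructed for the example rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: find services listening on
# every interface and flag the ones the post warns about.
# Input format is that of `ss -tln`:
#   State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
# SAMPLE is constructed for this example, not captured from a real machine.

SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       127.0.0.1:631        0.0.0.0:*
LISTEN  0       64      *:2049               *:*
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*'

# world_listeners: reads `ss -tln` output on stdin and prints the port of
# every LISTEN socket bound to a wildcard address (0.0.0.0, *, [::] or ::),
# one port per line, sorted and de-duplicated (v4 and v6 collapse to one).
world_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" {
        n = split($4, parts, ":")                 # port is after the last ":"
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            print port
    }' | sort -n | uniq
}

# service_name: maps the well-known ports of the services named in the post
# to a label; anything else is reported as "other".
service_name() {
    case "$1" in
        21)   echo ftp ;;
        22)   echo ssh ;;
        23)   echo telnet ;;
        2049) echo nfs ;;
        *)    echo other ;;
    esac
}

# audit_exposed: reads `ss -tln` output on stdin, prints "port service" for
# each world-bound listener with a verdict, and returns 1 if telnet, ftp or
# nfs (cleartext or host-trust based) is exposed to every interface.
audit_exposed() {
    status=0
    for port in $(world_listeners); do
        svc=$(service_name "$port")
        case "$svc" in
            telnet|ftp|nfs)
                echo "$port $svc  EXPOSED: bind to localhost or firewall it"
                status=1 ;;
            ssh)
                echo "$port $svc  acceptable only with key auth and root login disabled" ;;
            *)
                echo "$port $svc" ;;
        esac
    done
    return $status
}

# Run against the constructed sample when executed directly.
# On a real host replace the sample with:  ss -tln | audit_exposed
printf '%s\n' "$SAMPLE" | audit_exposed \
    || echo "WARNING: cleartext or unauthenticated services reachable from all interfaces" >&2
```

On the constructed sample the report lists ftp (21), ssh (22), telnet (23) and nfs (2049) as world-bound and skips the cups and mysql listeners, which are bound to 127.0.0.1 only; the non-zero exit status is what a cron job or configuration check would act on. The verdict for ssh is deliberately softer than for the others: the post's point is not that the daemon is wrong to run, but that leaving it open "without any security on them" is.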

I think it is appropriately instructive that the word rootkit derives from the name of the administrative account on Unix-derived systems. The 1988 Morris worm, the first worm to spread across the Internet, also targeted Unix (not Windows) systems. Likewise, Ken Thompson used his Turing Award lecture, "Reflections on Trusting Trust," to show how to embed a Trojan horse in the C compiler so that it survives recompilation from clean source, which shows that simply compiling from source is not a panacea either.

So, enjoy the security Linux is able to give you. Open Source is a good thing. There is ample reason why many cryptographers prefer to trust an algorithm that is published and openly analyzed. However, don't assume that running Linux without appropriately configuring it makes you magically immune to attack. Life isn't quite that simple. Security still requires work. It always will.
