[PLUG] Dealing with security

Steven A. Adams stevea at nwtechops.com
Mon Feb 3 17:54:01 UTC 2003


On Mon, 2003-02-03 at 12:19, Ed Sawicki wrote:
> I was asked by two people recently about Linux virus
> scanning. One asked why there doesn't seem to be many
> or any virus scanning software for Linux that a business
> can use. The other wondered why Linux was less susceptible
> than Windows.
> 
> The first was referring to Linux viruses - not a Linux box
> scanning email for Windows clients. I explained that
> most Linux deployments in business are as servers
> presently and a Linux server managed by an administrator
> reasonably well-versed in security is not going to fall
> victim to viruses or other forms of attack easily.
> 
> I explained to both the concepts of daemons running as
> root versus a lesser privileged user, not having daemons
> running as the same user, restricting a daemon to a
> portion of a file system by chrooting it, choosing to
> use daemons that don't have a history of security issues,
> etc. I said that by using common sense security
> precautions, virus attacks are unlikely to succeed and,
> if they do, cleanup would be relatively simple.

All very good answers in my opinion. Any reasonable person would accept
this and do the appropriate research if questions remain.
 
> This was the wrong answer. The first fellow insists that
> Linux is equally as vulnerable to virus attack as
> Windows. He dismissed my explanation as the rantings
> of a "rabid Linux user" - his words. I suspect he thinks
> that Linux is not as secure as Windows because there are
> no virus scanners available - no other facts matter. I
> wonder what he'll think when he finds out that there is no
> disk defragger for Linux.

See above (emphasis on REASONABLE)
 
> The other didn't accept my explanation because "there are
> more security alerts for Linux than there are for Windows."
> and "if Linux was as popular as Windows it would have just
> as many security problems" and "wasn't there a Linux
> slammer attack?".

See above
 
> Clearly, there's a lot of people out there who don't get it
> and technical explanations are lost on them. As Linux is
> deployed by more and more people who don't have the
> necessary skills and security awareness, Linux is going to
> be perceived as a platform just as problematic as Windows.
> These people need simpler concepts they can grasp.
> 
> I'm thinking that the solution is to shift the emphasis
> away from Linux as a secure operating system to the
> administrator. It's the administrator who makes a system
> secure - not an operating system. When security problems
> occur, we should not complain about Windows, we should
> complain about administration. If company management puts
> the pressure on their administrators to solve security
> problems, more secure solutions, like Linux, should
> eventually bubble to the top.
 
But Ed, the administrator cannot force Microsoft to produce any
security fixes. In fact, even discussing vulnerabilities in that OS
could force one to fall prey to DMCA heart-ache, head-ache and possible
prosecution. Just as a vague example of the attitude that those
unfortunate individuals have to deal with, read the EULA (quite the
fancy acronym for End-User License Agreement) for the Microsoft .NET
Framework - it clearly states that by accepting this License Agreement
you will NOT discuss any benchmark findings with .NET to anyone without
the express written consent of Microsoft (I ran into that one over the
weekend while setting up my dual boot workstation). With an arrogant,
publish-only-the-good attitude like this, would it be possible that the
opinion of an administrator is going to make a difference when the CFOs
of the world just keep signing checks for more Windows? I'm sorry, I
think not.

In theory I really do agree with you: a lame Linux admin can create a
security nightmare much larger than one likely to come from a
well-cared-for Windows box. However, until Ballmer and his marketing machine start
hearing it from the money source there will be no change in the product.

Just my opinion, and like Mr. Miller, I could be wrong.




