Why Linux Security Will Succeed

[This was originally published on secure.linux.com and mirrored on attrition.org.]

There is no subtlety in the race to gain the exalted title of having the most secure operating system. Both sides of the virtual fence argue that their preferred operating system is more secure in its default installation. More often than not, these OS bigots spend more time knocking the other contenders down than arguing the strengths of their own OS. Some fanatics argue that their OS can be made more secure in the long run. When one is fighting a losing battle, shooting holes in the other side is often more effective than boasting of your own merits. In the war between Linux and its rivals, Linux is in a position to stand on its own positive features, and it does so well.

Nothing to Hide

A longtime trendsetter in the Open Source movement, Linux continues to bare all to friends and foes alike. Every day thousands of hobbyists and developers fiddle with every part of the operating system, finding new ways to improve on it. Some of this results in small fixes to make parts of the system more efficient. Others streamline the code while adding new features that allow more flexibility, while some fix bugs left by predecessors in a day where security was barely an issue. The key here is that anyone who has the whim or desire to scrutinize or improve the current code base can do just that. By offering the full source code to every piece of the operating system, Linux developers around the world are putting their work on trial. With thousands of critical eyes, it stands to reason that any such bugs will be ferreted out in no time.

On the other hand, closed source operating systems hide their foundation from the world, relying on security via obscurity to prevent vulnerabilities from being discovered and exploited. These closed source systems appear to be developed by companies more concerned with profit margins than secure and stable operating platforms. These operating systems tend to be written by programmers with the primary goal of making a sizeable salary, rather than the herds of developers working on open source operating systems for the love of the work.

With open source operating systems, the time required to find and isolate a bug is decreased tenfold. Large corporations must rely on laborious internal testing to find and fix bugs, while a qualified Linux enthusiast can take minutes to verify a bug in the source tree. The same programmer can often develop a fix for the bug and share it with the world in hours. The sheer power to effect change and provide improved components of an operating system is something unknown to widely deployed commercial operating systems. This advantage will continue to make open source free operating systems a thing of power and control. The most effective part of this process can be seen when developers and enthusiasts all over the world collaborate on the best way to fix a problem. This is seen on the full-disclosure security mailing list Bugtraq.

The Right Tool to do the Job

More important than choosing the right tool for the job is having all of the tools required to do the job correctly. Perhaps one of the most potent and overlooked strengths of Linux and other open source operating systems is the amazing number of tools available to do virtually any job required. With many tasks in the computer or network world, it is accepted that you have one (sometimes two) tools to do a specific job. You learn those tools and you learn to like them because there is no alternative. The world of Linux is one of choices. Perhaps the most self-empowering attribute of open source platforms is that anyone can develop their own tool as an alternative to the rest.

This can be illustrated quite easily by having any skeptic subscribe to the daily Freshmeat newsletter. Once a day Freshmeat mails out a summary of new or updated tools submitted to its site. Each piece of mail lists the title of the tool, where to find it on the net, a brief description of its features, as well as the reason a new version was released. In many cases they also announce the release of new tools and provide the basic details. On a typical day, this mail will contain a list of some 20 – 60 tools that have been released or updated. The beautiful part? Almost all of them are free.

Looking at the Freshmeat mail for January 26th, I learn of four new security software package events. The first is a low urgency upgrade to the Fwctl program, which helps users configure a tight firewall. Next is an updated version of a popular vulnerability scanner called SAINT that is a highly evolved version of its predecessor SATAN. Third in the security category is a new package called Tripwall which is designed to give an alternative to a better known Tripwire package that some feel has become too commercial. Last is a small upgrade to the Linux Intrusion Detection System (LIDS) package. All of these commercial grade tools in a single day, and all of them free of charge.

The availability of hundreds of security tools better equips every Linux user in the fight to maintain a secure system. By offering many choices for each type of tool, it lets administrators perform their work efficiently and effectively, without the headache of inadequate software. We all know how much one enjoys a job working with inferior or cumbersome tools!

Winning the Race

The race between system intruders and security personnel is never-ending. Each struggles to find previously undiscovered bugs with the release of each new version of operating systems. Intruders use these newfound bugs to break into a number of systems in hopes that administrators are unaware of the holes. Security personnel attempt to find them and patch them before the intruders have a chance to exploit thousands of vulnerable hosts running critical business functions. Because of the importance of maintaining a secure platform, many open source developers have recognized the need for proactive auditing. Rather than wait for computer response teams to report a new bug being exploited, the developers closely scrutinize their work with security in mind.

Two flavors of Linux stand out in the fight to maintain the most secure platform possible. Both the RedHat and the Independence distributions of Linux have made significant proactive efforts to improve their out-of-box security. In singling these two distributions out, I do not imply that other flavors of Linux are in any way negligent, only that these two appear to be setting trends in the Linux community.

Over a year ago, the RedHat team determined that security was an important aspect of the operating system and deserved more attention. With that in mind, they set out to audit significant portions of the source code looking for any part that might be exploited by intruders. In their search for bugs and vulnerabilities, they were able to proactively find and fix several problems that could have posed serious risk to RedHat users. After fixing each bug, they turned to the security community and shared their findings. This gave every developer a chance to see the value of doing source code auditing, and helped point out dozens of other bugs and vulnerabilities in other operating systems.

Another relatively new distribution has taken an interest in improving system security by tightening file and directory permissions. Unix descends from a spirit of sharing resources and information dating back to the 70’s, when security almost hindered daily operations too much. It was a time when one administrator would quietly sneak into a system to fix a bug that was preventing his system from sending mail to a recipient, and just as quietly sneak back out without a word. Because of the loose permissions on files and directories, this was possible and encouraged users to fix their own problems. In today’s world, that ability to fix your own problems also translates into the ability of an attacker to gain additional access and compromise the integrity of a network.

	"Expecting a new user to have to handle the security of a Linux server is
	 preposterous, not only does it take years of experience in the field, but
	 it also takes the time to keep up to date with the latest problems. If
	 users are expected to do this, then Linux's progress will be limited."
					- Independence Linux

Developers of Independence Linux see that as a point of concern. In response, they have been working on a new permission scheme that does not break any functionality of the system, yet improves the security posture significantly. By making hundreds of small permission changes around the system, the distribution caters to those individuals seeking security and privacy. Like RedHat, the Independence project also maintains a security page outlining the bugs and vulnerabilities they have found.

Another evolving effort dramatically increasing security awareness in the Linux community is the Bastille Linux project. Building on the existing security of the RedHat distribution, the Bastille Linux project aims to create a utility that will automate the security hardening process. This is done to help new users of the RedHat system who may not be familiar with all of the security issues at hand. Like all efforts in security, the need for functionality must be kept in mind and this tool aims to do just that.

Setting a Standard

With more and more companies adopting open source platforms for important business applications and mission critical activity, they are setting a standard and acknowledging the inherent benefits. Some companies have adopted the open source movement so much that they now have personnel that routinely review security discussion forums like Bugtraq, as well as the security pages of the distributions they favor. This adoption signals a turning point in the faith placed in security via obscurity. Many companies are no longer willing to risk their vital business to operating systems with a track record of bugs and slow fixes. The speed and efficiency with which Linux distributions dispatch updated components is favorable to organizations that would rather not risk break-ins for months at a time while their closed source vendors take months to deliver a fix.

Poetry #42: another bump

[This was originally published in F.U.C.K. poetry Issue #42. The publish date is approximate.]

eyes blind to the sun
i feel my faithless soul
pour forth from fingertips

if not the need to feel
flight from pain would be king
seven elements of strife i dare not define
a worthy partner may bring three
more lends to reconsider
crown of pain that blinds
unfeeling sympathy turned inward
familiar numbness quicker to take
drag back the solitude as it slithers away
reconstruct the shell few could break
her forgiven, myself reduced to shame
and with the passing wind
another bump in life, forgotten but felt

#579: Rest In Peace

[F.U.C.K. is an e-zine that I started on January 24, 1993 and ended on January 24, 2000. One concept is that articles should be timeless if possible, so they were not released with dates. This was the only file released with a date.]

They say that all good things must come to an end. If they were truly good, I doubt they would end.

To many, this file should not come as any surprise. With the last year came very few releases for the zine. Many say the quality of them had gone down as well, but that is a matter of personal taste.

I am well aware of the arguments for keeping the zine alive. It takes no effort to just leave it on the back burner and not kill it off. While true, I think it does a disservice to our readers. It gives them the illusion that it will one day come back and be an active publication. Mind you, based on submissions it easily could be. However, on the part of those running it, the inflow of new articles is still not enough to keep the interest.

I have been thinking for the past week or so on how to end this zine. A journal of sorts that has lasted most of my adult life. Seven years in the making. A sounding board to dozens of people who felt it was the best voice to carry their thoughts and feelings. The zine was being read worldwide before the first issue was posted to an Internet FTP site. Having that kind of readership at the time was a phenomenal tool to the handful of writers.

Rather than end this with a long rant, I think it more appropriate to end it on a short note. From here on out, F.U.C.K. is dead. While not impossible, it is quite improbable that it will be brought back to life. New rants and articles can be found on my new hobby, Attrition (www.attrition.org).

After this file is posted to the FUCK mail list (fuck@attrition.org), I will open the list for unmoderated discussion. That will leave the would-be writers a forum to share their ideas. I also encourage the writers who submitted files that were not published to resubmit them to other zines. Just because I didn’t get around to your file doesn’t mean it wasn’t worth reading. Further, FUCK Poetry Venture will continue on. Submissions to jericho@attrition.org, subscribe to the list by mailing majordomo@attrition.org with ‘subscribe fuckpoem’ in the body of the message.

It’s been a fun ride.

aka Jericho

Jan 24, 1993 – Jan 24, 2000

Poetry: forsaken

[This was originally published on attrition.org. The exact publication date is not known. This was written between 1998 – 1999.]

        forsaken, lest my gods roam
        todays scorn mixed with yesteryear shame

        igh nah sergaht
           nith ra tu ze dah'
              - and my shame runs deep

        lonely tear flees from mine eye
        crashes down onto a denim knee
        finally caught in my only lie
        blind reading of a history i didn't see

        muinq'elare' de solarith
           se' pah sempre ilrah
              - for guilt is a ruling passion

        eighty two decades in one stay
        long nights in an otherwise short life
        a world rapidly on the downward spiral
        another last chance to right my wrong

        az de larr telorono 'cha
           min ara'stuhl to endenare'
              - to kill the sadness

        one trespass into restricted thinking
        to flesh out the pain we feel
        the solitude we want, we demand
        irony splashes off our reality again

        with pain
        one is undone
        and attrition is my name