[Novalug] linux update security?
Nick Danger
nick at hackermonkey.com
Mon Jan 14 09:33:59 EST 2008
A long thought out response
Anthony Soucek wrote:
> Okay, I come from the world of windows, but here's me asking how linux
> can be so secure? It almost appears that it is considered more
> secure only due to the fact that hackers don't want to bother with the
> 5% of computers in the world running linux ( I heard ms has 75% of pcs
> probably an estimate, and some have to be Mac and BSD etc).
You make two points here, one is the percentage of machines running
Linux, the second is that hackers won't bother with a low percentage. I
really can't tell you the percentage of machines running Linux on the
internet, but your numbers will vary widely depending on what sub group
you focus on. Email servers? Lots. Web servers? Lots. Servers running
Exchange? None :-)
The second point about being a less attractive target, well now you get
into hacker/bad guy mentality and I just don't think it's that easy.
There was a painting stolen from a Brazilian museum just recently. They
stole some Picassos. There is a pretty low percentage of art museums in
the world, and an even lower percentage of Picasso paintings. I do
believe that the harder it is to break into, a criminal will most likely
pick an easier target, but I don't believe that you can simply
discourage everyone from a hack attempt because of your choice of OS.
Sure most criminals will go after the low hanging fruit, but you can't
tell me that most of the major credit card number database thefts were
run on XP machines...
> I heard
> that someone recently put a backdoor in the source for squirrel mail
> at least at the redistribution level. I know you can check the md5
> checksums of your updates to guarantee that they are the same as the
> original but I have also heard that two different files can produce
> the same hash result, so a hacker can tweak run the md5 hash until
> they find a variant that produces the same md5, even though the
> content is different.
True, someone did hack into SquirrelMail. I don't run it so I don't have
links, someone else can post. Yes, MD5 checksums are not the most secure
things in the world. And yes, it is theoretically possible for two files
to have the same checksum. (see: http://en.wikipedia.org/wiki/MD5) But
think about this for a minute, you are taking a stream of input (the
file) and generating a checksum, then trying to create an entirely
different file, to generate the same checksum using a different stream
that contains SPECIFIC data. That is, you aren't just generating random
text to make a duplicate MD5, you want the original source + your hack
to generate the same checksum. Not a trivial task. Which if you believe
your first thing about going after low percentages, this is not a very
attractive target for ease of exploit ;-) There are several other
checksum programs out there, and I think soon you'll start seeing the
others more frequently. Many of the sites I download from feature two or
three different hashes (MD5, SHA) to further limit the chances of a
trojan making its way in.
> Also, What about firewalls? I know that mostly
> services are off unless you turn them on in linux, but I am not so
> sure that is as true for non technical user distros like Ubuntu? I
> know you can manually create a firewall with IP chains or something,
> but if you're running Ubuntu or Linspire, that is probably beyond the
> average user's skill level.
IPChains? Either you tried linux a long time ago and were discouraged OR
you have more knowledge than you profess. IPChains was in kernel 2.2,
the newest kernels (2.4) use IPTables. There are very simple graphical
firewall programs for Linux that generate rulesets for you. Both Ubuntu
and Linspire come with a variety of them. I don't expect my
administrators to do IPtables rules by hand without checking the man
page (I frequently have to refer to it myself) so I would never expect a
new or casual user to do that. The graphic tools are very easy.
> And when you run updates, if you get them
> from the community and not the distro vendor, You will be prompted in
> Ubuntu that this update may not be safe because it's from an
> unauthorized source, so theoretically, a bad guy could write some
> small program, and then put out an update that changes it into
> malware.
If you are running something like RedHat Enterprise Linux, your updates
come from RedHat. Ubuntu updates come from various sources. You can
choose where/when to get your updates from. Yes, someone can infect an
update (just like the squirrelmail incident you mentioned earlier) and
it could spread. Depending on where you get your updates from, this is
more or less of an issue.
> is anybody else worried about this stuff? I am not trying
> to get anyone irked here, but I am interested to see if anyone can
> explain how these threats could be impossible or avoided. I realize
> linux is more secure than windows xp out of the box, (security by
> obscurity) but I can also see how open source is an invitation to
> trouble.
>
People worry about this stuff all the time. I'm sure I'm not the only
paranoid person on this list. No threat can be made impossible. The fact
that you are doing ANYTHING makes you vulnerable. And there is always
someone out there that wants what you have. This is more a social/human
issue, not really a technical issue. We can do our best to minimize it
(read any basic security manual) but we can never eliminate it.
"Invitation to trouble." Interesting choice of words. You can turn that
around with all kinds of philosophical debates like "Know thy enemy",
"learn from past mistakes", or one of my personal favorites, "Locks only
keep honest people honest." What does all that mean? Nothing really.
People have many many ways to reach the same goal, and in the end, the
goal you are reaching is a more secure OS. If security is your major
goal, there are choices you can make to give you a better secure
platform, but the cost is usually too high for most people.
Nick
"access all secret files now<cr>"
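Added example, not part of the original post: the message mentions download sites that publish two or three different hashes (MD5, SHA). The sketch below reads a file once and checks it against every published digest, accepting it only if all of them match. The file name, sample contents and function names are constructed for illustration; the listing format is the `<digest>  <filename>` layout written by `md5sum` and `sha256sum`.

```python
import hashlib
import hmac
import os
import tempfile

def parse_listing(text):
    """Parse md5sum/sha256sum-style lines: '<hex digest>  <filename>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # A leading '*' on the name marks binary mode in these listings.
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def verify(path, published, chunk=65536):
    """published maps algorithm name -> expected hex digest.
    Reads the file once, feeds every hash, returns {algorithm: matched}."""
    hashers = {alg: hashlib.new(alg) for alg in published}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: hmac.compare_digest(h.hexdigest(), published[alg].lower())
            for alg, h in hashers.items()}

def demo():
    # Constructed sample data: a stand-in "release" and the listings a site might publish.
    original = b"constructed release tarball contents\n"
    tampered = original + b"# extra line added by someone else\n"
    name = "example-1.0.tar.gz"  # hypothetical file name
    listings = {
        "md5": f"{hashlib.md5(original).hexdigest()}  {name}\n",
        "sha256": f"{hashlib.sha256(original).hexdigest()} *{name}\n",
    }
    published = {alg: parse_listing(txt)[name] for alg, txt in listings.items()}
    results = {}
    for label, data in (("original", original), ("tampered", tampered)):
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(data)
        try:
            results[label] = verify(tmp.name, published)
        finally:
            os.unlink(tmp.name)
    return results

if __name__ == "__main__":
    for label, res in demo().items():
        print(label, "ACCEPT" if all(res.values()) else "REJECT", res)
```

The digests are only as trustworthy as the place they were fetched from, so they should come from a different channel than the download itself.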