[linux-elitists] WashPost article (was Re: sobig.f: Microsoft Windows virus, not computer virus)

Don Marti dmarti@zgp.org
Mon Aug 25 10:46:42 PDT 2003


begin Karsten M. Self quotation of Sun, Aug 24, 2003 at 10:13:48PM +0100:

> Well, seeing as Microsoft have taken down the Internet three times this
> year, twice last week, I think it's about time for a Congressional
> investigation.

Certainly _not_ time for smug self-congratulation on our side.  (OK,
you can have five minutes of smug self-congratulation, then back
to work.)  There are plenty of Linux boxes that are not maintained
in a professional and secure manner, and a new exploit in commonly
used server software could erase all those PR gains.  Do you think
they'll call it a "computer" worm if it only affects a Free program?

Failing to draw lessons from this public experiment in insecure
software is like scientists observing that smoking is bad for mice,
and then just sticking their heads in the cage and taunting the mice.
"Ha, ha, rodents!  Squeak, squeak?  More like cough, cough!  Ha, ha!
Oh, hey, Dr. Koop, gimme a smoke, will ya?"

The big lesson here is that if you leave something unfixed, someone
will write a worm for it.  And that some people would rather leave
real security flaws unfixed than risk breaking something with the
update.  So if your role involves setting up systems for others
to administer (say, you're doing a distribution) you will improve
your reputation for security by making it inconvenient or noisy for
users not to check for and apply fixes.  And you should make your
update system really good so that people aren't afraid to use it.

Easily checked warning signs that a GNU/Linux box is at risk to be
compromised or spread a worm:

Mail for root is not aliased to a deliverable address, or mail for
root is piling up and hasn't been read in n days.

New versions of packages installed on the system have been available
from the configured package source for n days, but have not been
installed.

The package source is not configured.

The package source has not been checked for updates in n days.

A package that provides a network service is installed, but logs
show that the service is not being used.

The system clock is not in a trustworthy state.

I don't think it's unreasonable for a cron job to come along and
say, after appropriate warnings, "You're running daemons but we
haven't checked for updates in ten days, and nobody reads mail to
root on here, so I'm going to do an /etc/init.d/networking stop now.
If you care about this box you know where the console is."

-- 
Don Marti                Reform copyright law -- return abandoned works
http://zgp.org/~dmarti   to the public domain after 50 years:
dmarti@zgp.org           http://www.PetitionOnline.com/eldred/petition.html
KG6INA



More information about the linux-elitists mailing list