As a professional Unix systems administrator, I'm concerned about system security. Keeping unauthorized users off my systems is simply part of my job; doing this requires vigilance in the form of monitoring performance, reading logs, and keeping patches up-to-date. For me, security is about security; it's about keeping my users' projects safe and keeping them comfortable despite a full-time connection to the Internet.
As Lead Coordinator of the Bastille Linux Project, a hardening script for Red Hat Linux, I thought my job was to make Linux more secure so beginning users could easily keep their boxes secure. Often, new Linux users have no experience as system administrators, or even any experience with Unix. I thought the best way to tackle the problem was to make it easy to do the right thing.
Recently, I've been asked lots of questions about Linux system security by reporters. Often, I'm put on the defensive right away: Does Linux have a security problem? Why is Linux less secure than other operating systems? Is open-source software inherently less secure than commercial systems?
I usually begin by explaining that more holes are reported in open-source software before they're exploited, and that the number of actually-exploited holes is no greater -- perhaps even less -- than in commercial software. I explain that one reason there are so many break-ins into Linux systems is that there are so many Linux systems on the Internet, and I explain that Linux can be as secure as any other operating system.
But Linux does have a security problem. It's not a universal problem, but look at the following list of security Web sites, mailing lists, and update tools for some common Linux distributions:
These are all mainstream Linux distributions, tending towards a general audience; at the least, they're not aiming at the router market or the embedded devices market. These are all products intended to be used by normal people and thrown up on a corporate network or even the Internet. Some may be aimed at relatively expert users, but I'm a fairly advanced user myself, and I still expect that my software distributor is watching out for security at least minimally. That's one of the reasons I don't roll my own distribution.
Of the eight common distributions I could think of, three have nothing whatsoever to do with security, and at least one of the others didn't seem to be doing anything useful. No wonder Linux has a security problem: while those four distributions have probably less than a quarter of the Linux market, they tend to be high-profile distributions which garner more than their share of media coverage.
These distributions aren't just putting their users at risk; they're damaging Linux's credibility and its image in the marketplace. Every time I'm asked by a reporter why Linux is so insecure, I have to consider Caldera, Corel, Turbo Linux, and Slackware before I can answer. These distributions' total lack of concern with security is an embarrassment to the entire Linux and Open-Source communities.
Because of these distributions, I'm forced to admit to reporters that many Linux installations are insecure, and there's little the average user can do about it without dedicating an inordinate amount of time to security work. Most users aren't paid to worry about security, as I am. For many, computing may be only a small part of their work. These people can't rightly be asked to read Bugtraq; they've got work to do.
If only systems were kept up to patch, huge numbers of systems wouldn't be cracked. On the university campus where I work, systems have been exploited using the automount daemon bug which is more than a year old, and which has been patched nearly that long. Being a professional, I know that they shouldn't even be running it, because I know that they're not using it. But I can't expect them to know, and I can't even fix it myself: I didn't know that some of these machines existed until I found out that they'd been hacked. Asking these users to read a single, low-volume, vendor-specific mailing list is a pretty good solution -- when those lists exist.
Experienced users should abandon Linux distributions which don't provide security fixes in a timely manner and post that information to a Web site, a mailing list, or both. They should abandon these distributions not because they necessarily need the security notices for themselves, but because these distributions are ruining Linux's image not only with novice users, but with the reporters and editors who shape managers' opinions on whether Linux is a viable solution.
You may claim that you're a hobbyist, and you couldn't care less if businesses use Linux; that's your right, certainly. However, you lose nothing when businesses use Linux, you lose nothing when security updates are made available and publicized, and you gain nothing when businesses reject Linux because some vendor couldn't be bothered to package up an already publicly-available solution to a security hole.
The rest of us do lose. It hurts our professional reputations when we stand behind a piece of software with frequent and highly-publicized security lapses. It wastes our time, tracking down hacked user machines for which we're not responsible and rebuilding them from the ground up. It wastes our money, when businesses and government agencies buy more expensive hardware and software for the illusion of security.
Solving this problem isn't difficult or time consuming; simply pick distributions which express a basic level of concern for security issues, and let vendors know -- at trade shows, in e-mail, in letters to the editor of your favorite publication -- that security isn't just about security. It's about preserving our reputation for quality, and it's about saving time and money.
Jon Lasser is a Unix Systems Administrator, Lead Coordinator for the Bastille Linux Project, and author of a forthcoming Unix book from Macmillan tentatively titled Think Unix. He's never bothered to take a computer course, except a single Pascal class in high school. He lives in Baltimore with his wife Kathleen, and their three cats: Mallet, Dashigara, and Spike. If for some reason you want to know more, check out his home page.