GNU/Linux Security: Ubuntu has been Cracked!

[Notice: If you do not like the title, read the article anyway. Otherwise, there is no point in sending me a comment as I will not post comments that state something like, "Your title suxxors! I refused to read your article after I read the first paragraph! You're just trying to boost traffic to your site! You're lame!!" Do you also go around judging books by their covers? :) ]

Okay, I admit I created that title just to get your attention. It worked: you're here. What is the reason for such a provocative title? Other than the obvious tabloid hook, I want to explore the future of GNU/Linux. You know, the time in the near future when "Once 'Linux' is (as|more) popular (as|than) 'Windows' it will start getting all those viruses too."

First off, the problem with that statement is that there is no single homogeneous 'Linux' (meaning GNU/Linux, of course) to be attacked in the way that there is a single 'Windows' to be attacked. There are several hundred distributions of GNU/Linux, all with differing release versions of software and underlying software libraries. The very heterogeneous nature of the GNU/Linux ecosystem makes creating a far-reaching automatic malware attack difficult, if not unlikely. While one may find a way to automatically attack the large user base of a single distribution, such as Ubuntu, the attack will not likely work across all, or even most, other GNU/Linux distributions because of the diverse versions of the software they include.

Calls from people without and within the FLOSS community to create a "single Linux" or to standardise all distributions are a danger to the security that is inherent in the healthy heterogeneity of GNU/Linux. No, I do not mean "security through obscurity", I mean security through diversity. Part of the problem with the Microsoft install base is that the Microsoft systems in use are all very similar. An automated attack that works on one of them will more than likely work on most of them. If a single GNU/Linux distribution ever holds 80% or more of the market then GNU/Linux will be less secure as a result. (See my correction for the previous sentence in comment #25.) In such a future a theoretical automated attack that could infect one GNU/Linux system would have far-reaching consequences, just as the malware that affects Microsoft systems has today.

We all know the weakest security link in a system is the user. I predict that social engineering attacks will be the most prevalent method of attempting to subvert GNU/Linux users. Even today a naive user running GNU/Linux could still be subverted with a phishing scam. However, since GNU/Linux has traditional Unix privilege separation, an automated attack that can take over the computer from an unprivileged user login becomes much more difficult. Under traditional Unix privilege separation a non-root ("root" equals "administrator"), unprivileged user cannot change the system files. Could one overcome this privilege separation? Perhaps on a single distribution one could, if one put enough time and effort into it at the time a security flaw that allows privilege escalation[1] is first discovered. But the odds of making such an attack work across the huge, diverse GNU/Linux ecosystem would be near zero. That is, as long as GNU/Linux remains a diverse ecosystem.

What about the users that do not ever update their systems? Yes, this will still be a problem under GNU/Linux in the future of its World Dominance. There will always be users that do not update their systems, either through apathy or ignorance. Any update that requires user intervention is unlikely to be installed by these users. Automated updates that are on by default can do much to overcome this problem. There are problems with automated updates too, though. In some cases an automated update may cause a system problem. For example, an update to the X windowing system that includes a new 3D driver may cause the GUI to stop working on some systems. Should a problem like this affect a huge user base it would be a PR disaster. So, turning on automated updates by default is not encouraged in most cases.
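One practical middle ground between "no updates" and "update everything", shown here as an added example that is not from the article: on Debian/Ubuntu, enable unattended upgrades only for the distribution's security origin and blacklist the packages whose upgrades are most likely to take the desktop down (the X server and its drivers, per the scenario above). Assumed here: the apt.conf.d drop-in file names, the `xserver-xorg` and `nvidia-` package-name patterns used in the blacklist, and the second function, a hypothetical check that a deployed policy is still security-only.

```shell
#!/bin/sh
# Added example (not the article's code): write a security-only
# unattended-upgrades policy, then verify a deployed policy is still
# security-only. The target directory is a parameter so it can be
# exercised in a scratch directory before touching /etc/apt/apt.conf.d.
set -eu

# Write APT's periodic settings and the unattended-upgrades policy.
# $1 = target directory (defaults to /etc/apt/apt.conf.d)
write_unattended_policy() {
    dir="${1:-/etc/apt/apt.conf.d}"
    # 20auto-upgrades: refresh package lists and run unattended-upgrade daily.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # 50unattended-upgrades: only the -security origin (never the whole
    # -updates pocket) plus a blacklist of package-name patterns whose
    # upgrades can break the GUI. Patterns are assumed examples.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Package-Blacklist {
    "xserver-xorg";
    "nvidia-";
};
// Never reboot a user's desktop without asking.
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Hypothetical audit helper: returns 0 when every entry in the
# Allowed-Origins block of $1/50unattended-upgrades is a -security
# origin, 1 when the file is missing, empty, or pulls other pockets.
is_security_only() {
    dir="${1:-/etc/apt/apt.conf.d}"
    f="$dir/50unattended-upgrades"
    [ -f "$f" ] || return 1
    # Quoted lines between the Allowed-Origins header and its closing '};'
    origins=$(sed -n '/Allowed-Origins/,/^};/p' "$f" | grep '"' || true)
    [ -n "$origins" ] || return 1
    # Any origin line that is not a -security line fails the check.
    printf '%s\n' "$origins" | grep -vq -- '-security";' && return 1
    return 0
}
```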

What is the answer to the apathetic user problem? I do not have it. Some people just do not care about the security processes they need to know to be secure. There is no way to make them care unless they actually end up with a malware infection. Of course at that point these people are more likely to blame the operating system or the malware authors than themselves.

We can address the ignorant user problem though. Just because a user is ignorant does not mean the user is "stupid". Almost all users that fall in the ignorant category can be taught to protect themselves if they have an opportunity to learn good security processes and know they need to learn them. A local Linux User Group (LUG) can be an excellent source of training for our world full of future GNU/Linux users. If you do not have a LUG near you, then start one. Once you have, or discover, a local LUG then occasionally offer a Security Process Training Day through your LUG that covers the basics of what users need to know to keep their GNU/Linux systems secure and happy. Then encourage everyone you know that uses GNU/Linux near you to attend. You may even be able to get "free" advertising through local media outlets for a non-profit LUG.

The Bottom Line: We in the GNU/Linux community need to be proactive with our family, friends and neighbours that decide to use a GNU/Linux distribution. Since most of us already know and practice good security processes we can pass along our knowledge to the new user that may be ignorant but is willing to learn. For any user we run across that is apathetic about security we can encourage them to stick with Microsoft. After all, the apathetic users are already a drag on the Microsoft user base, let's not encourage them to bring their problems to our platform. Am I blaming these users? Yes, I am in the case of apathy. Sometimes the blame falls squarely in the lap of the user. Apathy about security is one of those "sometimes".

[1] Privilege escalation attacks take advantage of a flaw in a system level service that may be running with higher level privilege than a regular user. Exploiting the flaw gives the attacker a higher level of access which may allow compromising the operating system itself. These types of flaws can be found in any operating system at any time. GNU/Linux is no exception.

Read the next article in this series: GNU/Linux Security: Linux House vs Microsoft House

Edit Tue Oct 20 13:01:16 CDT 2009: Change "blatant deception" to "provocative title" in the first paragraph. I think some folks are imploding after seeing the words "blatant deception". :)

28 comments to GNU/Linux Security: Ubuntu has been Cracked!

  • To those of you who sent me a nasty comment about the tabloid title and then claimed to not have read the article as a result: your angst over this is … interesting. Grow up. :)

  • Another point or three I should have covered.

    Microsoft’s original flawed design for “Windows” has lowered the bar significantly for attacks on Microsoft’s operating systems. The single user, non-networked model from which all modern “Windows” derive was and is insecure. The attempts to bolt-on multi-user functionality and network functionality without rewriting the base code is what has made Microsoft’s systems so virus friendly. The ease of creating malware for Microsoft’s products is therefore the main reason Microsoft’s systems are so often attacked.

    However, just because it is incredibly more difficult to create malware for Unix-like operating systems does not mean it is totally impossible. There is always a window of opportunity to take advantage of some flaw in a system service like CUPS to propagate a worm. This is where good security practices and keeping system level software patched is still a good idea even if one is running GNU/Linux.

    It is disingenuous for those of us in the GNU/Linux community to scoff at the idea that a wide user base is part of the reason for malware attacks. That is absolutely part of why criminals go after the Microsoft user base. There is some profit in malware that steals information from a large user base. Otherwise, why do it? Once GNU/Linux does have a more noticeable desktop install footprint the criminals will look into how it can be cracked. To state otherwise is to be naive.

    The difficulty of actually writing successful malware for GNU/Linux is why I predict in the article, “I predict that social engineering attacks will be the most prevalent method of attempting to subvert GNU/Linux users.” After all, there will still be gullible humans using GNU/Linux once it takes over the world. ;)

  • [...] to keep on top of technology. I recently came across this sensationally titled article “GNU/Linux Security: Ubuntu has been Cracked!“. You were drawn in by a sensational headline only to be suckered into reading an article [...]

  • Everyone, I realize I misstated my case here, “If there ever becomes a single GNU/Linux that contains 80% or more of the market then GNU/Linux will be less secure as a result.” What I mean is there will be a more concerted effort by criminals to find flaws to be attacked. While this means there will be more people looking for ways in, I misspoke when I said that GNU/Linux would be less secure. The popularity of an operating system has no impact on its actual security. My stating otherwise in that sentence was a mistake.

    The next article in this series addresses that mistake. You can find the URL for that at the bottom of this article above the comments.

  • Caes

    If there is ever any major outbreak of hacks on Linux systems, Ubuntu and gang may be the major reason, not because of its popularity but because of

    root = sudo normal_user

    There is no need for privilege escalation in distros that default to SUDO.

    SUDO should be for selected tasks and not ALL tasks.

    It does not educate but instead chooses the easy way out, choosing to “enhance user experience” and “ease of use” over security.

    Sad!

  • Gene, instead of saying you “misspoke”(comment 25) which sounds like a well-known politician, I recommend using Shuttleworth’s term “thinko”. It deserves wider adoption.