Date: Tue, 3 Nov 1998 11:18:03 -0800
From: Security Watch <Security_Watch@infoworld.com>
To: Security Watch <Security_Watch@infoworld.com>
Subject: Re: various complaints about Linux security in InfoWorld

Dear Readers:

We appreciate your overwhelming concerns about our recent comments regarding Linux security. We too have been known to be passionate about a product we believe to be superior. In light of your passionate responses, we'd like to respond and better explain our comments regarding the Queso article and our mention of Linux.

For starters, it should be known that we believe Linux to be a *great* operating system. In fact, I remember voting for it two years in a row as "Product of the Year" while working for the InfoWorld Test Center. I have run RedHat religiously since 4.2 and use it at home and at work, and I often recommend it as a desktop and server OS.

General comments about Linux security:

1) Linux has had more than its share of security problems. One need only search security archives like Fyodor's Playhouse (http://www.insecure.org/sploits.html), Technotronic (http://www.technotronic.com), Rootshell (http://www.rootshell.com), or Bugtraq (http://www.geek-girl.com) to see Linux exploits surpassing any other operating system. For example, Technotronic shows Linux having the biggest selection of exploits with 91, and Fyodor's shows Linux with 100 - the worst of any OS. Rootshell lists 102 for Linux; the second worst is Solaris with 64.

2) We consider the number of setUID files, setGID files, world-writable files, default users, and default services installed on a "stock" box to be a good indicator of its security profile. Throughout the years, Linux (at least RedHat) has been found in the labs to be one of the worst in these areas. For example, my stock installation of RedHat 5.1 has 1242 world-writable files; OpenBSD has 142.
3) Security tests (in the lab) of "out-of-the-box" installations of Intel-based Unix operating systems (SCO, Solaris x86, OpenLinux, RedHat, and BSDI) using Internet Scanner by ISS have traditionally shown RedHat to have the largest number of security vulnerabilities.

4) Discussions with many in the field confirm our belief (right or wrong) that Linux is not considered the most secure OS. Many security professionals that I work with simply don't install Linux on systems that are made publicly available. Of course any box can be tightened down, but the risk of "default" installations is what you care about as a security professional, and Linux hasn't traditionally come out on top in this category.

Specific responses to a few reader comments:

[Readers] - "If you're an anxious security manager hesitant to deploy a Linux system for fear of its gaping security problems, two recently released Unix programs will give you a reason" is unfair, unfounded, and our attempt to instill fear, uncertainty, and doubt (FUD) in the community.

[InfoWorld] - On the contrary, we were trying to make the statement that despite some insecurity about Linux, you SHOULD deploy a Linux system in your enterprise. Our previous columns should back us up on this: "...if you're serious about your security and looking for the holes that crackers will find, then take the time to install a Linux box and use nmap." (see http://www.infoworld.com/cgi-bin/displayNew.pl?/security/980706sw.htm).

[Readers] - "Please explain to me how the fact that certain TCP/IP stacks are identifiable remotely makes this a Linux-specific problem?"

[InfoWorld] - OF COURSE IT DOESN'T! And we cannot find where we stated or implied this in the column. The inclusion of Linux in the article was meant to instill the positive use of Linux in the enterprise for security-related assessment. If you look at our other columns this should become clear.
[Readers] - "I would argue that the 'security problems' you see on Linux are due to its status as a peer-reviewed, open source OS versus a proprietary OS such as Win95 or NT."

[InfoWorld] - Other "open" code review operating systems like OpenBSD (http://www.openbsd.org/security.html) do an excellent job with security. Many security professionals we know believe, as we do, that the OpenBSD group and Theo de Raadt have made OpenBSD one of the most secure Unix variants in existence. Their open code review process is taken to another level. For anyone to make claims about Linux being a "secure OS" is simply spitting in the winds of history - securing an OS is a never-ending process, and there are more mature Unix variants that can lay much stronger claims to that achievement.

On reflection, perhaps the word "gaping" could have been tempered or re-worded, because we know of no current Linux-specific security holes that remain vulnerable. But the comment was meant to be a general one reflecting on the perception in the market rather than a statement about its security (although maybe our personal beliefs came through here). Believe it or not, the comment about Linux was meant to motivate folks to deploy Linux boxes in their environment, if nothing else to provide a mechanism to use Queso and Nmap TCP fingerprinting internally. Unfortunately, many of you felt this message did not come across.

Stu and Joel
Security Watch
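Point 2 of the message above treats the counts of setUID files, setGID files, world-writable files, login accounts and enabled services on a stock install as a security profile. The script below is an added example of how a practitioner would collect those indicators on a Unix box; it is not InfoWorld's script and not taken from the article. The helper functions wrap `find`, `awk` and `grep`, and the sample tree that `build_sample_tree` creates (three setuid binaries, one setgid binary, two world-writable files, a three-line passwd file and a two-service inetd.conf) is constructed here purely so the functions can be exercised offline; on a real system you would point them at `/`, `/etc/passwd` and `/etc/inetd.conf` instead.

```shell
#!/bin/sh
# Added example: measure the "stock install" indicators from point 2
# (setUID, setGID, world-writable files, login users, enabled services).
# Not InfoWorld's code; the sample tree below is constructed for the demo.

# count_setuid ROOT -> regular files under ROOT with the setuid bit set.
# -xdev keeps the walk on one filesystem so /proc and NFS mounts are skipped.
count_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# count_setgid ROOT -> regular files under ROOT with the setgid bit set.
count_setgid() {
    find "$1" -xdev -type f -perm -2000 2>/dev/null | wc -l | tr -d ' '
}

# count_world_writable ROOT -> regular files anyone can modify.
# Directories are deliberately excluded: a sticky /tmp is world-writable
# by design and would inflate the number without indicating a weakness.
count_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# count_login_users PASSWD_FILE -> accounts whose shell is not a
# nologin/false lockout, i.e. accounts that can actually be logged into.
count_login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { n++ } END { print n + 0 }' "$1"
}

# count_enabled_services INETD_CONF -> service lines that are neither
# commented out nor blank, i.e. daemons inetd will start on demand.
count_enabled_services() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# audit_report ROOT PASSWD_FILE INETD_CONF -> one "indicator=value" line each.
audit_report() {
    printf 'setuid_files=%s\n'       "$(count_setuid "$1")"
    printf 'setgid_files=%s\n'       "$(count_setgid "$1")"
    printf 'world_writable=%s\n'     "$(count_world_writable "$1")"
    printf 'login_users=%s\n'        "$(count_login_users "$2")"
    printf 'enabled_services=%s\n'   "$(count_enabled_services "$3")"
}

# build_sample_tree DIR: constructed fixture (NOT a real install) with
# known permission bits so the counters can be checked without root.
build_sample_tree() {
    dir="$1"
    mkdir -p "$dir/bin" "$dir/tmp" "$dir/etc"
    for f in su passwd ping; do
        : > "$dir/bin/$f"; chmod 4755 "$dir/bin/$f"      # setuid
    done
    : > "$dir/bin/wall"; chmod 2755 "$dir/bin/wall"      # setgid
    for f in a b; do
        : > "$dir/tmp/$f"; chmod 0666 "$dir/tmp/$f"      # world-writable
    done
    printf 'root:x:0:0:root:/root:/bin/sh\n'            >  "$dir/etc/passwd"
    printf 'bin:x:1:1:bin:/bin:/sbin/nologin\n'          >> "$dir/etc/passwd"
    printf 'news:x:9:13:news:/var/spool/news:/bin/sh\n'  >> "$dir/etc/passwd"
    printf '# constructed inetd.conf\n'                               >  "$dir/etc/inetd.conf"
    printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n'      >> "$dir/etc/inetd.conf"
    printf 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' >> "$dir/etc/inetd.conf"
    printf '#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd\n\n' >> "$dir/etc/inetd.conf"
}

# Stand-alone run: build the fixture, report on it, clean up.
# For a live box: audit_report / /etc/passwd /etc/inetd.conf
if [ "${DEMO_RUN:-1}" = 1 ] && [ -z "${AUDIT_LIB_ONLY:-}" ]; then
    sample=$(mktemp -d)
    build_sample_tree "$sample"
    audit_report "$sample" "$sample/etc/passwd" "$sample/etc/inetd.conf"
    rm -rf "$sample"
fi
```

Run against two stock installs side by side (the message compares RedHat 5.1 and OpenBSD) and the numbers become a first-pass attack-surface comparison; each setuid binary and each enabled inetd service is a program an unauthenticated or unprivileged user can drive, so the lower the counts the less a default box exposes before any hardening.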