A handful of recent online attacks on free and open-source software servers has open-source developers looking over their shoulders.
The thing all of these attacks boil down to is that Open-Source sites have just got lazy in their efforts to provide security to their servers. I don’t know what the reason is:
– Maybe they feel *nix is so secure that they don’t have to do anything extra to make sure that, that is actually true.
– Maybe with all the Microsoft bashing and security holes out there they feel nobody is gunning for them, and they just don’t bother.
– Maybe they feel all the developers of these exploits are Microsoft haters and would never attack an Open-Source-Community site.
I see this as a bad trend, because if these sites are getting attacked and hacked into, I don’t even want to think about the huge hosting companies that have half-incompetent tech staff setting up servers every day.
It would be a good thing for the people who maintain these servers to start using things like SELinux to help prevent this sort of thing from happening again. As soon as FreeBSD 5.x becomes a production environment, I’d hope that the FreeBSD folks would use it as well.
Linux is just very relaxed about security, that’s all. Not anal enough. They should put more effort into making the kernel more secure instead of adding features all the time.
We don’t want to end up with yet another Microsoft which ten years from now declares that it will start thinking about security…
“The reason all the latest break-ins have been quickly noticed is that the master sites tend to be private and…various checks trigger”
What about all the not-latest break-ins?
Interesting to see comments that OSS developers are lazy and don’t care enough about security. From my perspective, all of these attacks were caught almost immediately, did no real damage, and were honestly and extensively investigated and reported on by the community.
That is remarkable to me, and I know nothing like that is common from the closed-source community. Read Gentoo’s weekly letter; almost the entire thing covers what happened fairly in-depth, and directly from the developers.
I am sure if Microsoft’s servers were hacked we would first hear from a third-party source that had vague leaked information regarding it. Then soon after, an equally vague announcement from Microsoft saying everything was okay.
“Companies that want to have a high assurance that an attack hasn’t resulted in a security weakness will have to audit the code themselves”
Amusing. For some reason a company that ensures that it is in no way, shape or form liable for any losses incurred and in no way guarantees the correctness of code is more trustable than a community that does the same.
I want some of what they’re taking.
“The thing all of these attacks boils down to is that, Open-Source sites have just got lazy in their efforts to provide security to their servers. I don’t know what the reason is:”
Lazy?
The debian attack started through a compromised password; I believe from a developer’s compromised box. Sure, the developer should’ve avoided being compromised (however that happened…). -Then-, that password was used to get into some debian servers, and an -unknown- root exploit was used to get root. The binary with the exploit was encrypted (with burneye); it was then reverse-engineered, to find out that a normal bug-fix (a bug which had been fixed, in a routine way, a few months before) had closed a security hole unwittingly. Closing the security hole was good, but the lack of awareness about the security implications meant that older kernels hadn’t been backpatched with it, as it appeared to be a very minor bug.
The Gentoo server was compromised with a remote hole that impacted rsync servers. It was _also_ unknown (and technically, you shouldn’t be so quick to penalize unix admins on this one; it’s not been made public, last I checked, what OS it was actually running. It was a 3rd-party rsync server, not one that gentoo owned or controlled; it was sponsored.)
This was extensively analyzed, and a fixed version of rsync was available in about 36 -hours-.
“- Maybe they feel *nix is so secure that they don’t have to do anything extra to make sure that, that is actually true.”
Considering the lengths that they went to to figure out what happened, and the availability of a new version of rsync in less than two days, as well as quick backports of the brk() fix, they were -definitely- doing a lot of extra stuff. Reversing encrypted executables is -not easy-.
“- Maybe with all the Microsoft bashing and security holes out there they feel nobody is gunning for them, and they just don’t bother.”
See above…
Unix servers do get frequently attacked. There are also quite a few tools to audit, log, analyze, etc. attacks against unix-like systems. Some developers of debian, gentoo, and other distributions put in exceptionally rapid effort to figure out what happened and fix it.
Microsoft bashing has -nothing- to do with this; I fail to see why you put it in. The “linux has no holes” idea is something which I personally have only seen said by those who want to attack linux, as a ‘quote’ from users. Microsoft products have security holes, often major ones. That has no impact on the security of unix, really, so let’s both drop it for this discussion.
“- Maybe they feel all the developers of these exploits are Microsoft haters and would never attack an Open-Source-Community site.”
Or not… have you ever read things which black-hats have posted? They’re not a community of Microsoft-haters.
Microsoft-haters usually can’t be bothered with Windows, whether to use or exploit it, unless forced.
“I see this as a bad trend, because if these sites are getting attacked and hacked into, I don’t even want to think about the huge hosting companies that have half-incomident tech staff setting up servers every day.”
Many sites can be cracked. Fortunately, unknown exploits are fairly rarely used, as compared to known ones; keeping your system up to date, as the admins of all the servers I have mentioned did, is decent protection, but not perfect. It’s an often quoted truism that the only uncrackable computer is off, buried in concrete, surrounded by guards…
Could they have had even tighter systems? Possibly, but they were not by any means lax.
There was no laziness whatsoever evident.
“Linux is just very relaxed about security, that’s all. Not anal enough. They should put more effort into making the kernel more secure instead of adding features all the time.”
Heard of SELinux? GRSecurity? Openwall? Systrace? In userspace, the gcc patch propolice?
Linux is -not- very relaxed about security. There are people actively developing some amazing security capabilities and restrictions for the linux kernel, as well as userspace. No, not every developer cares much about security; however, third parties read -all- the code that ends up in the kernel, and quite a few people actively look for bugs, whether general or security-related, and then fix them.
I’d list the features, but I’d probably run over the character limit. Check http://www.grsecurity.org/features.php for grsecurity, http://www.nsa.gov/selinux/faq.html for selinux, and google for anything else you may be curious about.
“We don’t want to end up with yet another Microsoft which ten years from now declares that it will start thinking about security…”
It’s not. Linux could definitely benefit from more auditing; something like OpenBSD’s string cleanup might be nice. The typical unix security model is so-so, although with patches like selinux and systrace, this can be largely mitigated, and propolice makes buffer overflows harder to exploit.
Linux security has a long, long way to go, but there are definitely people thinking of and actively improving it.
Just look at Red Hat’s RH 9 errata page; there are 10 for the month of November and all of them are security related.
The fact is that although in theory, OSS software’s source code is open to anyone to inspect, that doesn’t mean anyone will have to take a look at it in a timely fashion.
“Just look at Red Hat’s RH 9 errata page; there are 10 for the month of November and all of them are security related.
The fact is that although in theory, OSS software’s source code is open to anyone to inspect, that doesn’t mean anyone will have to take a look at it in a timely fashion.”
OSS is available for anyone’s inspection. It is true that for many obscure packages, this never gets done. For major packages such as apache and the linux kernel, there is quite a bit of auditing.
Red Hat packages -a lot- of software.
The vulnerable packages were in rsync (remote exploit), Net-SNMP (SNMP has a bad record, regardless of platform), the 2.4 kernel (the brk() vulnerability; local root), Pan (a newsreader; the vulnerability was just a DoS attack), iproute (local vulnerability), XFree86, Epic, zebra, PostgreSQL (buffer overflow), glibc, and ethereal (a packet sniffer).
The kernel and glibc are core utilities; to most users, so is Xfree86. The other packages are somewhat less used, but not obscure.
I would argue, however, that these errata prove that not only are bugs being found, they’re being fixed, and, from what I know of some of them, in a timely manner. It would be much better if the bugs didn’t exist; realistically, just because many eyes may potentially find many bugs, and fix them, does not mean that code springs secure from anyone’s head. I might trust Knuth to write something secure, given TeX’s general lack of bugs, but practically, although efforts can be made to improve code, and fix bugs that are found in existing code, there will be flaws.
It’s true that people don’t always inspect OSS code in a timely fashion. The bright side is that they at least have the option.
Don’t forget that a hacker can also inspect the source code and find an exploit to attack an OSS defect much easier as well. In this regard, the OSS is as naked as that Emperor.
“There is a cost for open source, in terms of business process,” Wood said. “I think that you are buying into the cost of doing your own integrity check and your own building process.”
Then it is surprising that a company that has the capability to audit their own code sells Operating Systems that are full of vulnerabilities. I fail to see how anyone from Microsoft can give such a bold statement considering their track record.
“Just look at Red Hat’s RH 9 errata page; there are 10 for the month of November and all of them are security related.
The fact is that although in theory, OSS software’s source code is open to anyone to inspect, that doesn’t mean anyone will have to take a look at it in a timely fashion.”
As a previous poster mentioned, the vulnerabilities found were from many different programs. Microsoft doesn’t have to account for and patch every program made for Windows. Microsoft doesn’t even let people know about the vulnerabilities until they have a patch, and that could be months from the initial discovery.
“Don’t forget that a hacker can also inspect the source code and find an exploit to attack an OSS defect much easier as well. In this regard, the OSS is as naked as that Emperor.”
So can anyone else, and fix that hole immediately. Fortunately it takes a much higher degree of talent to review source code and manipulate a vulnerability than it takes to write a simple script and bring Windows to its knees, all from an email.
“Just look at Red Hat’s RH 9 errata page; there are 10 for the month of November and all of them are security related.”
Not everyone runs these programs. Wait, let us make a page where all the Windows programs with their bugs are stated. Uh-oh, unfair compare detected.
“Don’t forget that a hacker can also inspect the source code and find an exploit to attack an OSS defect much easier as well. In this regard, the OSS is as naked as that Emperor.”
After that, it can be fixed. By anyone. Since anyone has the source. I.e. or to defend it. Of course freedom goes both ways. Duh.
Personally, nothing feels less shitty than when I notice there are tons of bugs in a certain program (MSIE) while only 1 company can fix it, which DOES NOT HAPPEN.
Also, a study a while ago stated that this doesn’t make closed source or open source necessarily more or less secure. Like I said, it goes both ways.
Some Borland program contained a backdoor for almost 10 years. Unnoticed.
If you think closed source is more secure than open source because the source is closed, that is rather security through obscurity.
“Heard of SELinux? GRSecurity? Openwall? Systrace? In userspace, the gcc patch propolice?
Linux is -not- very relaxed about security. There are people actively developing some amazing security capabilities and restrictions for the linux kernel, as well as userspace. No, not every developer cares much about security; however, third parties read -all- the code that ends up in the kernel, and quite a few people actively look for bugs, whether general or security-related, and then fix them.
I’d list the features, but I’d probably run over the character limit. Check http://www.grsecurity.org/features.php for grsecurity, http://www.nsa.gov/selinux/faq.html for selinux, and google for anything else you may be curious about.”
When did you actually see any of these things accepted into the main tree? When did you actually see anyone running SELinux in a production environment? Well? I thought so.
Yeah, there are great security related projects built around Linux. Yeah, there are tons of nice patches. How does this really help if these are not accepted into the main tree because Linus feels like he doesn’t want to jeopardize speed in order to gain some security? Is speed more important than security?
Sure, in some cases, people have gone overboard with securing their OSes. Look at OpenBSD for example — they have crippled their OS in part. Still, it’s pretty damn secure. I won’t argue that.
The general policy of the Linux kernel developers is not to accept a security-related patch if it adds any extra overhead. Sometimes you just need to choose security over speed though.
This post was written from a Linux box, by the way. One with a heavily patched kernel.
“When did you actually see any of these things accepted into the main tree? When did you actually see anyone running SELinux in a production environment? Well? I thought so.”
SELinux is being rolled into the main tree as we speak, and is already quite usable. And I realize that SELinux isn’t often used, and it’s my strong opinion that it should be.
Attack…attack…attack. From what I understand, and this is my simple opinion, linux is about being open. Open in community, open in development, open in ideas and most definitely not insecure. The open source developers are not lazy; we have a huge array of developers the world over developing everything under the sun. It’s pretty hard to find a project that is not at least started. It is not lazy admins. Stop basking in the chance to be heard; fight the cause, not the community of developers developing OS’s and applications that those other than themselves get rich off of. You want to complain about something, complain about the companies that are out there benefitting from open source works and giving very little back. my .02
“If you think closed source is more secure than open source because the source is closed, that is rather security through obscurity.”
In some way it’s necessary for a software to be released as closed source. Depends on the situation though.
Between windows & linux, I feel safer on linux than windows (although I understand they are all the same :p)
If all people want to do is secure a site, why don’t they use a separate box with OpenBSD? Not that I’m saying that’s all OpenBSD is good for, but they’ve obviously got linux there because that’s what they like more and are more able to use. But if they were to learn the basics of firewall management under OpenBSD, they may save themselves a headache.
“The general policy of the Linux kernel developers is not to accept a security-related patch if it adds any extra overhead.”
Could you post a link to that general policy? I’d be interested to read it if it was written by a kernel developer.
“We don’t want to end up with yet another Microsoft which ten years from now declares that it will start thinking about security…”
Sorry to mention this, but Linux is already a new windows in terms of both security and loads of other reasons.
The day Linux zealots started talking about Linux for the desktop, that very same day everything started going backwards in terms of security.
Was it because Linux lost the server battle to real Unix?
Anyway… the lovechild Linux is not so safe and it’s a drag, and we all know it… time to move on I guess…