Linux Security Fail - TechRepublic
November 3, 2009 at 07:29 AM
dcolbertmatrixmso

Linux Security Fail

by dcolbertmatrixmso. Updated 15 years, 11 months ago

I’ve often spoken about my concerns about Linux generally being unpolished and rough – and my feeling has always been that the claims of “superior security” from the Linux camp are over-stated, because of this lack of polish, fit and finish. In particular, it seems that the relatively small percentage of machines out there means that obscure but very dangerous issues are less likely to be discovered (the disputed, mythical “security through obscurity” claim that Linux advocates say does not exist). With so many Win32/64 machines out there, a serious security flaw, even an obscure one, is likely to get noticed and brought to attention sooner, not later.
Today, I experienced a *great* example of this. I have an Ubuntu 9.04 box sitting at my desk running on a Dell Dimension 8200 P4 system. I use it for various work related duties, often when my Lenovo desktop is tied up doing other business. This morning, when I came in, the screen saver was displaying as normal. I started working on my Lenovo. After a while, I looked over, and to my surprise, the Ubuntu box was sitting at the desktop, with Firefox running, and I could see the page I was at (dnsstuff.com). Shocked, I moved the mouse and the display went black, and came up with the log-in screen, as if it had been displaying the screen-saver.

This is simply unacceptable, and I’ve *never* seen a Win32 machine do anything like this in years of experience. It is unpolished, lacking in sufficient QA, and not suitable for a corporate environment – plain and simple. This wasn’t OE – I didn’t use it and leave it unlocked. It was locked, the screen was on a screen saver, and suddenly, without any user interaction, it returned to a full desktop. That isn’t a minor security issue. It is a potentially HUGE issue – especially in an industry like mine, where there are strict HIPAA regulations on ePHI data. There are all kinds of ramifications of thinking you’ve securely locked your desktop from prying eyes, only to come back and see that desktop displayed to the world.

This isn’t an isolated event, either. The fact is that since I started using Linux with Debian Sarge and Potato, I’ve seen too many issues like these where it is clear that a bunch of guys working at the grass-roots level, with a lot of passion, when they’re not doing their day jobs, simply can’t provide a quality security environment comparable to a major corporate interest with deep pockets and the workforce to sufficiently quality-check their product. Linux may be fundamentally better at the foundation – but without the dollars and the manpower to develop strong, secure, reliable, polished things on top of that foundation, it doesn’t really matter.

A crashing screensaver should NEVER return you to a desktop. If I have *ever* seen this in a Windows environment, it was in Win 3.11 for Workstations (not NT). If the screensaver crashes, you should get returned to the login prompt with a black background, at the very least.

I’m totally blown away by this – and utterly disappointed in Ubuntu and Linux. This has a major impact on my reluctance to use Linux or Linux-based devices throughout my environment for anything requiring enterprise-class security. Unfortunately, I can’t reliably recreate this issue, because it just happened while it was sitting there. But if it only happens once in 1000 hours per 1000 workstations, that is too many times for something like this to occur.
