Open Source and Security

Author: Wolf Halton, Senior Security Consultant, Halton Technical Services

Read Wolf Halton’s questions and answers on Open Source Security and what it means to your organization.

What Does “Open Source” Mean?
Open Source is a buzz-word that has been going around for over 20 years. In 1984 the GNU Project launched with the purpose of producing an entirely free UNIX-like operating system. When they said “free” they meant “free, as in ‘free speech’, not free as in ‘free beer’.” Open Source software projects allow end-users to adjust or add features to software for whatever purpose they wish. There is no law against this, and it is encouraged. If you have requirements that the software might be able to fill, and you are (or hire) a programmer who is equal to the task of adding features to that software, the license of an Open Source software product allows you to do just that. This is the philosophy of Open Source, as laid out by the GPL (GNU General Public License). The GPL and many other similar licenses are concerned with making sure that additions to the standard release of a piece of software called by a specific name (Linux, for instance) are distributed with all of the source code, so that any competent programmer could compile the software. This is part of a legal concept called Copyleft. Copyleft, as opposed to Copyright, is designed to protect the end-user as well as the programmers in all cases. It is designed to ensure that the software remains open-source and that all derivative works are published as open-source as well. This is different from publishing as “Public Domain”, in that Public Domain software may be used in any way, including deeming it proprietary and selling a version of it with closed source code so that users may not modify it to suit their needs. This is also not like the concept of “Shareware”, in which case the software is free to use for some trial period, after which users are expected to pay some named fee to the owner of the source code. Source code is not distributed with most shareware.

Charging for open-source software is fine, though in many cases the developers get paid through the sale of physically tangible items, such as CDs, or non-tangible items such as support services or additional features that your company might need but which the average user has not requested.

What Does Open Source Mean to My Organization?
Because the philosophy of Open Source allows any user to modify the software for any useful purpose, many people, including programmers, project managers, technical writers and graphic artists, have donated thousands of hours to developing the software to its current state, and they will not stop donating their time to the project because you have downloaded the product or bought a DVD with the software on it. This constitutes a major saving for you, either when compared to the license fees of proprietary software, or when compared to the cost of developing an entirely new custom software product.

As an example, you could purchase licenses for Microsoft’s Office 2007 Productivity Suite for your 100 employees. Assuming you wanted the cheapest version available, you will still pay in excess of $100 per installation, and since the 2007 version is almost entirely different from Office 2000 or 2003, you will encounter a learning curve as your employees learn how to do what they must on the new software. It is almost impossible to tell how much of a slow-down you will experience, especially if the implementation is staggered, but for the sake of argument, let’s assume it reduces productivity by only 10 percent for a month. This is a lot less than the productivity hit you would take if you hired all new employees, but still a notable amount. So if productivity drops 10%, then you have effectively lowered the profit margin by increasing the time required to do the same work. If you have 100 employees who effectively got a 10% raise relative to their productivity, and each made $10 per hour before the change, that means a cost of approximately $100 per hour for the month they are getting used to the new software. Hardly any company would consider training the employees for this “upgrade”, so hardly any company will avoid this “hidden cost” of the major upgrade. $100 x 8 hours x 25 days in a month would run somewhere in the neighborhood of $20,000. This gives you a visible cost of $10,000 for software licenses, and a hidden cost of $20,000 in lost productivity.

If you chose instead to use the OpenOffice.org Office Productivity Suite, which has a Copyleft license, and which would be perceived as a major change by the employees, you would incur a licensing cost of $0 to download the package to one computer, and copy that to a DVD or CD for installation to all 100 machines. The physical installation would be the same with either software package. I would strongly suggest you develop a “named project” to roll out this software and include a customized training program developed for your employees to reduce or eliminate the productivity hit you would take as they learned to operate the software. Let’s say this project, which would include making sure the new software included the standard macros your company used, and the training, cost you $200 per seat, or $20,000. This gives you a net cost of $20,000 with negligible hidden productivity degradation.

“Open Source” May Not Mean “Open Standard”
In the example above, I used OpenOffice.org as the Open Source software package because OOo uses the OASIS OpenDocument standard as its default document format. Some Open Source office suites use their own non-standard document format as the default, and this can cause the same problems that any other closed format not based upon open standards can cause. The Microsoft .doc format has changed dramatically several times, and the newer versions are not compatible with the older software. This is understandable, since the newer formats allow you to do more with them. What is wrong with closed standards is that in some cases older documents, produced with the older software, are not readable by the newer closed-source software produced by the same company. This means a software provider can prevent you from accessing your legacy data, and other companies are prevented by law and convention from developing a product to help you read and update your own documents.

Why is Open Source software more secure than Closed Source software?
Contrary to popular belief, just slapping on the label “Open-Source” does not make a software package safer. A poorly-designed open-source package may be just as susceptible to hacking as a poorly-designed closed-source package. Where open-source thinking pulls ahead is that any user may find and fix a security issue they discover, while in the closed-source world anybody may find a security issue and alert the owner of the software to its existence; however, a non-owner may not fix the problem. Once the owner of the software is alerted to the issue, they must put it before the change board for that package, after which it is considered by the project manager and change board for inclusion in the next version of the software or, if it is extremely severe, it may be released as a “security patch” for the current version of the software. Usually, security patches for proprietary software are free to the license-holders. Usually, license-holders have to search around for these security patches.

Poorly-designed open-source packages tend to be re-designed or they die. When there is no buy-in from the community for your project, it is left to die quietly on its own, and the developers who started the project move on to join other projects or start new projects. Poorly-designed proprietary software projects may fail in the marketplace, but if they are heavily funded, they may persist for years by virtue of the company’s investment in marketing. Though marketing is my second-favorite hobby (behind developing infrastructure around OpenOffice.org, Ubuntu Linux and other open-source projects), marketing can have the effect of keeping alive an iffy project that has already had a lot of media send-up, because of the current level of investment. Some companies use their marketing to spread fear, uncertainty and doubt about open source. This was and remains fairly simple because there is no single voice for Open Source. The “Open-Source Community” is not actually a single coherent and cohesive body with specific goals shared by all, so almost any proprietary software, presented by an organization with a reasonable marketing budget, can gain market-share or mind-share by bashing Open Source.

What Makes Linux So Secure?
Linux has a reputation for being secure because Linus Torvalds and the other early developers had 30 years of UNIX development to consider. When you consider that the Internet did not exist when UNIX was designed, it is a bit surprising that the developers were already thinking of the operating system as being part of a network. The GNU Project, and Torvalds (who is not particularly a member of the GNU Project), were able to recognize that any user session where the user had full administrative authority could lead to a catastrophic failure of the computer, even if the failure amounted to an operator error rather than an actual attack. Linux applications, or more correctly GNU/Linux applications, are generally designed with security in mind first, and if one developer produced some code that was not secure, there were dozens of people inspecting the code – looking for ways it could break, and fixing the breaks. In this way, all the developers got better by looking at all sorts of code and fixing it. This does not mean that Microsoft could fix their security issues by hiring 10,000 developers. Somehow, once a person is on salary, their employers want them to be producing something every minute of the day, so the creativity that hobby developers display is not so apparent.

Thousands of eyes looking at the Linux kernel have resulted in a strong and secure kernel. This process is not intended to be perfect, but it is intended to be fun. The level of accuracy and the speed of security patch availability are directly the result of the development and distribution process being fun.

Which Linux Should I Choose?
This question breaks down into several considerations. The Linux kernel is included in over a hundred Linux Distributions, or Distros. A Distro contains the Linux kernel, a relatively standard group of Command Line Interface (CLI) utilities, and approximately 2000 applications. The standard installation for a desktop includes at least one Graphical User Interface (GUI) desktop, which is like the Windows graphic interface and explorer.exe file manager. The most common Distros I see are Ubuntu, Fedora/Red Hat, Knoppix and S.U.S.E. They all have distinctions that might or might not matter to you in your choice of distro. They are all equally secure because their default installations follow these rules:

    1.) Services are off by default, rather than on
    2.) The built-in (kernel module) firewall is turned on by default
    3.) The root user, the Linux equivalent of Windows “administrator”, is not the default user. The default user profile is limited in what it can do. A Linux user cannot edit system configurations or modify system folders. Almost 100% of my computer use is on a Linux box. I am a network engineer, and I spend more time editing system settings than an average user, but I spend less than 10% of my work time acting as root.
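A short way to check those three rules on a running box, as an added example that is not part of the article. The parsing functions take command output on standard input so they can be exercised offline against the constructed samples below; the formats assumed are those of `ss -ltn` from iproute2 and `iptables -S INPUT`, and the sample addresses and rules are made up.

```shell
#!/bin/sh
# Added example (not from the article): audit a Linux box against the three
# default-installation rules. Parsers read command output from stdin so they
# can be tested offline; the samples below are constructed in the formats
# printed by `ss -ltn` (iproute2) and `iptables -S INPUT`.

# Rule 1: services off by default. Count TCP listeners reachable from the
# network, i.e. bound to something other than the loopback address.
# Input: `ss -ltn` output (header line, then one socket per line, with the
# local address:port in column 4).
count_exposed_listeners() {
    awk 'NR > 1 && $4 !~ /^(127\.|\[::1\]:)/ { n++ } END { print n + 0 }'
}

# Rule 2: firewall on by default. Print the INPUT chain's default policy from
# `iptables -S INPUT`; DROP means unsolicited inbound packets are refused
# unless a rule explicitly accepts them.
input_chain_policy() {
    awk '$1 == "-P" && $2 == "INPUT" { print $3; exit }'
}

# Rule 3: work as a limited user. Succeeds when the effective UID is not 0.
not_running_as_root() {
    [ "$(id -u)" -ne 0 ]
}

# Constructed sample: CUPS listening on loopback only, SSH on all interfaces.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:631      0.0.0.0:*
LISTEN 0      128          0.0.0.0:22       0.0.0.0:*
LISTEN 0      128            [::1]:631         [::]:*'

# Constructed sample: default-deny inbound, loopback and established traffic
# allowed, SSH opened explicitly.
SAMPLE_IPTABLES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT'

# On a live box, pipe the real commands instead of the samples:
#   ss -ltn | count_exposed_listeners
#   iptables -S INPUT | input_chain_policy     (needs root)
echo "exposed TCP listeners: $(printf '%s\n' "$SAMPLE_SS" | count_exposed_listeners)"
echo "INPUT chain policy:    $(printf '%s\n' "$SAMPLE_IPTABLES" | input_chain_policy)"
if not_running_as_root; then
    echo "running as a limited user: yes"
else
    echo "running as a limited user: NO (uid 0)"
fi
```

A listener bound to 0.0.0.0 or an IPv6 wildcard is what an attacker on the LAN can actually reach; the loopback-only CUPS socket in the sample is harmless to the network, which is why the count is 1 rather than 3. An INPUT policy of ACCEPT with no rules is the "firewall off" case the second rule warns about.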

Ubuntu
http://Ubuntu.org
Here is my Ubuntu 7.04 Desktop. Ubuntu is one of the top 10 Distros on http://distrowatch.com based on page hits. I like Ubuntu because the support forum is very good and it is designed to be simple to operate. It also uses a special utility by default called sudo. Sudo lets a user who is authorized as a “sudoer” enter a logged superuser mode to effect system changes.

The logged mode lets you figure out what you might have done as root to mess up a system. Straight “root” mode assumes that you know what you are doing, and does not log your progress. Especially in the case where more than one person is responsible for administering a system, it is very helpful to have a log of each sudoer’s actions. In the default Ubuntu installation, the root password is not given to the default user defined during the installation process. As in any UNIX-like system, the root password can be changed so that you have the information, but if you are using the sudo command, you do not need that information to proceed.
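Because sudo writes one log line per invocation (on Ubuntu, to the system auth log), each sudoer's actions can be reconstructed after the fact. The following shell script is an added example, not from the article: it parses a constructed sample of sudo log lines, laid out in sudo's standard entry format, and separates the commands that actually ran as root from the attempts sudo refused. The host name, user names and commands in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the article): reconstruct what each sudoer did
# from the lines sudo writes to the system log (/var/log/auth.log on Ubuntu).
# The log below is constructed; host, users and commands are made up, but the
# line layout follows sudo's standard entry:
#   <user> : [<failure reason> ;] TTY=... ; PWD=... ; USER=<target> ; COMMAND=...

SAMPLE_LOG='Jun 14 09:12:01 box sudo:     wolf : TTY=pts/0 ; PWD=/home/wolf ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
Jun 14 09:15:22 box sudo:     wolf : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vim /etc/ssh/sshd_config
Jun 14 09:20:05 box sudo:      sue : TTY=pts/1 ; PWD=/home/sue ; USER=root ; COMMAND=/usr/sbin/service ssh restart
Jun 14 09:21:40 box sudo:      sue : command not allowed ; TTY=pts/1 ; PWD=/home/sue ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun 14 09:22:10 box sudo:     wolf : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/wolf ; USER=root ; COMMAND=/bin/ls /root'

# Commands sudo actually ran: lines where TTY= follows the user name directly,
# with no failure reason in between. Prints "sudoer|target user|command".
sudo_successes() {
    sed -n 's/^.* sudo: *\([^ ]*\) : TTY=[^;]*; PWD=[^;]*; USER=\([^ ]*\) ; COMMAND=\(.*\)$/\1|\2|\3/p'
}

# Attempts sudo refused (wrong password, command not permitted by sudoers, ...):
# a failure reason sits between the user name and TTY=. Prints "sudoer|reason|command".
sudo_failures() {
    sed -n 's/^.* sudo: *\([^ ]*\) : \([^;]*\) ; TTY=.* ; COMMAND=\(.*\)$/\1|\2|\3/p'
}

# Number of commands one sudoer successfully ran as another user (log on stdin).
count_sudo_commands_for() {
    sudo_successes | awk -F'|' -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# On a live Ubuntu box, feed /var/log/auth.log (readable by the adm group)
# instead of the constructed sample.
echo "== commands run through sudo (sudoer|as user|command) =="
printf '%s\n' "$SAMPLE_LOG" | sudo_successes
echo "== attempts sudo refused (sudoer|reason|command) =="
printf '%s\n' "$SAMPLE_LOG" | sudo_failures
```

The refused attempts are the lines worth watching on a shared system: a sudoer repeatedly trying commands outside their sudoers grant, or repeated password failures from one terminal, show up here in a way that a plain root shell would never record.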

This appears to be about ½ the original 19” diagonal display I am actually looking at. This is a Gnome Desktop. Gnome is one of the top 3 desktops you are likely to see on an Ubuntu Linux box. There are three main Ubuntu Distros: the standard download, which by default gives you Gnome; Kubuntu, which gives you the “K” Desktop Environment (KDE); and the Xubuntu distro, which comes by default with the XFCE desktop. Various people like different things about each desktop choice, but it is essentially a subjective choice. I like my icons spread around in shoals that make sense to me. You might like your icons in orderly vertical (or horizontal) rows. Everyone gets to choose.

Controls on a Gnome Desktop
I have left my customization minor, so you could get the idea of what is important, and available on a default installation. In the top left corner is the Gnome Menu. The Menu has three drop-downs.

Applications – Containing the GUI applications you will use to produce documents, surf the internet, check your mail and play Freecell or Mines. “Who loves ya, Baby?” Linux desktops come with 8 or 10 games. The next tab is…

Places – You would look here to find your file manager windows, and your “network neighborhood” of servers and co-workers. Linux lets you share folders with both your Linux-using co-workers and your Windows-using coworkers. The last tab is…

System – This is where your user-interface controls and system configuration GUI dialogs can be found.

Next to the Gnome Menu on my machine are “quickstart” icons for a terminal window, Firefox Web Browser and Evolution Mail Client. These are probably the three applications I use the most, followed by the OpenOffice Writer application found under Applications –> Office.

In the top right corner is a System Monitor icon, with which I can get a snapshot of how much CPU time and RAM I am using at any time. I can click on that icon and open the system monitor application. This is a bit like the Windows Task Manager, but I have a lot more control over what is going on in my system than the Task Manager gives me on a Windows box. Next in the illustration is an icon that tells you the music or movie player is running. I am listening to a seminar while I write this. Next is an indicator of whether my network interface card is working properly, then the master sound volume icon, and then a “clock and calendar” button, which is integrated with my Evolution calendar application, so I can just click the clock to add an appointment or look at a detailed monthly calendar. Finally there is a “Shut-down” button that lets me choose whether to lock the screen, put the OS into hibernation, log out of the session, restart the machine or actually shut it down entirely.

On the lower left is the “Show Desktop” button, which minimizes all open windows on the desktop, or if they are all minimized, hitting the button makes them all visible.

On the lower right is the desktop selector, which by default lets you swap between two identical desktops with different applications running on them. This can be a security feature, in the case of somebody attempting to “shoulder-surf” and peek at what you are doing. The buttons on the lower task bar only show the applications on the visible desktop, so if you are doing the accounting on your first desktop and writing email on the second, a shoulder-surfer can only see what is on the desktop you are working on. Accidentally giving away file names by having them available at the task bar becomes a thing of the past. Next to the Desktop chooser is the “Trash” icon. If you click this icon, the trash folder appears. You can delete or restore items from the trash window.

Now what about window style, or theme? I have modified my color-scheme a bit but I am currently using the default window dressing. Applications and File Manager windows have the same three icons on the right that you are used to; the minimizer, the maximize window toggle and the close window X.

Fedora
http://fedoraproject.org/

[Fedora screenshot]

Fedora is a Distro that spun off from the Red Hat Distro a few years ago. Fedora, once called Fedora Core, is an experimental testbed for Red Hat’s Enterprise Server Distro. Fedora is very popular with students because it is available free of charge and lets them learn to work on the Red Hat model without having to pay for Red Hat Services and Support. Red Hat’s Enterprise server is very common in production environments, while Fedora is considered unstable. I have found that the release one version behind the current one is pretty stable. The default KDE look includes a “K” icon in the lower right corner which is intended to be the equivalent of the Start button in Windows. KDE is often touted as a very “Windows-like” Linux Desktop, and gives you 4 desktops in the desktop chooser.

Novell S.U.S.E Enterprise Linux
http://www.novell.com/linux/preview.html

[S.U.S.E screenshot]

Novell made the news by making a truce with Microsoft to the effect that Microsoft would never sue anybody who was using S.U.S.E in the event that Microsoft found that Linux contained any Microsoft code. This was a pretty clear case of spreading fear and doubt around the non-Linux community. Nobody likes to think they could be sued by as avid a litigator as Microsoft. Microsoft hasn’t come across with any evidence that anybody has added MS code to Linux, but the threat was sufficient to get a couple of companies to make the truce with Microsoft. When I heard about this, I immediately considered whether I could fly a suit based on my owning the rights to the digits 1 and 0, but I found that several others came up with that angle at about the same time.

Knoppix
http://www.knoppix.com/

[Knoppix screenshot]

Knoppix is a Distro designed NOT to be installed on your hard drive. Most Knoppix users run Knoppix from the “Live CD.” The default Knoppix desktop is Fluxbox, a very minimal desktop environment and window manager. Knoppix is great when your computer will not start from the hard drive, or when you do not normally have access to a particular computer. You load the Knoppix CD and restart the box, choosing “Boot from CD” during the POST process. This Distro works well as a troubleshooting tool, but it is probably not your Distro of choice for a regular desktop.

There are at least 4 major, commonly used Desktop environments, and I have chosen screenshots with different ones to show how interchangeable they are. Everybody gets to choose which Desktop fits their technical requirements and their personal aesthetic taste.

What About Viruses and Spyware?
Most viruses, worms and Trojan Horses are written for Windows. There are a few aimed at MacOS and there are even a few aimed at Linux. Windows has the largest consumer installed base, and this makes Windows the natural prey of virus writers. Think of it this way. If you were going to spend hours or weeks doing unpaid work, you would want that work to have the highest possible impact, wouldn’t you? It is easier to write high-impact system-level malware for Windows than for Mac or Linux.

Windows uses “invisible” system-level shares of the entire C: drive, which worms use to migrate from machine to machine. You will not see this share in your Windows Network Neighborhood. You can remove it manually, but it will be back when you reboot the machine. Even with a strong intention on your part to keep it running 100% of the time, your Windows machine will require a reboot at least once a month. This attack vector is not patrolled by antivirus programs, and with it, worms like Code Red and Nimda can move out into your Windows LAN from an infected machine in a span of seconds. Also, Windows application programmers often write software that will not run in a limited profile. A surprising number of applications require that you run as Administrator all the time. When average users are habitually running with administrative privileges, a piece of malware has the highest possible chance of doing the most damage.

Linux is harder to attack, the attacks are less fruitful and there are fewer uninformed Linux users. Then you get the positive effect that a virus that attacks Linux is seen very quickly by highly-trained volunteers who are empowered to act for the good of the Linux Community. I do not have an anti-virus application on my Ubuntu server because it is just not necessary. If I wanted one, there is a free Open-Source package, ClamAV, that is available on the Internet.

This “community” aspect of Open Source cannot be over-emphasized. People who feel their input is valued and appreciated will do more to become more educated so their efforts gain more value and are more appreciated. Consider the implications of the fact that at 7am Eastern, on a Monday, there are 4194 currently-active users on the Ubuntu Support Forum http://ubuntuforums.org (480 members and 3714 guests). Most questions are answered in minutes. This is an all-volunteer group. There may be employees of Canonical, the company that supports the Ubuntu Linux Project, active on the list, but they are not visible as “official answer-givers.” By comparison, http://windowsbbs.com has 692 currently active users (11 members and 681 guests). This tells us that 11% of the currently active Ubuntu support site visitors are members (who can ask and answer questions) and 1.5% of the volunteer Windows support site visitors are members. This is not intended to be a statement of invariant truth, but it follows the trend that I have seen all over the Open-Source world. The “dynamics of forums” is a story for another time, but my conclusion is that Open Source people like to help each other.

What about Support?
Most companies that will support your Windows machines will support your Linux systems as well. My support business generally shows from 10 to 20 times as many Windows-related trouble tickets as Linux-related tickets, and the neat thing about Linux issues is that they stay fixed. Once a printing issue is solved, it stays solved (even if the OS is upgraded to the next major version). If you have more than 50 users on your network, you probably have dedicated IT staff who would be overjoyed if you were to consider using Linux on the machines that do not run applications that require Windows. It might surprise you how much in-house knowledge you already have. Linux on the desktop allows your IT staff more time to optimize the network and make things work better. Keeping the IT staff busy doing unnecessary busywork, like cleaning worms off of (re)infected machines, keeps them from doing preventive maintenance.

Wolf Halton, Security Writer / Open Source Security Consultant
To get a sample chapter of Wolf’s new book, Computer Security and Penetration Testing, subscribe to the Secret2Security Newsletter.
