Titan Rain: reason to switch to Linux number 247,385,621

Respected computer security guru Bruce Schneier briefly weighs in on Titan Rain, the US government's code name for an ongoing series of highly skilled and organized hacking attacks carried out against US military networks and apparently originating in China.

The expert consensus, which I’m not sure I entirely agree with, is that Titan Rain is a Chinese military effort. While I’m not in a position to know who is behind the attacks, I know enough about the general topic of IT security to also know that few, if any, can really know that either.

The publicly stated reasoning behind that expert consensus is that, in the eyes of the experts, the attacks are so well skilled and organized that they simply have to have been carried out by a foreign military. I believe that reasoning reflects a certain statist chauvinism that, in defiance of almost all evidence, government organizations are bastions of competence. Chauvinists of this stripe have failed to learn the fourth generation warfare lessons of 9/11 — that states are not the only potential players on the battlefield. The attacks could be a Chinese military effort, or they could be something else. As a matter of fact, it’s entirely possible that a Chinese military hacking effort is going on AND something else is going on.

I believe we’ll hear more about this as time goes on and, as is typical with regard to wars and governments, that some of it will be accurate and some will be misinformation. One thing you can be sure of, though, is that as networks become just another arena for warfare to be conducted in, they will become a dangerous place for innocent civilians — just like any battlefield.

Because battlefields are dangerous places to be, it then becomes incumbent on every computer user to take personal initiative to educate themselves about computer security basics and attend to taking care of those computers and networks they are responsible for.

No operating system is “secure” all by itself. Rather, some are more easily securable than others. Easily in that context can be deceptive, though. Which would be easier to use, a single monkey wrench or a huge and diverse box of tools? Well, if you’re trying to accomplish a complex task, the whole toolbox is going to be “easier” in that it will have the flexibility to get the tasks done that you need to get done. You, though, are the one who has to figure out how to use those tools — and that can be hard for some people.

Microsoft Windows operating systems are, in my (relatively well informed) opinion, much more difficult to secure, even if you think they are easier to use. Instead, I advocate using open source operating systems, such as GNU/Linux or any of the BSDs.

Fortunately, Linux is nowhere near as difficult to use as it used to be. In objective terms, it is no harder to learn to use than Microsoft Windows. It’s just different — so Windows users who switch to Linux will have a bit of a learning curve in terms of figuring out how to do similar things to what they did in Windows or what applications to use. It’s not rocket science, though — and you can’t continue to swim upstream, in terms of computer security, in the Microsoft Windows world forever. As the breaking news of Titan Rain shows, global events, or reality, won’t let you.

4 Comments

  • denis bider says:

    Man, you must be drinking some serious Kool-Aid there. There’s absolutely no reasonable way you can jump from Titan Rain and convert it into an argument pro Linux, because Linux isn’t inherently any more secure than Windows, and OS X isn’t either, and no platform is where programs are developed using essentially the same tools and processes as were invented in the 1970s for developing stand-alone, non-networked applications meant for use in drastically different conditions than exist in computing environments today.

    No OS today is easy to secure, including Linux. It’s a plague of computing these days, and solutions to this exist, but they are so far still emerging. There’s no way people will be more secure today if they would all just switch to Linux. It would be as irrelevant as, dunno, switching from one brand of cigarettes to another, when what you really need is to quit smoking.

  • It’s interesting that you say that part about:

    no platform is where programs are developed using essentially the same tools and processes as were invented in the 1970s for developing stand-alone, non-networked applications meant for use in drastically different conditions than exist in computing environments today.

    …because it contrasts nicely with the following quote from this article:

    …by design Linux is inherently more secure than Windows.

    From the ground up, Linux was designed to be a multi-user, networked operating system. Even now, Windows shows its creaky history as the descendent of a single-user, stand-alone PC operating system.

    Now, granted, you’re talking about applications (and development tools in particular) in the part I quoted, while that’s talking about operating systems. The security advantages of using a network aware text editor or compiler are not immediately obvious (compared to a network aware programmer), but hey, I’m willing to listen.

    Also, while Schneier may or may not think Titan Rain is an appropriate segue (Can you say “botnet” boys and girls? Goood.) — he does at least somewhat agree with me on Linux security.

    Not that Schneier is the ultimate authoritative voice on anything, but he’s no lightweight either.

    I would agree with you that:

    No OS today is easy to secure, including Linux.

    As I noted:

    No operating system is secure all by itself. Rather, some are more easily securable than others.

    It might seem like splitting hairs on my part, but there is a big difference between “easy to secure” and “more easily securable” — as in easiER. Some difficult things are more or less difficult than others.

    Security is by no means something that can just be acquired by switching operating systems. However, when a growing body of evidence indicates that use of one set of tools to do a complex task amounts to self-sabotage in the effort, then the way forward becomes clear.

  • RMD says:

    From the ground up, Linux was designed to be a multi-user, networked operating system. Even now, Windows shows its creaky history as the descendent of a single-user, stand-alone PC operating system.

    Baloney. Windows 2000, Windows XP, and Windows 2003 all are derived from the Windows NT codebase.

    Windows NT was absolutely designed from the ground up with a multi-user environment in mind. In fact, what you say about Windows is actually partially true of Linux, which has its roots in Unix. Unix had security grafted on to it, which is one reason why all security in Linux is in terms of security applied to files and folders.

    Windows has the concept of Access Control Lists, which are a far more flexible and powerful way of securing resources. In addition, Windows lets you apply security to ANY resource in the system that is represented as an object by the Object Manager in the NT kernel. This means files, folders, registry keys, devices (printers, USB devices, etc.), etc. There are extensions available to Linux for this, but again, it’s grafted on… it was not designed from the ground up with this in mind.

    What quantitative data are you using to support your argument that Linux is more secure than Windows? There have been more serious security problems for Red Hat over the past 2 years than for Windows 2003, yet Linux advocates still insist that it is more secure. The turnaround time for patches for Windows is typically better than those for Linux as well, with a few glaring exceptions like some IE bugs which are still not fixed. (But that’s one reason why I don’t use IE.)

    I’ve run an extremely high load web application on a Windows 2k3 server farm using IIS 6 and ASP.NET for over 2 years now, and we have had exactly 0 seconds of down time. Not ONE second. That’s 100% uptime if you’re keeping track. We apply patches on a monthly schedule if necessary (which it typically isn’t), and downtime is isolated to individual servers instead of the service thanks to load balancing and clustering. We’ve NEVER had a single machine crash, and they had huge amounts of load. (60 million hits a day is typical.)

    Linux has its place. I’ve used it, along with J2EE/JBoss, for projects that required $0 upfront software costs. I used to run it at home when I was in my “OS rebel” stage, but I outgrew it. I realized I wanted my computer to just work. I didn’t want to have to recompile my database server because my glibc was incompatible. I didn’t want to have to struggle to get drivers for my printer to work. I just wanted to get my work done… and Windows works like a charm for that, and many, many other things.

  • DavidMohring says:

    RMD, you are the one drinking Microsoft’s Kool-Aid.

    Unix has always had far superior isolation of privilege. The inherent design of the APIs provided by Windows 2000, XP (and still included in Vista) are far more easily abused to gain an escalation of privilege. Also many more subsystems on Microsoft platforms require LocalSystem level access, equivalent to root access on Unix. This includes the Microsoft SQL server used in your “.NET” server farm, which still runs with LocalSystem access.

    To quote Mark Russinovich:
    http://www.sysinternals.com/blog/2005/12/circumventing-group-policy-as-limited.html
    “It’s also important to note that the ability of limited users to override these settings is not due to a bug in Windows, but rather enabled by design decisions made by the Microsoft Group Policy team.”

    Microsoft’s new platforms still inherit so many such “design decisions”. Similar potentially exploitable vulnerabilities found on any Unix/BSD/Linux software have always been considered to be a security threat, to be promptly patched ASAP. Microsoft has almost always reluctantly closed similar holes only when the vulnerability is at threat of or is being actively exploited by malware.

    Microsoft has attempted to close some of the more widely abused vulnerabilities with XP SP2, Win2003 and the design of Vista, but Microsoft is still years away from achieving the level of separation available with current Linux distributions that use targeted SELinux policies.

    A serious comparison of Microsoft Platform Security with Linux by Nicholas Petreley
    http://www.theregister.co.uk/security/security_report_windows_vs_linux/

    A history of quantitative studies can be found at David A. Wheeler’s site
    http://www.dwheeler.com/oss_fs_why.html#security
