2008-09-14 13:48:53

Linus' Misconception of the Security Industry

Ever since the (in-)famous Monkey Story, a new anti-security attitude appears to be spreading. Some Linus loyalists have started promoting the idea that regular security updates and published advisories are principles one need not adhere to. Meanwhile, the security industry is worried to see this attitude fueled by the leader of one of the biggest Open Source communities.

The general perception of security

We have seen this dismissal of security from IT consumers before; in the Windows world in particular, security is widely ignored. Security patches are not applied regularly because they are perceived as an annoyance rather than a gain.

The biggest enemy of the security consultant is the perception of ”Who would want to attack me anyway? I am not interesting.“ This may have been a valid question in the very early days of networked computing, when attacks were carried out by intruders looking for specific information or by kids wardialing into the mainframes of the planet to get internet access.

But the ”end users“ of security problems have changed significantly. Nowadays the biggest consumers of exploits are spambots: automated attack bots that break into any computer in their way in order to use it for sending spam or for conducting denial of service attacks on behalf of paying customers. To such a bot, the average user with an innocent PC on a thin home line is just as valuable a target as anyone else, because every compromised machine is one more sender.

The same applies to server security. The good news is that, much of the time, attackers are no longer after credit card data (which nowadays is usually not handled by the web shop where people buy their goods but by a payment service provider that has a real security response team – well, at least some of the time). The bad news is that an operator who reacts slowly to a compromise will lose the ability to send mail at all, because the machine ends up on a spam blacklist.

And so people also don't care that distributions like Ubuntu (among other problems) lag three months behind on security updates, while other convenient end-user distributions like Fedora usually ship their patches within hours of an issue becoming public.

Where Linus comes in

The unfortunate part of Linus' new-found security populism is that, in this atmosphere of negligence, he has fueled the argument that ”security is not important“. Possibly that is not really what he meant. But as the reception of Linus' book ”Just for Fun“ showed most impressively, there is now a large crowd of people who believe every word Linus says and who repeat his opinion rather than forming their own. To these people, once Linus says ”security is not important“, security is no longer of any importance.

Linus has also managed to do significant harm to vendors' attitude towards open disclosure. Since few vendors really understand how security incidents are handled – the work is mostly done by the first distributor who gets involved – Linus' argument that advisories give script kiddies a head start sounds plausible to them. As a result, security problems are no longer necessarily disclosed publicly.

However, this approach does not necessarily work, and least of all for the Linux kernel. Because of the kernel's development model, the latest releases are frequently unstable and regularly break features such as suspend to RAM or virtual machines. Under the stated policy of leaving these problems to the distributor, that is not a problem in itself: distributors usually pick an older kernel release and backport fixes and other required features, such as new drivers, to it as needed.

It does mean, however, that the vast majority of people are not running the latest kernel release. Some depend on their distributor's kernel, and some run an older release that ”works for them“, not knowing that it contains security holes which were quietly fixed in later releases. Why don't they know? Because Linus thinks that security is not important.

At the same time, spammers have an army of people who fit the description of a monkey far better than the OpenBSD developers do. This army harvests the Linux kernel's source code and change logs for exploitable security problems to use in their spam bots. That is cheap manpower in China and Eastern Europe which most distributors and end users simply don't have. So Linus' proclaimed security policy is what actually gives script kiddies and spammers a head start over the end user.
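To make that harvesting concrete, here is an added example (not code from the original post, and not anything the kernel project itself ships) of what such an army does by hand: scan commit messages for security-smelling keywords, flag the ones that cite no CVE, and list those whose first release is newer than the kernel a user is actually running. The commit records, tags and keyword patterns are constructed for the example; the CVE string in one record is a placeholder, not a real assignment. The same script illustrates the earlier point about users on an older release that ”works for them“ not knowing which fixes they are missing.

```python
import re

# Constructed sample of kernel-style commit records. The SHAs, tags, subjects
# and bodies are made up for this example; "tag" is the first release that
# contains the commit (what `git describe --contains` would report).
SAMPLE_COMMITS = [
    {"sha": "a1b2c3d", "tag": "v2.6.26.3",
     "subject": "net: fix integer overflow in length check",
     "body": "A crafted packet can wrap the length and overrun the buffer.\n"},
    {"sha": "b2c3d4e", "tag": "v2.6.26.5",
     "subject": "fs: NULL pointer dereference on corrupt superblock",
     "body": "Check sb->s_root before using it.\n"},
    {"sha": "c3d4e5f", "tag": "v2.6.27",
     "subject": "sctp: fix use-after-free in association close",
     "body": "Fixes CVE-0000-0000 (placeholder identifier, not a real CVE).\n"},
    {"sha": "d4e5f6a", "tag": "v2.6.27",
     "subject": "Documentation: update maintainers list",
     "body": ""},
]

# Heuristic keyword patterns; an assumption of this example, not an official
# taxonomy. Matched case-insensitively over subject and body.
SECURITY_PATTERNS = {
    "overflow": r"\boverflows?\b",
    "use-after-free": r"\buse[- ]after[- ]free\b",
    "null-deref": r"\bnull[- ]pointer[- ]deref",
    "out-of-bounds": r"\bout[- ]of[- ]bounds?\b",
    "race": r"\brace condition\b",
    "privilege": r"\bprivilege escalation\b",
}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def classify(subject, body):
    """Return the sorted list of security categories a commit message matches."""
    text = f"{subject}\n{body}".lower()
    return sorted(name for name, pat in SECURITY_PATTERNS.items()
                  if re.search(pat, text))


def silent_security_fixes(commits):
    """Commits that read like security fixes but cite no CVE identifier."""
    return [c for c in commits
            if classify(c["subject"], c["body"])
            and not CVE_RE.search(c["subject"] + "\n" + c["body"])]


def parse_version(tag):
    """Turn a kernel tag such as v2.6.26.3 or v2.6.27-rc5 into a sortable tuple.

    Release candidates sort before the final release with the same number.
    """
    m = re.fullmatch(r"v(\d+(?:\.\d+)*)(?:-rc(\d+))?", tag)
    if not m:
        raise ValueError(f"unrecognised kernel tag: {tag}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))          # v2.6.27 sorts like v2.6.27.0
    rc = m.group(2)
    return nums + ((0, int(rc)) if rc is not None else (1, 0))


def missing_from(commits, running):
    """Security-relevant fixes whose first release is newer than the running kernel."""
    cur = parse_version(running)
    return [c for c in commits
            if classify(c["subject"], c["body"])
            and parse_version(c["tag"]) > cur]


if __name__ == "__main__":
    for c in silent_security_fixes(SAMPLE_COMMITS):
        print("no CVE referenced:", c["sha"],
              classify(c["subject"], c["body"]), c["subject"])
    for c in missing_from(SAMPLE_COMMITS, "v2.6.26.3"):
        print("not in v2.6.26.3:", c["sha"], "(first in", c["tag"] + ")",
              c["subject"])
```

Against a real tree the record list would come from `git log` plus `git describe --contains`, and the keyword list would be far longer; the point is that a commit message which says ”fix overflow“ but never mentions a CVE is exactly the signal such a crew searches for, and a user pinned to v2.6.26.3 has no advisory telling them what b2c3d4e or c3d4e5f fixed.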

What Linus did not understand

Linus' most convincing argument, however, concerns the end user: how does one ensure that end users receive a patch before the spammers have had a chance to update their bots? To an outsider it may appear that this problem is unsolved. It is not. And this is where the ”masturbating monkey“ security industry comes in.

Just like the software itself, a security advisory has a release cycle. For the reasons outlined above, this cycle does not even necessarily involve the upstream vendor. The usual procedure is as follows:

Someone discovers a vulnerability and reports it to the vendor. The vendor or the reporter then contacts a distributor that takes part in the coordination process, such as Debian or Red Hat. Alternatively, a distributor notices the patch for the security problem on its own and picks it up.

The distributor then requests a CVE identifier for the issue and shares the details with the other distributors and CERTs over the private vendor coordination list, so all of them become aware of the problem. A patch is developed and the participating distributors agree on an embargo date by which every one of them must have the fix ready. Each distributor fixes the vulnerability in its own packages; the patched package versions are later described in a machine-readable form (OVAL definitions, for instance) so that scanners can check whether a system carries the fix.

Once every distributor has a fix ready, the advisory is made public on the agreed date. The CVE entry switches from ”reserved“ to a public description on the CVE web site (before this point the identifier exists and shows as assigned, but visitors to the site get no details). Distributors release their advisories, and advisory aggregators such as Secunia pick them up. Only now do the spammers get to see the advisory, while end users can already pick up the fix from their distributor's update channel.

So the problem Linus sees with the ”obsessive security industry“ is already solved; all that needs to happen is for security problems to be reported to at least one distributor. From that point on, Linus could go back to looking after the development cycle.

Posted by Tonnerre Lombard | Permanent link | File under: security