July 1999 Column





LINUX COLUMN #137

Virus mania

It made the news: you probably couldn't miss hearing about the Melissa virus unless you were hiding under a rock. Various members of the great and the good of the IT community panicked, predicting the end of the net; some large financial institutions shut down their internet email gateway in hopes of keeping it out, and doubtless Doctor Solomon is chortling all the way to the bank. Me, I'm just chortling -- and a bit more quietly, because I don't have shares in the virus scanning industry.

Y'see, one of the less-well-known features of Linux is that it's pretty much immune to viruses. And as I run Linux, rather than That Other Operating System, so am I.

A bit more detail is needed to substantiate such a sweeping generalization, of course. Linux is not entirely immune to viruses. For example, a DOS boot-sector virus that infests a dual-boot Linux/Windows machine can lie dormant while Linux is running, but whenever the machine reboots it may be activated -- and if it reboots on a flag day the virus may trash the system. (This system, as I write, was last rebooted 25 days ago, so unless you're in the habit of turning your Linux system off whenever it isn't in use you're pretty much immune.)

But there are some categories of virus that Linux is completely -- or nearly completely -- immune to. Many DOS or Macintosh viruses rely on appending copies of themselves to other (uninfected) executable files. Linux viruses that do just that have been written, but they've never been observed in the wild. One reason for this is the Linux file access control system: you can't write to a file that you don't have write permission for. This is something Linux inherited from UNIX, which started life as a minicomputer and mainframe operating system, where each machine could be used by many people at the same time. Almost all of the programs on the system are therefore owned by the superuser, "root" (or a user ID like "news" or "mail"), specifically to stop Elvis T. Punter from tampering with something that is rightfully the province of the mainframe's system administrator.

Anyway, it follows that unless a virus has the great good luck to get onto the system and be executed by a user with root privileges, it can't append itself to most of the programs on the system. If it can't append itself to programs, it can't spread. And sensible system administrators don't just randomly run binaries they downloaded off the net or a CDROM without taking precautions. Traditionally, sysadmins built most of the software installed on their machine by hand, compiling and bugfixing it if necessary; that's the UNIX way, and while it's not something you can reasonably expect of Joe Q. Marketing Director, it's a damned good way of making sure the system is locked down tight. In these days of home Linux and UNIX systems it's not something you can count on -- but if you're able to follow the instructions in a READ.ME file and compile the source yourself, you're pretty much immune to any nasty little infections that might lurk in pre-compiled binaries. If you can't, well, try to spend as little time logged on as "root" (rather than under your own, non-privileged, username) as possible.
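The protection described above only holds as long as the binaries really are owned by root and not writable by anyone else; a single group- or world-writable executable on the PATH is exactly the foothold an appending virus running under an ordinary user ID needs. Here is an added example (not from the column) of the audit a cautious admin would run to find such files. It walks a tree with Python's standard os and stat modules; the demo() function builds a small constructed tree under a temporary directory, with modes chosen to illustrate one correct binary and two mistakes, rather than scanning a real system.

```python
import os
import stat
import tempfile

# Permission bits that let someone other than the file's owner modify it.
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
# Any execute bit at all: data files are not a vector for an appending virus.
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_executables(root):
    """Walk a directory tree and return the executables that a user other than
    the owner (and therefore a virus running under that user's ID) could
    overwrite or append to.  Each entry is (path relative to root, octal mode),
    sorted by path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, device nodes
            if not st.st_mode & ANY_EXEC:
                continue  # not executable, so not interesting here
            if st.st_mode & OTHER_WRITE:
                findings.append((os.path.relpath(path, root),
                                 oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def demo():
    """Constructed example tree: what a well-kept bin directory looks like
    (0755) alongside two files a careless packager or admin might leave."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "bin")
        os.mkdir(bindir)
        samples = {
            "ls": 0o755,         # normal: only the owner can write to it
            "sloppy": 0o775,     # group-writable executable: flagged
            "oops": 0o777,       # world-writable executable: flagged
            "notes.txt": 0o666,  # world-writable but not executable: ignored
        }
        for name, mode in samples.items():
            path = os.path.join(bindir, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\necho hello\n")
            os.chmod(path, mode)
        return audit_executables(tmp)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{mode} {rel}")
    # To check your own machine, call audit_executables("/usr/bin") and so on;
    # a clean system should report nothing.
```

Running the script prints the two flagged files from the constructed tree; pointing audit_executables at /bin or /usr/bin on a real box is the useful version, and the expected output there is an empty list.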

A secondary mechanism used by some Mac and Windows viruses is that they try to infect running programs in memory, piggy-back onto them, and copy themselves to other running programs. The UNIX virtual memory system blocks this quite neatly; it ensures that each running process has its own distinct memory space and can neither see (nor scribble over) any other program's memory (one reason why Linux is so much more stable than MacOS or Windows). So bang goes another reproductive strategy used by viruses.

And now for the third -- and probably the most important -- reason why Linux is not easy prey for viruses like Melissa: it's a true multi-user system that defines variable levels of trust and is built from the bottom-up with security in mind, and it (hah!) draws a clear line between applications and the operating system.

Microsoft are pretty famous for claiming that a web browser is an integral part of their operating system -- that, after all, is what the current anti-trust trial is supposedly all about. As far as I am concerned, speaking as a Microsoft hater, I am absolutely delighted that Microsoft think the web browser is part of their OS kernel! (Well, I'm not delighted for their poor users -- but that's another matter.)

Why?

Microsoft's Windows started off as a graphical shell on top of MS-DOS, itself a clone of CP/M. CP/M was an unpretentious single user operating system with no security to speak of -- when only one person can use a computer at a time, and only one program runs at a time, security is a bit of a spurious concern (best addressed by locking the floppy disks in a safe at night). Twenty years later, though, things were different. Microsoft had slowly edged down the slippery slope -- networking, multi-tasking, GUIs, virtual memory -- towards a situation where the user would not always be in control (or aware!) of all the processes going on on their machine. And nowhere prior to Windows NT did anyone sit down and say, "hey, we have de facto built a multi-user system! Why don't we think about implementing a security policy?"

On the contrary: Microsoft ignored multi-user context and security issues completely. In effect, all users and programs have root privileges. (NT goes some way to redress the issue -- which is one reason viruses are rarer on Windows NT.) Meanwhile, they built all sorts of automation features into their applications. Automation -- in the form of Visual Basic interpreters with access to inter-process communication (via OLE/ActiveX) -- is a wonderful tool. Automation without a security policy is, however, a virus-writer's dream. One of the much-trumpeted design characteristics of Java was that the Java virtual machine provided a kind of security sandbox for Java programs to run in, which had walls high enough to keep them from kicking sand in the operator's face (to stretch a metaphor). Bog-standard ActiveX and VBA on Windows 98 has no such protection mechanism. Which is why a Word document, delivered via email and opened by clicking on an attachment's icon, was allowed to rifle through a private address book (maintained by a different application) and send email to other people without the user even being aware of it.

There are many applications on Linux that have built-in automation languages (although the only one I can think of which uses Basic is StarOffice, which explicitly sets out to be a clone of Office 97). Indeed, I'm writing this article using vim, a powerful text editor which contains no less than three scripting interpreters (Tcl, Perl, and Python, all with access to the guts of the program!). However, unless you deliberately set out to compromise your system's security policy and modify some start-up command files, there is no way that merely opening a file in vim will trigger the execution of scripting commands hidden invisibly inside it. And this pattern is repeated across almost all Linux subsystems: unless you explicitly sack the police force, they'll keep your town patrolled.

This isn't to say that Linux is invulnerable to the guys in the black hats. A particular point of vulnerability is the internet; not from random viruses, but from bad guys who want to get access to your machine's resources or network connection from outside.

I own a PC that sits on a rack in an ISP, connected to the web and basically doing web server and mail server things all day long. (You can find it at antipope.org.) Because it's on the net 168 hours a week, it's vulnerable to attack by hackers. Because it's providing network services like mail and news, hackers can find its open ports (using tools called port scanners) and attempt to feed bogus data to the servers in the hope of crashing them and making them execute arbitrary commands. On one occasion over the past three years someone succeeded; since then I've been a bit more careful about blocking unused services and tracking changes in system files. (Tripwire is an indispensable tool for monitoring these files.)
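What Tripwire does at its core is simple enough to show in a few dozen lines: record a cryptographic digest of every system file while the machine is known-good, and later compare a fresh snapshot against that baseline to spot anything changed, added or removed. The following is an added illustration, not Tripwire's own code and not from the column. It uses SHA-256 from Python's hashlib; the demo() function builds a constructed tree in a temporary directory and then tampers with it, so the paths and contents are invented for the example.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {path relative to root: sha256 hex digest} for every regular
    file under root.  Symlinks are skipped so a link cannot stand in for the
    file it points at."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def compare(baseline, current):
    """Report what differs between a stored baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: take a baseline, then alter the tree in the three
    ways an integrity checker must catch (modified, new and deleted files)."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "bin/login": b"original login program\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "var/log/messages": b"boot ok\n",
        }
        for rel, data in files.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # In real use the baseline lives on read-only media, since a baseline
        # the intruder can rewrite proves nothing.
        baseline = snapshot(tmp)

        with open(os.path.join(tmp, "bin/login"), "wb") as f:
            f.write(b"replaced login program\n")      # modified file
        with open(os.path.join(tmp, "bin/.unexpected"), "wb") as f:
            f.write(b"file that was not there before\n")  # new file
        os.remove(os.path.join(tmp, "var/log/messages"))  # deleted file

        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

The two things the demo cannot show but that matter in practice are where you keep the baseline (somewhere an intruder with root cannot rewrite it) and how often you compare; a nightly run from cron with the report mailed to you is the usual arrangement.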

Most of the loopholes exploited by the script kiddies get blocked fairly rapidly, but if you run an old or out-of-date system you may be vulnerable. Whatever, it's a good idea to subscribe to the Bugtraq mailing list and update your software accordingly; if you run Red Hat Linux, you should also be checking their errata page. (And if you find the whole security field a bit bewildering, you really need a good book. I can highly recommend "Practical UNIX and Internet Security" by Simson Garfinkel and Gene Spafford, pub. O'Reilly and Associates, ISBN 1-56592-148-8; it's a big tome, but it starts from the basics, explains how the security features of UNIX (and therefore Linux) work, and by the time you get to the end you should have a broad grasp of the issues involved in running a network-connected UNIX box.)

One important law of security: "security through obscurity" doesn't work. That is, if you make some sort of software product and find it has a security hole, trying to preserve security by stifling discussion of it simply won't work -- sooner or later some curious cracker will figure out it exists, and when that happens all the crackers will soon know but your users will still be in the dark. The best antidote to security holes is a security fix. Open Source software is in general very good about this sort of thing; security holes are yelled about and patches distributed within hours or days of their discovery. So you may get the impression that Linux has lots more security problems than, say, Windows, because you hear more about them: but in reality, what is happening is the security problems are being fixed. In contrast, when a bug in the Windows 95 TCP/IP stack emerged that allowed anyone with a simple program to send the machine a "ping of death" that would crash it, it took Microsoft weeks to issue a patch and even now many users are unaware that their systems are vulnerable. (And after all, why would Microsoft want to cause unnecessary alarm among their users? It might never happen. Snort.)

Even if you only run a dialup connection, you may be vulnerable to attack by outsiders. The worst culprits are spammers -- a particularly unpleasant species of low-life who will exploit your (unsecured) mail or news server to send junk advertisements to other people. This is a real nuisance if it happens to you; it clogs up your network connection (possibly causing you to stay online much longer than you wanted to), it makes people blame you and complain to your ISP (who may cancel your account), and it wastes time and money. In fact, it's freeloading at your expense. The important points to note here are that a dialup system (a) should not accept news postings from any other machines, and (b) should not relay e-mail from one foreign domain to another. (It should originate or receive mail, but not act as a post office: that's your ISP's job.) Lamentably, some Linux systems come pre-configured to do one or both of these things; it's less common these days (due to the prevalence of spammers), but it still happens.
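The two rules above -- no news postings from other machines, no mail relayed between two foreign domains -- amount to a small policy that any mail or news server on a dial-up box should enforce. As an added illustration (not code from the column, and not how sendmail or any real MTA is configured) here is that policy written out as Python functions over the facts the server actually has in hand: the connecting client's address, the envelope recipient, and which domains and networks are "ours". The domain names and addresses are constructed for the example; note in particular that the envelope sender is deliberately not consulted, because it is trivially forged.

```python
import ipaddress

# Constructed configuration for a hypothetical dial-up box.
LOCAL_DOMAINS = ["example.org"]          # mail for these domains is "ours"
LOCAL_NETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]  # our own machine and LAN


def _domain(address):
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rpartition("@")[2].lower()


def _client_is_local(client_ip, local_networks):
    client = ipaddress.ip_address(client_ip)
    return any(client in ipaddress.ip_network(n) for n in local_networks)


def mail_action(client_ip, sender, recipient,
                local_domains=LOCAL_DOMAINS, local_networks=LOCAL_NETWORKS):
    """Decide what to do with one SMTP transaction (rule (b) in the text).

    Returns "receive"   -- mail addressed to one of our own domains,
            "originate" -- our own machine or LAN sending outbound mail,
            "reject"    -- a foreign client asking us to carry mail to a
                           foreign domain, i.e. using us as an open relay.
    `sender` is accepted for realism but never trusted: spammers forge it.
    """
    if _domain(recipient) in {d.lower() for d in local_domains}:
        return "receive"
    if _client_is_local(client_ip, local_networks):
        return "originate"
    return "reject"


def news_action(client_ip, local_networks=LOCAL_NETWORKS):
    """Rule (a): accept NNTP postings only from our own machines."""
    return "accept" if _client_is_local(client_ip, local_networks) else "reject"


def demo():
    """A few constructed transactions and the decision for each."""
    cases = [
        # (client, envelope sender, recipient)
        ("203.0.113.5", "someone@example.net", "me@example.org"),   # inbound mail to us
        ("192.168.1.10", "me@example.org", "friend@example.net"),   # we send out
        ("203.0.113.5", "me@example.org", "victim@example.net"),    # forged sender, relay attempt
        ("203.0.113.5", "spam@example.com", "victim@example.net"),  # plain relay attempt
    ]
    return [mail_action(*c) for c in cases]


if __name__ == "__main__":
    print(demo())
    print(news_action("127.0.0.1"), news_action("203.0.113.5"))
```

The third case is the one worth staring at: a forged "local" sender from a foreign client gets the same treatment as any other relay attempt, which is why the decision has to rest on the client's network and the recipient's domain, and never on who the message claims to be from.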

To stop spammers posting news, you may want to investigate TCP wrappers -- aka tcpd -- a tool for restricting who can access your network servers; see the documents in /usr/doc/tcp_wrappers-X.Y (where X.Y is a version number). Mail is more of a headache, insofar as it depends what mail transport system you're using; Sendmail users (which in practice means most of you) should look to Sendmail Inc's web site. The truly paranoid (and technically advanced) may also want to invest in a copy of "Firewalls and Internet Security" by Cheswick and Bellovin (pub. Addison-Wesley, ISBN 0-201-63357-4). These guys built AT&T's firewall. They know firewalls inside-out. They also know networking inside-out. They're paranoid. I've read their book; now I'm paranoid too. But at least I know the crackers are out to get me.

Some particularly skilled crackers write automatic tools that attempt to propagate themselves from one machine to another. Mostly these tools (called worms) rely on exploiting one or two common security loopholes; and mostly they don't work. The big exception was the Great Internet Worm of 1988. Written by Robert T. Morris (son of Robert Morris, the US National Security Agency's chief computer scientist -- oops!), the worm attacked some known 'back doors' on DEC's VMS operating system and on Sun's then-current version of SunOS (a UNIX system). Due to a bug in the worm, it propagated uncontrollably, reinfecting already-infected computers until they ground to a standstill; at its height it affected 60% of the internet (which then hosted a mere 50,000 or so machines). No Linux-specific worm has been confirmed in the wild, but as Linux continues to spread you can bet that some idiot will try and write one -- which is part of the reason it pays to stay current on security issues. (Incidentally, the back doors that RTM's worm exploited were slammed very hard indeed, immediately afterwards!)

Anyway. In summary: Linux doesn't get viruses; some genius out there may figure out how to infect it successfully, but I'm not holding my breath. Linux is, however, vulnerable to different kinds of attack: these are most critical if you run a server that's connected to the internet all the time, but can still affect dial-up users (and a particular problem is spammers grabbing mail and news access). The solution is to know how Linux system security works, and attempt to keep abreast of current developments and security alerts.

There is, however, one Linux-related virus that has been rumoured (as of April 1st) to be going round the net. It's called Tuxissa. It's like the Melissa virus, except after it emails itself to everyone in the victim's Outlook address book, it downloads a copy of Linux and installs it on their hard disk. The next time the machine reboots, the Windows logo is replaced by a penguin followed shortly thereafter by a login prompt ...

FUD wars

This is a Linux column. It is not a Windows column; you've got the rest of the magazine for that. Nor is it an anti-Windows column: while Microsoft products aren't generally my cup of tea, I recognize that there are good and valid reasons why you might want to use them. Relaxed tolerance is the name of the game; anyway, yelling about the evils of the enemy camp is no way to gain converts to the One True Cause.

But someone really ought to tell Bill Gates that, before he shoots himself in the foot. Microsoft first noticed Linux last year; now they've gone into full-speed overdrive, shrilly spreading FUD -- Fear, Uncertainty, and Despair -- about Linux. I very much fear that if they keep it up at this level they're going to end up damaging their own credibility, possibly fatally.

For starters, Microsoft execs have begun making knocking comments in speeches. Bill Gates, in particular, seems to think that free software is doomed; speaking in Houston he said that the market for free software consists of a few simple programs, and things like web browsers and operating systems are too complex to be developed for free. One wonders just why Bill feels the need to make statements like this; it isn't constructive, it doesn't give his audience any convincing arguments for staying away from free software, and it's offering hostages to fortune (in the event that he turns out to be wrong).

Meanwhile, a chorus of executives piped up in the background: Ed Muth (group manager for Windows 2000), for example, claimed that Linux offers little value since it has few off-the-shelf applications (such as, one would suppose, Excel and Word), and -- bizarrely -- lacks integration between the operating system and its applications. (I figure this is a strength, not a weakness; I don't want a buggy application to be able to corrupt my operating system.)

But the sight of executives burying their heads in the sand before an incoming tide is nothing new: neither are ill-considered statements. Knocking comments about the opposition are simply the stock in trade of the marketing brigade, when they can't think of anything useful with which to promote their own bandwagon.

There are more bizarre attacks, though. The web site http://linux.de/, for example, received a letter from Microsoft's lawyers accusing them of trademark violation and demanding that they remove a slogan from their web site: the KDE organisation's cheeky catch-phrase, "Where do you want to go tomorrow?" This is not a Microsoft trade mark as such, and as parody is entirely legal: and there's no sign of Microsoft threatening Billy Graham, who uses precisely the same slogan for some of his revivalist missions. It's also in use on more than four hundred web sites at last count. And, as McDonald's learned last year in the high court, pointing the legal big guns at small fry is guaranteed to put them in a lose-lose situation; they can't hope to win any damages in court, and they can gain a very unpleasant reputation for bullying.

And there's more.

Recently, Microsoft commissioned a company called Mindcraft to do a comparative benchmark study of Linux and Windows NT, running as file and web servers on high-end hardware. You can find the survey results on Mindcraft's web site; suffice to say, Mindcraft found that NT was 2.5 times faster than Linux as a file server, and 3.7 times faster as a web server. Except that, er, it isn't. While they used identical hardware for the tests, they spent weeks tuning the NT system for maximum throughput; but it appears from their report that they spent approximately five minutes on the Linux installation, and may well have modified its configuration in ways detrimental to its performance.

There are too many things wrong with this study to list here; you can get the full dirty story at http://lwn.net/1999/features/MindCraft1.0.phtml. Just to cover the high points: Mindcraft used a Linux kernel release known to have problems talking to Windows clients. It was badly tuned for the type of test they were performing, they re-compiled the file server software into a de-optimized binary, they used configuration files that seemed to be designed to slow Samba up, and they used a very badly configured Apache web server. As an encore, they didn't publish quite enough details of their test platform to let anybody duplicate it. In short, it looks like a propaganda exercise -- and indeed, Mindcraft have been hired in the past by Microsoft to do comparisons between NT and NetWare and NT and Solaris. (Do I need to tell you which system came out on top each time?)

Of course, Microsoft would never countenance a deliberately rigged study. Nor would they dream of asking for a survey which would provide bogus but realistic-looking facts to back up their executives' public pronouncements. And of course, it couldn't possibly be true that during the recent anti-trust lawsuit the government entered in evidence an e-mail written by Bill Gates himself, saying "it would help me immensely to have a survey showing that 90 percent of developers believe that putting the browser into the OS makes sense." That couldn't possibly happen. Could it?

The Mindcraft survey went too far. It's common knowledge that a properly-configured Linux system is generally faster than NT as a file or web server. Maybe if Mindcraft had claimed that with proper tuning NT could equal the throughput of Linux, people wouldn't have looked so hard at the study: but claiming a 300% performance edge convinced even the more credulous sectors of the media to look twice at what was being claimed. I expect Mindcraft have some serious back-pedalling to do before anyone takes them seriously again: more to the point, the whole fiasco is going to come back to haunt Microsoft. You see, there are strong rumours circulating at present about an engineering group -- roughly forty in number -- that's currently porting Microsoft Office 2000 to Linux. Some time in the next twelve months -- maybe sooner -- Microsoft is going to have to turn round and say, "see! We've been supporting Linux all along! It's one of our strategic platforms! Won't you buy our Linux software?"

I'll say it again: I am not knocking Microsoft. (If nothing else, they're certainly the world's best marketing company.) But they don't seem to realise that the rules of the game have changed: black propaganda, bent surveys, and knocking reviews simply don't work against a competitor which is free, and hence readily available to anyone who wants to form their own opinion. All it does is make them look rude, manipulative, and arrogant. And one of the first laws of salesmanship is, never give a potential customer a reason to dislike you.