Security in Embedded Systems?
The following article points out some security problems with (non-embedded) Linux. Does anyone think Linux would also have security problems in the embedded environment? Could WIND use this as a competitive advantage?
Linux's Open-Door Policy Could Let Hackers Right In
By Kevin Max, TheStreet.com/NYTimes.com Staff Reporter
3/29/00 5:10 PM ET
thestreet.com
The Linux name has attracted its share of investor euphoria over the past year and, with it, cautious words from computer security experts.
The stunning market debuts of VA Linux (LNUX:Nasdaq), Red Hat (RHAT:Nasdaq) and Andover.Net (ANDN:Nasdaq) are examples of the excitement and instant fortunes being built around the Linux operating platform and so-called open source code.
Open source code is the freely viewed, distributed and modified code, or instructions, found in Linux software. Companies and individuals can download the code from the Internet, sometimes at no cost, and tailor it to serve their own interests. And developers voluntarily agree to make their changes to the code publicly available.
The flexibility and cost of Linux have led many to see it as a promising challenger to the dominant Windows operating system from Microsoft (MSFT:Nasdaq).
But the Linux principle of openness is what security experts fear most.
"When you have open source, there is the potential for greater problems," says MacDonnell Ulsch, a senior manager of technology risk devices at PricewaterhouseCoopers, the accounting and consulting firm. "For example, every time you make a change to the code, you report it. Over time, does that reveal more about your infrastructure than you want to reveal?"
Double-Edge Sword
In addition, businesses often bring in outside consultants to maintain the code. That presents another opportunity for a breach of security, Ulsch says.
"Before Internet banking and the World Wide Web, information was more secure. A dog, a guard and a gun and you were all set," he says. "If Linux security is ignored, this is a looming crisis."
Many top companies don't agree. Linux's open source code has been embraced by Intel (INTC:Nasdaq), Compaq (CPQ:NYSE), IBM (IBM:NYSE) and Dell (DELL:Nasdaq) as the cheaper, faster and more functional alternative to Windows. Linux may even be a lifeline for Corel (CORL:Nasdaq), a software products manufacturer whose depressed stock has climbed about 60% since it began selling a Linux-based operating system last November and promised to become a premier Linux software source.
But as the corporate world is rushing to adopt the cheaper alternative, security experts are bracing for the impact.
"This is a double-edged sword," says Scott Hissam, a member of Carnegie Mellon's Software Engineering Institute. "The bad guys have access to the same code as the creators. They can use that information to exploit the code and make it do what they want it to do."
A Continuing Dialogue
Linus Torvalds, a graduate student at the University of Helsinki in Finland who created Linux, deliberately exposed the terms of the programming language so that anyone could add to, or improve, the existing code. In effect, he created a continuing dialogue among Linux developers on the Internet. So instead of having a small group of in-house software developers responsible for the end product, Linux has a vast network of people contributing to its speedy evolution.
But Ed Roback, the acting chief of the computer security division at the National Security Institute, has reservations. "If you're in a large organization, you have people modifying the code because they can," he says. "So you could have local variations in the code. The modifications could be introducing vulnerabilities themselves. It's also conceivable that folks could insert malicious code." Malicious code can lead to a system halt, or internal libraries of information being replaced.
Typically, when weak points in the code are found, users have shared these on user groups and Web sites like linux.com and linux.org. But this exposure leads to a problem, with developers publicizing the "patch" and hackers having access to the blueprint of the fix.
Vulnerable to Hackers
"You have to assume that if there is a vulnerability posted on a site, there has to be an attack script," Roback says. An attack script is a program that enables outsiders to hack a program's code. "You could correct them, but then there are vulnerabilities to that."
The National Infrastructure Protection Center publishes CyberNotes, which itemizes compromises in computer software and hardware. Among those listed as high risk are holes in two servers made by SuSE Linux of Germany that allow a malicious user to gain unauthorized access to files. A loophole in a Linux server from Debian makes it possible for hackers to compromise files within that server. Patches for both problems are posted on the companies' Web sites.
Hackers, of course, don't draw their boundaries around Linux products. Microsoft's Windows NT server, for example, is susceptible to an attack in which the perpetrator can obtain and use lists of users' names for attacks on other systems. There was no patch for this problem as of Feb. 16, according to the NIPC.
Jury's Still Out
Phil Rueppel, an analyst at Deutsche Bank Alex. Brown, says problems within the Linux code can be found and quickly resolved. "There's no reason to believe that the source code can't be made as bulletproof as the legacy systems," he says.
Rueppel's firm helped finance the initial public offering of Red Hat, which develops and sells Linux operating systems. Rueppel rates it a buy.
Phil Baker, a technology risk services practices senior consultant at PricewaterhouseCoopers, has a divided opinion of Linux. He notes that one advantage Linux has over conventional operating software is that developers can strip out all of the extraneous parts and close a lot of the back doors that could otherwise be hacked.
But, "we don't know right now whether it will save money," he says. "You could say that the jury is still out on how secure Linux code is."
For now, many businesses are looking to cut costs first and ask security questions later. But Ulsch of Pricewaterhouse Coopers warns: "I'm not a believer that Linux is a cost-saver if you factor in all the security issues. If you go into this for cost savings, you're going in for the wrong reason." |
