Schneier on Security
A blog covering security and security technology.
March 27, 2009
Security Fears Drive Iran to Linux
According to The Age in Australia:
"We would have to pay a lot of money," said Sephery-Rad, noting that most of the government's estimated one million PCs and the country's total of six to eight million computers were being run almost exclusively on the Windows platform.
"Secondly, Microsoft software has a lot of backdoors and security weaknesses that are always being patched, so it is not secure. We are also under US sanctions. All this makes us think we need an alternative operating system."
"Microsoft is a national security concern. Security in an operating system is an important issue, and when it is on a computer in the government it is of even greater importance," said the official.
Posted on March 27, 2009 at 5:52 AM
When I got to "But if there is one weak point with Linux, it is user-friendliness when used on the desktop.", it made me look at the date of the article: 2004.
I wonder if now, almost 5 years later, anything has come of these plans.
I never really understood this. When Ahmadinejad announced he had started a blog I had a look and it was obviously running on a Windows server (about two years ago, I should think). And I thought: isn't Iran on the list of countries to which you are not allowed to export US-made products? So I assumed it was them thumbing their noses at the Americans by using pirated copies or something. Still, if it allowed the CIA backdoor access to the Iranian government, maybe they thought it was worth breaking the embargo for!
"isn't Iran on the list of countries to which you are not allowed to export US made products?"
Yes, but one of the reasons for Iran's aggressively anti-US stance is that US policy has exempted MS products from the ban in a targeted attack on Iranian productivity and security.
I was in Iran a few years ago & had an interesting visit to a computer store. All the software was pirated, and everything was priced at the equivalent of US$7 per CD-ROM.
This is just more evidence that the government of Iran is run by paranoid crackpots.
They do have a general point that they can't be confident in their own Windows systems, but not because of their inherent security. As others have pointed out, they can't be legitimate customers, they can only pirate systems, so they can't get legitimate support.
But this crap about all the patching is nonsense. A complex Linux system has many more security patches month-to-month than a Windows system. And Linux systems are cracked through vulnerabilities, mostly in applications like PHP, all the time.
Larry Seltzer, that's not the Linux system that's being cracked, or PHP, but the PHP application.
I can write a php script in a few minutes that will allow you to download my whole hard drive with the help of Apache. That doesn't mean my Linux is insecure.
Linux can't be expected to inspect and magically fix any faulty third-party software that runs on it.
Microsoft, on the other hand, fills its own products with insecurities.
"Linux can't be expected to inspect and magically fix any faulty third-party software that runs on it."
Yes, because if they did they'd have to start calling it OpenBSD. :)
Careful, Boogaboo & Larry...you're dancing on the edge of a holy war.
Let's just agree that the only truly "safe" place is the grave and move along, neh?
At the risk of descending into a "holy war", could you elaborate, or preferably point to a good explanation of your position? My familiarity with OpenBSD is weak.
This might help you in understanding what spider is talking about: http://www.openbsd.org/faq/faq1.html#WhatIs.
The OpenBSD folks emphasize security above all other considerations, which is not true of any other Unix-like operating system I can think of.
However, Spider is missing something: they don't guarantee that third party software will be secure. When the OpenBSD folks brag about "Only two remote holes in the default install, in more than 10 years!" they are only talking about the default install. Anything incorporated into that default will be checked to exacting detail, but non-default applications are not subjected to the same scrutiny.
Whoops, left out a reference.
The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security.
It would be interesting to see some up-to-date status. (The linked article is from 2004.)
I was in New York about 3 months ago and saw the same thing. Everything was pirated from software to DVD's. I was amazed a street shop could get away with that.
I'm not sure what the relevance here is, but software piracy is a worldwide issue.
USA black-market goods are big in Iran. See the excellent article in Conde Nast Portfolio, "Axis of commerce". Google brings it up.
> Larry Seltzer, that's not the Linux system that's being cracked,
> or PHP, but the PHP application.
This depends on how rigorously you want to define the endpoints for your "system". What is the system you're talking about? The kernel? If you're only talking about the kernel itself, the security vulnerability history for the linux, BSD, and Windows kernels isn't all that different - kernel vulnerabilities are pretty rare. The file system? Is ext3 part of the "linux system"? OpenSSH? It comes packaged with most linux distributions, is that part of the "system"? What about the web browser? "That's application space" you might say, but it does *come* with most major linux distributions out of the box, and it's in the BSD ports collection.
Most of the "OpenBSD is the most secure system in the world!" people fail to note that the only major difference between OpenBSD and most Linux distributions in the "out of the box" SSH configuration is that OpenBSD has ForwardX11Trusted set to "no", and most Linux distributions have it set to "yes". Well, if you're not counting userspace applications, these are functionally equivalent. It takes a user to actually invoke X forwarding over SSH for there to actually be a difference in the threat.
So... do we count the "user" as part of the "system"? If we don't, then IE's horrible vulnerability history is irrelevant to discussion "Windows system" security, since the OS doesn't invoke the user app itself, right?
To me, the system begins at the meatspace entity sitting at the keyboard. If your operating system design has a bunch of safety interlocks that you have enabled by default, but you know your userspace includes people who are going to disable those interlocks, your OS isn't any more secure in any practical sense than any OS that ships with those same interlocks already disabled; in production, the boxes will be used the same way and are subject to the same attack vectors. Similarly, if your OS design has a bunch of safety interlocks that are turned off by default and you expect the *user* to turn them on before engaging in risky behavior, your claims of OS security are bunk.
There aren't any secure systems without a secure operator. There aren't very many secure operators.
Pat: "most Linux distributions in the "out of the box" SSH configuration is that OpenBSD has forwardX11trusted set to "no", and most Linux distributions have it set to "yes"."
That hasn't been true for a few years -- it's actually a pretty big PITA since, for most usages, that's not a real security issue -- how many boxes are there where you really need to protect the X11 system from an ssh attack on the clipboard?
"people fail to note that the only major difference between OpenBSD and most Linux distributions in the 'out of the box' SSH configuration is that OpenBSD has forwardX11trusted set to 'no', and most Linux distributions have it set to 'yes'".
Yea, not to mention the entire kernel, the filesystem, the startup logic, .so layouts, binary types, the license, the governance of new development, et al etc etc.
A pox on the 'who is better' argument, but don't imply that BSD flavors are 'just another pre-configured Linux distro', because they aren't, and they never have been, ever.
Iran is not a signatory to some international copyright conventions.
"A complex Linux system has many more security patches month-to-month than a Windows system"
Would it be better if they saved them up each month and released them in one big patch? I mean, this isn't telling me much. The number of patches is a very bad metric; for one thing it says nothing about the severity of the problems being fixed.
For example you can take a look this old article (from around the same time as the one at the top), http://www.theregister.co.uk/2004/10/22/...
@Anonymous OpenBSD User -
I think that this is more what I was looking for; I've used BSD before - I was just wondering about its security claims. It seems that they center on security auditing.
Of course, it probably would have helped if I indicated that my lack of knowledge about OpenBSD meant that I'd never changed the kernel (unlike perhaps a dozen other operating systems), instead of likely implying that I'd barely heard of it.
@A nonny Bunny: this aspect of the OS security debate has been covered exhaustively. The bottom line is that most attacks are at the application level, not the OS level; and last I checked, Apache and PHP ran as well on Windows as they do on Linux, so no one can credibly throw those in with "Linux" vulnerabilities just because that is the most commonly used environment for that code.
@Pat Cahalan: the OpenBSD version of OpenSSH is not the same as the portable OpenSSH that runs everywhere else. It is a smaller code base and thus has a smaller attack surface. This is true of many of the OpenBSD network utilities. Configuration is most certainly not the only difference.
On servers, I don't see compelling evidence that security at the OS level is a big practical differentiator anymore.
Another happy OpenBSD user here, many years.
Pat Cahalan on 27th, 12:03pm hit it on the head with secure systems and operators.
OpenBSD is still wide open to top level hackers. History of Unix, those who can write top code, can break top code.
I think it all comes down to who you can trust and pay off.
OpenBSD has some subtle differences compared to linux, and everything adds up until things break. Levels in security is a farce.
> It is a smaller code base and thus has a smaller attack surface.
From a practical standpoint, this is nearly a non-issue. You're much more likely to have a compromise because you're running an sshd and someone's account credentials are compromised than a zero-day exploit in OpenSSH.
> That hasn't been true for a few years
It's not? It was the case on Mandriva 2007 (I didn't run 2008, so I can't claim otherwise), OpenSUSE 10.2, it's currently the case in RHEL 5. I don't run an sshd on my Ubuntu laptop, but I'll check the default config out just to see if you're right.
> it's actually a pretty big PITA since, for most usages,
> that's not a real security issue
Sure. That's sort of my point; in most cases, it's effectively a completely cosmetic difference.
> but don't imply that BSD flavors are 'just another pre-configured
> linux distro', because they aren't, and they never has been, ever.
You're right, I did phrase that paragraph (very) badly, and it did come off that way. There are certainly differences between the two, my wording was really bad in that sentence :)
I don't think practical, deployed, in-the-enterprise security profile is one of the differences, for the simple reason that when it *does* come to practical security, what you generally see in deployed scenarios is that the Open/Free/NetBSD machines are configured in a way that they act for all intents and purposes just like the Linux boxes. While you can argue that the software may be some small delta more secure than the version that's running on the Linux box, the practical reality is that the security vulnerabilities that lead to cluster compromise are usually human- or process-related, and these are orders of magnitude more common than cluster compromises that originate entirely from service level compromises.
Not to mention the fact that if you don't have good security processes, you don't *catch* the intrusion until the damage is wayyy out of control. I'd rather see a cluster of Windows machines run by a reasonably competent systems administrator than a cluster of OpenBSD machines run by someone who doesn't know what they're doing :)
But I think everybody agrees on the "pox on which is better" comment, so.
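The ssh_config point argued back and forth above (which value of ForwardX11Trusted is actually in effect for a given host, and the fact that ssh uses the first value it obtains for an option) as an added example, not code from the original post or any of the commenters: a Python checker that parses a constructed client config, resolves ForwardX11 and ForwardX11Trusted per host using ssh's first-match rule and Host pattern negation, and flags hosts for which `ssh -X` would hand the remote side a trusted connection to the local display. The sample config, host names and the upstream defaults of "no" for both options are assumptions; Match and Include directives are not handled.

```python
import fnmatch

# Constructed sample client config (an assumption, not taken from the page):
# a Debian/Ubuntu-style /etc/ssh/ssh_config that switches ForwardX11Trusted on
# for every host, with tighter per-host blocks above it.
SAMPLE_SSH_CONFIG = """\
# global options before the first Host line apply everywhere
SendEnv LANG LC_*

Host bastion.example.org
    ForwardX11 no
    ForwardX11Trusted no

Host *.lab.example.org !untrusted.lab.example.org
    ForwardX11 yes

Host *
    ForwardX11Trusted yes
"""

# Upstream OpenSSH defaults for the two options this check cares about.
DEFAULTS = {"forwardx11": "no", "forwardx11trusted": "no"}


def parse_ssh_config(text):
    """Split an ssh_config into (host_patterns, {option: value}) blocks.

    Options that precede the first Host line form a block that matches
    every host. Match and Include directives are not handled here.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            raise ValueError("Match blocks are not supported by this example")
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)  # first value within a block wins
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """A Host line matches if some positive pattern matches and no '!' pattern does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive


def effective_option(blocks, host, option):
    """Apply ssh_config's rule: the first obtained value for an option wins."""
    option = option.lower()
    for patterns, options in blocks:
        if host_matches(patterns, host) and option in options:
            return options[option].lower()
    return DEFAULTS.get(option)


def x11_policy(blocks, host):
    """What a plain `ssh host` does with the local X display, and whether
    forwarding (by config or by `ssh -X`) would be trusted or untrusted."""
    forward = effective_option(blocks, host, "ForwardX11") == "yes"
    trusted = effective_option(blocks, host, "ForwardX11Trusted") == "yes"
    if not forward:
        summary = "X11 not forwarded by default"
    elif trusted:
        summary = "TRUSTED X11 forwarding: remote clients get the whole display"
    else:
        summary = "untrusted X11 forwarding (X SECURITY extension restrictions apply)"
    return {"forward_by_default": forward, "trusted_when_forwarded": trusted,
            "summary": summary}


def audit(config_text, hosts):
    """Resolve the X11 forwarding policy for each host against one config."""
    blocks = parse_ssh_config(config_text)
    return {host: x11_policy(blocks, host) for host in hosts}


if __name__ == "__main__":
    for host, policy in audit(SAMPLE_SSH_CONFIG, [
        "bastion.example.org", "web1.lab.example.org",
        "untrusted.lab.example.org", "git.example.com",
    ]).items():
        flag = "!!" if policy["trusted_when_forwarded"] else "  "
        print(f"{flag} {host:28} {policy['summary']}")
```

The catch-all `Host *` block at the bottom is why a per-host `ForwardX11 no` is not enough: it only stops forwarding by default, and a later `ssh -X` still inherits `ForwardX11Trusted yes` from the global block unless the host block overrides that option too, as the bastion entry does.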
Although Ubuntu and other Linux systems are secure, OpenBSD clearly has a more trustworthy security model with several mature mitigation technologies.
It is common for vulnerabilities in well known software to be not exploitable on OpenBSD. To proclaim the OpenBSD system to be "wide open" is to proclaim ignorance.
It looks like "Sepah Pasdaran" (The Revolutionary Corps/Guardians/Whatever...) or an IT department in Iran needs more budget, and is using "fear" to get it.
I remember they did a Sharif Linux (http://www.farsiweb.ir/wiki/Sharif_Linux as http://shariflinux.com/ is down now) some time ago. It was just a translated version of Red Hat, created with governmental funding, which also cost $20 for the end user! It was (and still is) too expensive, as Windows XP is sold for $1 per disc, and Vista (cracked and UPDATEABLE!) for $5!
Irrespective of the "Iranian Position", political or otherwise, there are good reasons to use different OSes.
History tells us that monocultures, although initially successful, usually tend to fail badly once a weakness is found.
If you leave out "ego food", the main reason to break into a computer system is the same as it is with physical safes.
That is to get at what it holds. In either case, if a person believes that the safe/computer holds something of value and the risk/cost of obtaining it is sufficiently low by comparison to the value, then they will find a way in.
Safe crackers used to have favoured safes to illicitly open, and the normal rules of an open market ensured that a monoculture did not develop in "safe supply".
Operating systems have had well over thirty years to become relatively stable and fairly secure against such illicit attempts (the everyday "organ sacks" being the main attack vector of choice to get inside the OS).
Commercial applications, on the other hand, only have relatively short lives before they are either significantly augmented or replaced by competing products.
In the "rush to market", security is fairly low on the marketing department's "requirements list" when compared to "look and feel".
Further, applications used to be run only by those employed by the organisation and thus were normally assumed to be trustworthy. Therefore application security was not considered much of an issue by most (which might account for the previous ratio of "insider" to "external" attacks).
And as with the doors of a building, where generally the internal doors are of little security value when compared to the front door, applications are seen as internal, not external like the OS.
However, in the "Brave New World" of the web, the security gates of the OS are thrown open to anybody and everybody who chooses to walk through at any time. And the items of value are hidden behind closed internal doors that may not even be locked...
The solution needed is much like banks and their vestibule ATMs. Put a safe around the items of value and implement a level of control and authentication that fits your risk model.
It won't stop your customers getting mugged or robbed, but the smart ones realise visibly having valuables in a bad neighbourhood is not a wise thing to do, and take further precautions at their homes etc.
I guess the "virtual world" has to play catch-up with the real world, especially when it comes to "street wising" the average "organ sack".
Unfortunately there is a fly in the ointment, and that is "data formats": most commercial applications have proprietary or closed data storage formats. This prevents organisations from freely changing application suppliers.
It is as silly as saying "Oh, our filing cabinet can only use our special paper and file hangers".
A push to be rid of proprietary or closed data storage standards would in a relatively short time (in human terms) encourage diversification in applications and OSes, which in turn would allow migration of data transparently to the user, which would help put an end to the monoculture issues we currently have.
How come, no matter the topic, in no matter the context, whenever Linran is brought up it provokes a religious war?
Oops, I meant Iriux... oh, what a giveaway! I meant Iran.
I have hacked bsd boxes, linux boxes, and windows boxes, the easiest to hack is windows.
You would think since windows is easy to operate it would be easy to secure, but it isn't, top IT guys and security companies I have done auditing for think their windows is unhackable because they got the latest patches, antivirus, and firewall technologies.
The security products, patches and work they do to secure windows is a false sense of security.
If someone wants in any type of system bad enough they will find a way in.
A security conscious coder/hacker/sysadmin on a unix system will more than likely have their system more secure than a security conscious coder/hacker/windows sysadmin.
I tend to notice more Windows security guys with closed minds, like closed source. Most I've personally met can't really think outside the box; those that do tend to switch OSes completely from Windows. Windows will never be close to secure until we can see the closed source and make a proper judgment. All I see is holes; for me, the best security with Windows would be to block all access to and from Windows on my network.
It's a shame you could install a basic XP/Vista/Windows 7 install and, before you have the time to use Windows Update, I'll have the system hacked and backdoored where no antivirus or software to date could detect it.
It's much harder to do the same thing with an up-to-date Linux/Unix install, but not impossible.
Security is only temporary in this world.
I don't think Windows will ever be secure. Microsoft could have secured their OSes ages ago, but they make too much money off of support, and it would probably put thousands of security software companies out of business.
If *nix is so easy and simple to use, then why haven't Red Hat et al gone out of business?
The majority of these comments are anti-Iran. I wonder how many of you are Christians who believe everything on Fox News. Iran has ICBM capability, far-reaching; if they were the threat (NSA, not CIA, as the one commenter stated), then they would have used it by now. They know America is more than willing to backdoor an OS, even on their own citizens. What about hardware backdoors? If you think software backdoors are paranoid, you are years behind. Computers are being produced in China and other countries, where one logic gate placed in the right place, very hard to spot, is a backdoor bypassing any OS installed. So maybe you should research before running your trap.
Backdoor logic gates panic and blow the fuses to disconnect themselves from the circuit at even the slightest glance from Bruce Schneier.
(Sorry, couldn't resist.)
"The majority of these comments are anti Iran"
What are you smoking, and where can I get some? Most comments don't even mention Iran. And only the one that said it's run by paranoid crackpots can be considered anti-Iran, as far as I can tell. One in 33 is not a majority, unless perhaps you're living in a dictatorship.
Hey All ! Please slow down!
I'm living in Iran and I know all the facts about both government and the people.
First of all, separate the country and nation of Iran from its government. Iranians are Iranians, and the government of Iran is the "Islamic Republic", which was made through a revolution and is now being controlled and led by some fools like Ahmadinejad. You definitely know that, for example, Microsoft Windows Vista Ultimate is up to $400 per license. If you were living in Iran, could you ever earn over $400/month to buy Windows Vista, for example?
Maybe you think the income from oil and exports is being given to the people, yeah? Mehh, I don't know how you might think this way.
You know Iran has a population of 70 million, and over 40 million are below the line of HARD poverty!!!
The low income of the people is THE ONLY reason why people do not obey copyright. I mean, if people could earn more, they definitely would obey it strictly!
BUT the main reason is the "Islamic Republic" government. The I.R. of Iran DOESN'T obey copyright so as not to put people under any more pressure, to prevent any kind of revolt against their power. That's what you really need to know.
On the other side, they can never encourage people to use the Linux OS, because it's really not user-friendly, as I read in one of the comments. And of course we, Iranians, love the USA, and we would love to have relations with the United States. Teenagers call Bill Gates their "UNCLE"!
This is the "Islamic Republic regime" that is fighting for power. They do anything to keep the power for themselves. If they allow relations with the US, let people earn more, and give them (us, the people) freedom, then who do they have to introduce as the enemy, except the United States? That's while you see that if there was any positive activity in the history of Iran, it was just by the United States!!! And the United Kingdom and Russia have always destroyed Iran, and the Islamic Republic government has now cut off relations with the U.S.A. and strengthened relations with the U.K. and Russia!!!
That's how they're governing.
I think you really need to change your attitude about IRANIANS and the I.R. "REGIME" of Iran, and consider their absolute separation!
I will be thankful if you pay attention to this comment.