.comment: Leveraging Linux
Due Diligence

There will probably be no .comment column the week after the first negligence suit is filed against a firm whose negligent action is the use of Microsoft software when they should have known better, with the result being a client's confidential documents having become public. It is difficult to type when one is laughing oneself into a total thoracic muscle cramp. And I'm not sure I'll be able to get it out of my system in a week.

But seriously, folks . . . I got to thinking about this when I learned that a law firm I know is about to embrace Outlook as its email client. One need have paid only very little attention over the last couple of years to know that if one wishes to keep a secret, one does not want it ever to pass through Outlook or to reside on a machine where Outlook is ever used. (The firm gets its IT services from an outside outfit, which typically means someone for whom it was an MSCE or the Army, and the Army said no. There are exceptions, but in my experience there is not a dimmer string of bulbs on the planet than that made up of MSCE certificants.) It will be no particular surprise to hear that confidential client documents have hitched a ride out of the firm on some SirCam variant. Wonder if the crackerjacks hired by the law firm know to turn off, and if they do, how to turn off, IIS. If not, there's another little surprise that could give a cracker hours of amusement. (Microsoft is going into the game box business; for many persons of malicious intent, Microsoft has been in the game box business all along.)

Now we get news that there is a vulnerability in Internet Explorer which allows unauthorized persons either locally or elsewhere to mine confidential data from cookies. I've long railed against cookies, claiming that they are a monstrous potential security hole, and now Microsoft has removed the word "potential" from that claim.
Microsoft claimed under oath that Internet Explorer is so crucial to its operating system that its operating system won't work without it. This means that the vulnerability is as hard-coded as it gets. (Microsoft says that the fix is to turn off scripting. This renders useless sites designed specifically for IE. Serves 'em right.) And that's all before we get into the really juicy stuff.

It got some note last year, but it's worth revisiting the study, Cyber Threats and Information Security, released last December by the highly regarded Center for Strategic and International Studies. The study's authors -- and there isn't a lightweight among them -- noted that Microsoft's computers containing source code had been cracked, and said: "There are several recent examples of how formerly industry-specific concerns have risen -- or have the potential to rise -- to the level of national security concerns. Perhaps the most recent example is the admission by Microsoft that hackers had broken into their systems and accessed next-generation Windows software that was not only unreleased, but not yet even announced. A profound concern to both private and public entities becomes whether or not any of these products will be trustworthy once they are released. It is doubtful that the millions (sometimes billions) of lines of code required to power Microsoft's products could readily be sanitized."

Let's see. What would, a year ago, have been referred to as "next-generation Windows software"? Why, it's XP! What CSIS is saying, without coming right out and saying it, is that there could be all sorts of back doors inserted into the XP code without anyone beyond the cracker, least of all Microsoft, knowing about it. What they're also saying, and this time they do come right out and say it, is that Microsoft's software is therefore a national security risk.
Now, there is a concept in the law called "due diligence," and what it means, basically, is the ability to prove that one knows all that he or she (or it, in the case of a firm) can reasonably be expected to know. It is required in many securities transactions, corporate reports, and the like. It can be offered as an affirmative defense in negligence suits. And I think I have demonstrated above that it would not be a very effective defense in a case in which the negligent act came in entrusting confidential data to unsecure Microsoft software. But I repeat myself; the phrase "unsecure Microsoft software" is redundant. When that lawsuit comes, the effects will be widespread and instant. Engineers call it the "pucker factor," and without getting too descriptive let me describe it as the phenomenon in which, because of fear, the chair tends to remain attached to its occupant even after the occupant stands up. There will be a mad scramble to eliminate exposure to liability resulting from the use of Microsoft products. At which point there is likely to be considerable job turnover in the IT industry. Time to get ready.
The Strategies

There are two ways -- two and one-half, actually -- to prepare for the inevitable day when "anything but Microsoft" is the anguished cry from the legal department. They depend on whether you're currently in a corporate IT department or not, and, if you are, how that department is run (friends in these positions tell me that the choices are "poorly" and "unbelievably poorly," though there are bound to be a few good ones around).

It's important to let the higher-ups know, and let them know that you know, that Microsoft systems are vulnerable -- and that there is an alternative that is both cheap and effective. Yup, Linux. When reports of vulnerabilities surface, cc 'em to the powers that be. At the same time -- and here diplomacy is the order of the day -- point out the alternative that exists in the Linux world, and how for no or next-to-no money a way around the vulnerability can be had. And keep copies of it all, every note, every response. With luck, you'll be putting the wheels in motion for first a pilot project, perhaps a server or two, then a gradual migration to Linux, ultimately to the desktop. Linux is ready for it, but most IT departments aren't. Again, diplomacy is essential.

If your luck is not quite this good, never mind. Bide your time, keep that folder of printouts of all your messages and the responses safe at home, and wait. Don't jump rank, but be ready to step in when your boss is having his personal pucker factor cured via some sort of reaming device. Be ready to be the hero when a hero is needed. Of course, this requires that you be current as to Linux, which your reading this suggests that you are or want to be.

What follows applies to everyone, currently employed in the IT world or not. Choose a distribution and really learn it. Subscribe to its mailing list, its security mailing list, its announcement mailing list. Make friends there.
You'll find a range of users from the single-machine hobbyist to the SOHO networker to people from some astoundingly big companies. You'll likely encounter people who actually participated in putting the distribution together (though they're seldom there as official company representatives, so if you want to confront the distributor about something, take it through other channels). There is a wealth of knowledge on the mailing lists that cannot be found anywhere else, and it's all free of cost. Learn everything you can about configuring the interesting stuff and the boring stuff, too, because the boring stuff was written with someone in mind, and that someone is companies. Get to where you can put together a solid firewall as easily as you can put in a new motherboard. Read with an eye toward security. Bob Toxen's Real World Linux Security is a good text, but this doesn't free you from staying current as to the latest exploits and the fixes for them. Be armed with success stories -- places that have taken the leap and lived. Largo, Florida, is one such place, though the move was from UnixWare to Linux. And have in mind a definite plan for a migration to Linux, with special attention toward it being as undisruptive as possible. This probably means moving servers over first, then desktops, a group or department at a time. Be prepared to smile during enormous griping, because any change will be met with griping. (So, come to think of it, will no change at all.) Again, your skills as a diplomat and teacher will be among your most important tools. Only when you have gotten this degree of knowledge can you be confident that your sponsorship of a move to Linux will be a career enhancer and will do good for the company involved. If you're not in the IT business yet but want to be, once you've gotten fluent in things Linux you can and should go ahead and make your pitch. 
Your goal is to replace all those MSCE drones who are being paid way too much to call Microsoft tech support. There are scads of businesses that get their IT work from outside contractors. You need to sell not just yourself but Linux as well, making the job doubly difficult. One of your best selling points, fortunately, is Microsoft itself. Do not go marching in with some political screed about how intellectual property is wrong and so on. Instead, be prepared to point out the things that are especially good about Linux -- low cost, high security, the inability of one user to screw up the whole system, long uptime, a wide array of high-quality software, quick bug fixing, and so on. You're there to solve a problem that the company may not know it has. And if you don't get the gig right off the bat, don't worry. Microsoft is positioning itself to become just about as unattractive as possible. And that hypothetical lawsuit looms -- it will surely come to pass. And when it does, you'll be amazed at how popular you've suddenly become.