The Linux community joins the rest of us schmucks in the sad security state as news breaks of massively infected Unix servers

I've been dipping into the coming-technology-overlord-no-more-freedom-apocalypse well quite a bit in recent weeks, so for a change, we'll leave that robot rabbit alone today. Instead, let's turn our attention to the mythical unicorn known as the totally secure Linux server.

But before we go there, I need to get this off my chest: Zuck, you unfathomable weirdo. Not a month since Google made my skin crawl with DeepMind, you drop 97-plus percent accurate facial recognition into social media and lob me DeepFace?! C'mon!! Why would you call it that? Did you lose a bet? Is it related to an unfortunate bout with high school acne? You're killing me here! Whew. I think that's it. Now back to our regularly scheduled programming.

Linux: Another notch on a hacker's keyboard

Recently, security researchers at the Slovak antivirus firm ESET uncovered what they're calling Operation Windigo, a server-side campaign built around a backdoor for Linux and other Unix-like systems that may have compromised up to 25,000 servers worldwide. Those, in turn, have been serving malicious redirects to up to 500,000 PCs a day, yours and mine among them. When discussing this with a reader via email, this line came up: "You know it's bad when even Linux machines need to worry about security." I coughed up fine, aged scotch on that one; I figured that readers of this column would know better.

Speaking of, here it comes again ... By Jove, the Turing prize and the Snowden Certificate for Creative Intel Gathering will surely be mine upon receipt of this revolutionary formula: DeepMind + DeepFace = DeepProbe. Let that one sink in.

According to ESET, Windigo isn't exploiting an undiscovered weakness in Linux or OpenSSH.
This thing has to be installed by hand, which means the wart-spouting troglodytes got hold of valid credentials for up to 25,000 servers, stolen or guessed and most likely used remotely, unless they've been faking their way into data centers worldwide wearing janitor uniforms and reading the passwords that were probably taped to each server bezel. Those admins, much like my poor reader who shall remain nameless, seem to be of the same mind: Linux is Unix, and little-used besides, so we don't have to worry about serious security.

How are you supposedly fighting the NSA and moving invasive data mining forward in leaps and bounds simultaneously, Zuck? I'm going to write my own app and call it DeepCheeks, and I'll give you one guess what that'll let you recognize with 97 percent accuracy.

Linux accounts for more than 60 percent of servers worldwide, a figure that has been floating around since 2008. That's a lot of servers running a lot of mission-critical software, which completely invalidates the pipe dream that the bad guys are ignoring Linux in favor of the supposedly weaker and more numerous Windows servers.

The Android connection

Linux servers are huge targets, with undoubtedly more valuable data per machine than anything hackers could swipe from Linux desktops. Yes, there are Linux desktops in existence, no matter what your parents told you. Those folks might, might, have a legitimate argument that their numbers are too small to warrant cyber villain attention. But lest we forget, Linux has fairly recently vaulted past the desktop and attached itself firmly to tomorrow's most popular computing form factor, the mobile device, with up to 80 percent market share, depending on which of us raving pundits you believe. From phones to smart wearables, Android is there, and it runs on a Linux kernel.

DeepFace? Really? With all your billions, you can't stop reading vintage comics long enough to hire someone with enough creativity to invent software names that won't give children nightmares?
Unfortunately, Android users and Google both seem to subscribe to the Linux-is-more-secure mythology. Google touts Android's design, with each app sandboxed and isolated from the rest of the system, as its big security advantage, but when users install software they're presented with a mostly binary choice: yes, install and accept everything the app asks for, or no, don't install. That's not much of a security model. Google's even argued that the security industry is exaggerating Android's threat levels in order to increase profits, which is a little weird coming from the King Solomon of the software world. Google did introduce a malware scanner in Android 4.2, and that's getting competition from third-party security software, but that same sandbox architecture limits what those scanners can see and do, which I'm sure has nothing to do with giving the NSA an easier time whenever they feel like hacking into your phone via Angry Birds. Google didn't even introduce remote wipe until last year!

DeepFace doesn't impress me at all, dude. It makes me want to get into DeepScotch with DeepDepression cultivating a sense of DeepForeboding and DeepDisappointmentwithYourEthics&SoftwareNames. For Pete's sake, step it up!

Your servers are sitting ducks

Alas, Windigo didn't attack Android, though I'm sure it could be modded to do so. It attacked servers, which I'd say is worse. Those machines were apparently weak on authentication, probably because admins were lulled by a false sense of safety, used easy-to-remember passwords, and didn't employ basics like two-factor authentication or antivirus. Like launch codes or wizard nipples, server authentication must be protected at all costs. If this is news to you, plenty of step-by-step guides and helpful tips are available for securing your box. ESET is recommending that admins rebuild compromised servers from the ground up.
According to their research, the backdoor runs with root privileges, so nuking the box from orbit and reinstalling is the only way to be sure, and since root saw everything, every password and SSH key that ever touched the machine has to be treated as burned. That's hard cheese to swallow for most server admins, but maybe it's the push those folks need to take off the blinders and wade into the sad security reality the rest of us are living in.

Damn DeepFace. Thanks, Zuck, now I have a stress headache.
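The "weak on authentication" point above is concrete enough to check for. Here is an added example, my own script rather than anything from the column or from ESET, that audits the global section of an sshd_config for the password-only, root-can-log-in setup that turns one stolen or guessed password into a rooted server, with a constructed weak config beside a constructed hardened one. The defaults it assumes when a directive is absent are the OpenSSH 6.x era ones (PermitRootLogin yes, PasswordAuthentication yes, Protocol 2), and the hardened sample's AuthenticationMethods line assumes OpenSSH 6.2 or later plus a PAM one-time-password module you have set up yourself.

```shell
#!/bin/sh
# Added example, not code from the column or from ESET: audit the global
# section of an sshd_config for the settings that let a single stolen or
# guessed password own the box, and show the hardened settings beside it.
# Defaults assumed below are the OpenSSH 6.x era ones.

# get_opt FILE DIRECTIVE DEFAULT: effective value of a global directive.
# sshd takes the FIRST value it sees for a keyword, so a "fix" appended at
# the bottom of the file changes nothing; keywords are case-insensitive, and
# parsing stops at the first Match block (per-host overrides are not audited).
get_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/      { next }
        NF == 0               { next }
        tolower($1) == "match" { exit }
        tolower($1) == key    { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: print one finding per line and return the number
# of findings (0 means nothing was flagged).
audit_sshd_config() {
    cfg="$1"
    n=0
    if [ "$(get_opt "$cfg" PermitRootLogin yes)" = "yes" ]; then
        echo "PermitRootLogin yes: a stolen or guessed root password logs straight in; set no (or prohibit-password with keys)"
        n=$((n + 1))
    fi
    if [ "$(get_opt "$cfg" PasswordAuthentication yes)" = "yes" ]; then
        echo "PasswordAuthentication yes: a password alone gets you in; use keys and add a second factor"
        n=$((n + 1))
    fi
    if [ "$(get_opt "$cfg" PermitEmptyPasswords no)" = "yes" ]; then
        echo "PermitEmptyPasswords yes: accounts with no password at all can log in"
        n=$((n + 1))
    fi
    case "$(get_opt "$cfg" Protocol 2)" in
        *1*) echo "Protocol includes 1: SSH-1 is broken and should be off"
             n=$((n + 1)) ;;
    esac
    return "$n"
}

# write_samples DIR: two constructed configs, not taken from any real host.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
# constructed weak config: the kind of box a harvested password walks into
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UsePAM yes
# appended later by a well-meaning admin; ignored, the first value above wins
PermitRootLogin no
EOF
    cat > "$1/hardened.conf" <<'EOF'
# constructed hardened config
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
# key AND a PAM one-time-password prompt (OpenSSH 6.2+; assumes a PAM OTP module is configured)
AuthenticationMethods publickey,keyboard-interactive
EOF
}

# Stand-alone demo: audit both samples and show the verdict for each.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in weak hardened; do
    echo "== $name.conf"
    if audit_sshd_config "$demo_dir/$name.conf"; then
        echo "(no findings)"
    fi
done
rm -rf "$demo_dir"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; the weak sample trips all four checks, including the PermitRootLogin trap, while the hardened one passes. Two caveats: the script only reads the global section, so a `Match` block that quietly re-enables passwords for some subnet will not be flagged, and none of this tells you whether the box is already backdoored. For that, ESET's report gave a quick field test for the Ebury component: a backdoored OpenSSH client silently accepted an undocumented -G switch, so `ssh -G 2>&1 | grep -e illegal -e unknown` producing a match meant a clean binary. Treat that as a 2014-vintage indicator only; OpenSSH 6.8 and later implement -G legitimately (it dumps the effective client configuration), so on a current system that test "finds" an infection everywhere.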