[lsb-discuss] next version

Dan Stromberg strombrg at dcs.nac.uci.edu
Tue May 6 08:14:52 PDT 2003


On Mon, 2003-05-05 at 15:21, Jeffrey Watts wrote: 
> On 5 May 2003, Dan Stromberg wrote:
> 
> > In the trade press, it is often said that no one knows how much linux is
> > really out there.  Microsoft naturally uses this uncertainty to its
> > advantage.
> > 
> > When UCI started discussing a licensing agreement with redhat, redhat
> > wanted to know how many installations we had on campus.  We were wholly
> > unable to tell them.
> 
> I understand that that can be a problem, but what if you turn it around?  
> Ask UCI (go Anteaters!) if they know exactly how many Microsoft 
> installations they have, and what version they're running.  They will have 
> a number, but is it accurate?  There will be many illegal installations, 
> and there will be many untracked legal ones.

Microsoft has their sales figures for their PR side, and I believe
licensing is done per employee instead of per install at UCI.  Other
sites have their difficulties with microsoft licensing, but that's not
something lsb-discuss is likely to have the power to fix.  lsb-discuss
does have the power to help significantly on the linux side though.

> This isn't a Linux issue - it's an IT management issue.  Most IT
> departments (especially in academia where staff and faculty are often
> encouraged to do their own thing) don't have a firm grasp on what is
> where.

It's both linux and IT, IMO - because if we get a decent lower bound on
linux installs worldwide, people may take linux more seriously and adopt
more quickly.

Installed base matters, as does a "vendor's" grasp of that installed
base.  E.g., Microsoft reportedly takes a loss on each iPAQ that gets
sold.  Why would they do that?  To run up their installed base
statistics, to make developers choose their platform and consumers want
to buy their product.  Naturally once they're "established" they can be
expected to start charging enough to profit.

> For example, many sysadmins at Sprint have been covertly running Linux on 
> our corporate-supplied laptops that are supposed to be running 
> Windows2000.  I've been doing so for five years.

I'm not trying to prevent this.

> Our management has a similar problem to yours, and they've been pretty
> progressive.  They've asked our Linux team (which I'm on) to set some
> standards for security and maintenance (for Linux workstations), and the
> policy is going to be that if you do run Linux, you need to either have it
> comply, or you need to seek an exception.  If you do neither, you'll have
> to answer to management.

I'm glad you have that option.  It may happen here eventually, but we
couldn't realistically hold our breath for it, and I'm sure there are
-many- other sites in the same boat.  The best we've been able to get so
far is permission to shut down the network port once something's already
been broken into.

> > There's a need for a simple protocol that can identify a computer, over
> > the internet, as a linux computer, and perhaps even which distribution,
> > so we can get accurate counts.  It should punch through any firewall by
> > default, and be drop dead simple to audit, to deter security problems.
> 
> I'm sorry, but there are large numbers of people and organizations that 
> will NOT allow this.  I can assure you that Sprint will not.  Punching 
> through a firewall?  Are you serious?  Even if you can get everyone to 
> agree to do this, how are you going to implement this?  How are you going 
> to connect to my "system ID server" on my private network when the IP 
> is one of the 10.x.x.x, etc?

I may have written ambiguously.  I meant only to punch through a
personal firewall by default, not a border firewall.  Naturally - the
personal firewall is the only one a linux install, out of the box, is
likely to touch.

I of course have no intention of collecting statistics on private
networks.  The point is only to be able to get stats on public networks,
and for IT folks to be able to get stats on their own private nets.

> I know you didn't specifically say that this server would be required, but
> when you're talking about the LSB that is the logical implication.  Also,
> what would be the point of it if it weren't?  I doubt many of the distro
> vendors would enable such a service by default, given how popular security
> by obscurity is these days.  If no one enables it by default, it's of no
> use for you.

I mean for it to take one less click to have it than not to have it,
with a little "You can help linux adoption by leaving this on".  So, on
by default but easily disabled.

> > The usual argument against this is that it allows attackers to know what
> > kind of computer they're going after, making their attack easier.  
> > However, this argument does not hold water.  nmap, queso, xprobe, p0f,
> > scapy and (other) port scanners make an attacker's id job easy anyway,
> > while the lack of a formal protocol preserves the difficulty for an
> > administrator.
> >
> > In other words, an attacker is happy with a best guess, and already has
> > one, while an administrator or linux PR person needs something better.  
> > The additional certainty in the hands of an attacker makes little
> > difference.
> 
> The problem here is that you're describing a general solution to a very
> specific problem.  You're advocating that EVERYONE make their systems
> identify the OS version and distribution version to ANYONE that wants the
> information (regardless of a firewall or security concerns), just so a
> local sysadmin can scan their network.

It's actually very general in two ways.  One is the installed base
statistic I mentioned above.  The other is the sizable number of sites
that need it to help them get a handle on how important linux already is
to them.

> As you pointed out before, nmap and others can already tell you, given a 
> set of subnets, how many computers of which broad OS types are out there.  
> Working with the netadmin, you could easily have him or her scan UCI's 
> network and identify how many Linux machines are there.  So what you 
> really are asking for is a distribution calling card.

I have enough nmap experience to say that nmap isn't really that good at
this.  It often says ambiguous stuff like "Linux 1.3.20 (X86), Windows
XP Professional RC1+ through final release".  This kind of info is quite
good enough for an attacker going after one system, but practically
useless to an administrator trying to assess two class B's, for example.

Yes, a distribution calling card is an optional part of what I was
suggesting.  This part is useful in assessing a network for licensing
purposes, but less important for total linux installed base numbers.

> Here's where I get practical.  Instead of advocating that all of the 
> LSB-compliant Linux distributions require a daemon that can't be shut off, 
> perhaps you ought to have your IT department do a better job of hardware 
> and software inventorying?  You've already said that nmap can identify 
> which systems are running Linux.  Why don't you simply go to their owners 
> and ask what they're running?  More importantly, why haven't you been 
> doing this already?

I'm not really convinced it's -possible- to make something that can't be
shut off.  I guess you could make it hard, but that was never my intent.

Asking people what they're running is extremely impractical at UCI and
other sites.  Not only do we have little info about who has which IPs,
but it would take endless phone tag and cause a lot of grumbling about
us wasting people's time.  We're talking about n*10,000 IP addresses.
Surely you can see that's just too much for calling around and asking,
even if we had a list of phone numbers?

> Remember, someday the Business Software Alliance will make a visit to UC
> Irvine, and if you can't accurately account for every installation of
> Windows they will happily eat your lunch.  If you don't know what is
> installed where, you've got a bigger problem.

Actually, I think this is a red herring in our case.  Besides, who says
linux can't be -better- than windows in this regard?

-- 
Dan Stromberg DCS/NACS/UCI <strombrg at dcs.nac.uci.edu>
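A minimal sketch of the "distribution calling card" responder discussed in this thread, added here as an illustration and not code from the thread or from the LSB: it answers exactly one fixed query with "os=linux" and, only if the administrator opts in, the distribution fields read from /etc/os-release, and does nothing else, which is what makes it simple to audit and simple to disable. The query string, port and reply format are assumptions, and the os-release text is a constructed sample so the code runs offline.

```python
import socket

# Constructed stand-in for /etc/os-release, used so the example runs offline.
SAMPLE_OS_RELEASE = (
    'NAME="Example Linux"\n'
    'ID=example\n'
    '# comments and blank lines are legal in os-release\n'
    'VERSION_ID="9.1"\n'
    "PRETTY_NAME='Example Linux 9.1'\n"
)

QUERY = b"LINUX-ID?\n"   # hypothetical fixed query; the only input acted upon
PORT = 8939              # hypothetical port, not a real assigned service

def parse_os_release(text):
    """Parse KEY=value lines, dropping comments, blanks and surrounding quotes."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip().strip('"').strip("'")
    return fields

def build_card(fields, include_distro=True):
    """Reply is always 'os=linux'; the distribution fields are opt-in."""
    lines = ["os=linux"]
    if include_distro:
        lines.append("distro=" + fields.get("ID", "unknown"))
        lines.append("version=" + fields.get("VERSION_ID", "unknown"))
    return ("\n".join(lines) + "\n").encode("ascii", "replace")

def answer(datagram, fields, include_distro=True):
    """Return the reply for one datagram, or None unless it is the exact query."""
    if datagram != QUERY:   # anything else is dropped: no parsing, no state
        return None
    return build_card(fields, include_distro)

def serve(fields, include_distro=True, bind="0.0.0.0"):
    # Disabling the service means simply not running this loop.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, PORT))
        while True:
            data, peer = sock.recvfrom(64)
            reply = answer(data, fields, include_distro)
            if reply is not None:
                sock.sendto(reply, peer)
```

The collector side can reuse parse_os_release() on the reply bytes, since the reply deliberately uses the same key=value layout.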
