LWN: Comments on "Eee PC security or lack thereof" https://lwn.net/Articles/269068/ This is a special feed containing comments posted to the individual LWN article titled "Eee PC security or lack thereof". en-us Tue, 11 Nov 2025 12:52:40 +0000 Tue, 11 Nov 2025 12:52:40 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Eee PC security or lack thereof https://lwn.net/Articles/270631/ https://lwn.net/Articles/270631/ muwlgr <div class="FormattedComment"><pre> Is the updated Samba .deb from Debian/Ubuntu installable on these Xandros systems? Or are we in .deb-hell this time? </pre></div> Sun, 24 Feb 2008 18:49:01 +0000 Copy from Microsoft.... https://lwn.net/Articles/270609/ https://lwn.net/Articles/270609/ ajharvey <div class="FormattedComment"><pre> It seems a shame to suggest this as Microsoft have had the idea first, but it seems to me the best answer is for the O/S as installed to have a firewall that is in a locked down mode (with all incoming connections blocked) until after the first update has been done. MS have implemented this in the latest revisions of Windows Server 2003.... Of course Ubuntu's option is not bad either (no open ports out of box and none until you actually share something) [Though the newest versions softened that with the network discovery stuff...] </pre></div> Sun, 24 Feb 2008 07:53:45 +0000 Eee PC security or lack thereof https://lwn.net/Articles/270562/ https://lwn.net/Articles/270562/ ofeeley <div class="FormattedComment"><pre> Similarly the Fedora Unity Project produce "re-spins" which are installation media based on the originals but with the most recent updates included. Very handy for avoiding the need to do network updates after installation. 
<a rel="nofollow" href="http://fedoraunity.org/re-spins">http://fedoraunity.org/re-spins</a> </pre></div> Fri, 22 Feb 2008 18:23:18 +0000 Eee PC hardware https://lwn.net/Articles/270247/ https://lwn.net/Articles/270247/ nix <div class="FormattedComment"><pre> My attitude is, hey, it's not very expensive, and this gives me an excuse to learn enough kernel hacking/reverse-engineering fu to help :) </pre></div> Thu, 21 Feb 2008 07:38:00 +0000 Eee PC hardware https://lwn.net/Articles/270222/ https://lwn.net/Articles/270222/ xoddam <div class="FormattedComment"><pre> I see my initial response wasn't so excellent after all :-( Sorry. I guess my googling was insufficiently thorough, or I misread something. I certainly didn't think to double-check chipset revision numbers. On seeing these links, my initial feeling is that I should *help* fill the gap in OpenHAL, but I don't know the first thing about wifi internals ... by the time I get up to speed (in the meantime trashing my 100% working toy), someone else will likely have finished the job. So the real question is, how hardcore a geek do I want to be, today? Is this a challenge I'm inexorably called to? And the answer is ... not much. I like my eee as it is. I have no call to hassle LKML with dmesgs from my tainted kernel :-/ </pre></div> Thu, 21 Feb 2008 03:12:20 +0000 Eee PC hardware https://lwn.net/Articles/270124/ https://lwn.net/Articles/270124/ nix <div class="FormattedComment"><pre> Hm. 
&lt;<a href="http://www.ussg.iu.edu/hypermail/linux/kernel/0802.2/0476.html">http://www.ussg.iu.edu/hypermail/linux/kernel/0802.2/0476...</a>&gt; states that the eee has an ath5007; &lt;<a href="http://madwifi.org/wiki/About/OpenHAL">http://madwifi.org/wiki/About/OpenHAL</a>&gt; doesn't list it as supported, and &lt;<a href="http://gentoo-wiki.com/Asus_Eee_PC_701">http://gentoo-wiki.com/Asus_Eee_PC_701</a>&gt; confirms that it's not exactly functional yet (having to reboot to turn the wireless off/on is hardly a killer but not very nice either). Has this changed very recently or something? </pre></div> Wed, 20 Feb 2008 12:42:50 +0000 Eee PC hardware https://lwn.net/Articles/269725/ https://lwn.net/Articles/269725/ nix <div class="FormattedComment"><pre> Wow. Excellent response. I have taken note and will be taking delivery of an eee fairly soon :) </pre></div> Sun, 17 Feb 2008 13:28:25 +0000 Eee PC hardware https://lwn.net/Articles/269636/ https://lwn.net/Articles/269636/ xoddam <div class="FormattedComment"><pre> Etch definitely won't support wifi and 3D out of the box, it might not even handle the ethernet. Sid will probably support it perfectly in a few months, if it doesn't already. Ethernet and wireless are Atheros; ASUS/Xandros support 802.11a/g using 'legacy' madwifi (which taints the kernel with a closed-source glue layer) but a fully GPL port (ath5k) is in Linus' tree for the 2.6.25 release: <a href="http://lwn.net/Articles/266529/">http://lwn.net/Articles/266529/</a> <a href="http://lwn.net/Articles/269241/">http://lwn.net/Articles/269241/</a> Googling indicates people have had mixed results trying ath5k on the eee, but since the successful reports seem to be more recent (and the driver has seen considerable hacking since it hit -mm a few months ago), I'd expect it to be fine by now. There's a bare-bones GPL-only debian 'port' called EeeOS specifically targeting the Eee, but they too are using madwifi. 
Apparently they needed a patch for the atl2 wired Ethernet driver too, haven't checked why. *Everything* else in LSPCI is Intel, straight down the line. Graphics is GMA915; xrandr works perfectly. </pre></div> Sat, 16 Feb 2008 12:28:47 +0000 Eee PC security or lack thereof https://lwn.net/Articles/269600/ https://lwn.net/Articles/269600/ nix <div class="FormattedComment"><pre> Just checking before I blow money on an eee: does the hardware have any components that require closed-source anything? I'd be annoyed to replace the OS with Debian or something like that only to find that, say, the wireless stopped working or the video card needed a closed-source kernel module (to name the two most likely villains). </pre></div> Fri, 15 Feb 2008 21:53:43 +0000 Eee PC security or lack thereof https://lwn.net/Articles/269498/ https://lwn.net/Articles/269498/ xoddam <div class="FormattedComment"><pre> I'm a *recovering* hardcore geek. I bought my eee (partly) because it's the first machine I've ever seen that I could buy off the shelf, retail, and have *everything* 'just work' (on Linux) without having to reinstall or tweak a thing. I'd never have run Xandros in a fit before, but having paid for it, I saw no particular reason to change -- as long as it wasn't broken. I now realise it always was. For the moment (until such time as I feel a geekish urge to build Gentoo on it, for instance), I've disabled Samba. I might upgrade the package if I find I need to use it. I had to comment out the lines that start the daemon in usr/sbin/services.sh; removing the rc.d entries doesn't work. </pre></div> Fri, 15 Feb 2008 05:31:22 +0000 Eee PC security or lack thereof https://lwn.net/Articles/269481/ https://lwn.net/Articles/269481/ nedrichards <div class="FormattedComment"><pre> I'm pretty sure it comes with Firefox 2.0.0.7 as well which is somewhat out of date. No update in the repos either that I saw. 
</pre></div> Thu, 14 Feb 2008 23:07:50 +0000 Eee PC security or lack thereof https://lwn.net/Articles/269472/ https://lwn.net/Articles/269472/ jmm <div class="FormattedComment"><pre> <font class="QuotedText">&gt; A vendor installing Fedora 8 or Debian etch today will be behind on</font> <font class="QuotedText">&gt; countless security updates. </font> Debian releases regular point releases of its stable and oldstable release, which incorporate all previous security updates. </pre></div> Thu, 14 Feb 2008 22:01:04 +0000 Multiple problems, lack of security awareness https://lwn.net/Articles/269437/ https://lwn.net/Articles/269437/ bfields <div class="FormattedComment"><pre> I thought most attacks these days were on clients (especially mail and web clients), not servers? But that would at least address the "how do you get security updates on first boot" problem--just get them installed before starting the web browser.... </pre></div> Thu, 14 Feb 2008 20:16:13 +0000 Not just Samba https://lwn.net/Articles/269353/ https://lwn.net/Articles/269353/ ayeomans <div class="FormattedComment"><pre> I dropped a note to Asus about the Samba vulnerability on 19th Dec 2007. And mentioned:- "But I think this type of serious security vulnerability ought to have an official security release for everyone. Ditto for updates to Firefox and Thunderbird. I would not want the reputation of the Eee PC to be spoiled due to security problems, and with Linux it should be easy to get an excellent automatic update process in place." So far, all I've heard is that the correct department have been informed. Not the speedy response I would have liked to see. </pre></div> Thu, 14 Feb 2008 12:37:11 +0000 Multiple problems, lack of security awareness https://lwn.net/Articles/269349/ https://lwn.net/Articles/269349/ cortana <div class="FormattedComment"><pre> Doesn't Ubuntu ship with avahi enabled by default? 
</pre></div> Thu, 14 Feb 2008 12:16:25 +0000 iptables vs chkconfig off https://lwn.net/Articles/269343/ https://lwn.net/Articles/269343/ tialaramex <div class="FormattedComment"><pre> On a laptop though, it's unlikely that you have a multi-homed network scenario, so surely "open to the local network" is basically only the alternative to "disabled". So in general users who don't want services accessible to "the local network" should just switch those services off altogether. One thing I don't much care for (including in Red Hat's offerings) is adding a service, enabling it by default, and then firewalling it so that no-one can use it. This is pointless. Just disable the service by default, and eliminate whole classes of vulnerabilities at once. </pre></div> Thu, 14 Feb 2008 10:16:41 +0000 Eee PC security or lack thereof https://lwn.net/Articles/269336/ https://lwn.net/Articles/269336/ mjcox@redhat.com <div class="FormattedComment"><pre> What doesn't help is that the iptables module is not available on the default Eee PC kernel, so without a firewall the various services ASUS have enabled (samba, portmap, cups, ... ) are open to the local network. </pre></div> Thu, 14 Feb 2008 08:52:15 +0000 Eee PC security or lack thereof https://lwn.net/Articles/269334/ https://lwn.net/Articles/269334/ hildeb <div class="FormattedComment"><pre> Most people I heard of either: * removed the preinstalled OS (since they're hardcore geeks) and installed Ubuntu/Debian * removed the preinstalled OS and installed Windows </pre></div> Thu, 14 Feb 2008 08:14:23 +0000 Multiple problems, lack of security awareness https://lwn.net/Articles/269323/ https://lwn.net/Articles/269323/ Cato <div class="FormattedComment"><pre> One major part of this problem is that Samba was enabled out of the box - I would have expected the eee PC to be set up as a pure client, like Ubuntu Desktop is, i.e. absolutely no open ports for servers. 
Of course, if ASUS had simply used Ubuntu with minimal customizations on top, they would have had updates for free, as with most other non-embedded distros. It would also be sensible to have a simple firewall installed with a GUI to configure it, to ensure that Samba could only be used (say) within a home LAN. Some sort of safe-mode in which no server ports are allowed would be a good idea as well. However, there also needs to be some awareness on the part of eee PC users that this is a powerful device that must be security updated - more like a full PC than an appliance, but the same is true of any device with a web browser, e.g. most mobile phones these days. </pre></div> Thu, 14 Feb 2008 07:08:46 +0000 Good suggestion https://lwn.net/Articles/269322/ https://lwn.net/Articles/269322/ midg3t <div class="FormattedComment"><pre> I like your suggestion of requiring security updates upon first boot. Of course there would have to be a small button that says "No thanks, I know what I'm doing" for when the update server is unreachable. </pre></div> Thu, 14 Feb 2008 06:59:55 +0000 You missed the point https://lwn.net/Articles/269302/ https://lwn.net/Articles/269302/ JoeBuck If a vendor sells someone a Linux machine, with a distro on that machine that is several months old, it might take a half hour to download all of the updates. During all that time, the machine is on the net. If that machine is only going to be operated on a home or corporate network behind a firewall, that interval might be safe enough to deal with. But if the user is more directly on a public network, he/she might be rooted before the updates complete. Once a single vendor has sold close to a million machines, that's a target that the black hats might consider going after aggressively. And if it comes up with Samba enabled by default, complete with remote root exploit, and this is <i>known</i> ... <p> So it isn't good enough to have a "notify that there are updates" mechanism. 
<p> A vendor might mitigate that risk by coming up initially in a "safe mode", where the very first thing the user does is grab the updates, with as tight as possible a firewall installed. If the purchaser of a new box pretty much has to install the security updates before having a fully functional machine, that should mitigate security disasters. <p> If vendors won't do the responsible thing, then we have to make sure that users understand that security updates are not optional. And if a vendor doesn't provide adequate security coverage, then we need to shame them into it. Thu, 14 Feb 2008 04:19:09 +0000 Notifying users of updates https://lwn.net/Articles/269294/ https://lwn.net/Articles/269294/ midg3t <div class="FormattedComment"><pre> Update-notifier is a useful part of the solution. </pre></div> Thu, 14 Feb 2008 03:48:05 +0000