Friday, November 21, 2014

Running a Linux Desktop Does Not Equal Security Part 3

Previously:
Part 1 and Part 2

I have never believed any of the periodic nonsense about "This is the year of the Linux desktop." There are significant deployments, but even 10% market share is probably several years away. Meaning it may never happen. While I like KDE I don't regard this as necessarily bad. As I mentioned previously, obscurity continues to provide at least some measure of protection, from some adversaries.

Of course, the KDE project and probably the majority of KDE users will have a very different idea about the desirability of widespread deployment. So, here is something that might help that along, and I wish some other projects would do it as well.

Present a Clean, Reliable Security Advisory Notification Mechanism

Other than in the personal/home use arena, and particularly in environments where there are relatively strict security policies, it is common for deployment teams, and/or any security team which may be tasked with advising them, to need all the notice that they can get. This includes notice which might occur before any update notifications from the final supplier of the software.
This is even being included in some compliance regimes. Here is a quote from the Payment Card Industry Data Security Standard (PCI-DSS), Version 2, Requirement 6.2. This is the October 2010 version, not the latest. I am using the version in which the language first appeared, in order to demonstrate that this is hardly a recent thing.
"While it is important to monitor vendor announcements for news of vulnerabilities and patches related to their products, it is equally important to monitor common industry vulnerability news groups and mailing lists for vulnerabilities and potential workarounds that may not yet be known or resolved by the vendor."

Patching deadlines, by severity, are also quite common. The very first version of PCI-DSS established a one-month deadline for critical patches.

According to the KDE Security Policy, BugTraq and kde-announce@kde.org are the mailing-list announcement venues. I was unable to find the notification browsing the BugTraq archives, though I looked well back into October. I found a reference to Konversation, but that was posted by the Debian Project, not KDE. It looks as if the published Security Policy is not being followed in this respect.

While the appropriate announcement was present in the kde-announce archives, searching those archives was problematic: a search on the subject 'security' turned up only the latest result.

Also according to the KDE Security Policy, "All security alerts are published on http://www.kde.org/info/security/." That page currently contains about 80 alerts, so it seems a more reliable data source. Which means security teams should probably write a scraper/parser/notifier for it, and compare its output with the final-supplier notification channels over time. Trust is built slowly, especially when there are existing problems.
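One way to build that scraper/notifier, and to measure the lag between an upstream alert and the final supplier's update against a patching deadline like the one-month PCI-DSS limit mentioned above. This is an added example, not KDE's code and not from the original post: the HTML index is constructed to stand in for http://www.kde.org/info/security/, the assumption that each advisory is a link whose href ends in advisory-YYYYMMDD-N.txt must be checked against the live page, and the 30-day deadline is an assumed value.

```python
"""Scrape an advisory index page, detect unseen advisories, and measure
how long the final supplier takes to ship a fix against a deadline.

Added example: not KDE's code and not from the original post. The HTML
below is constructed to stand in for http://www.kde.org/info/security/;
the real page's markup may differ, so the assumption that each advisory
is a link whose href ends in advisory-YYYYMMDD-N.txt must be checked
against the live page before relying on it.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import date
from html.parser import HTMLParser
from pathlib import Path

BASE_URL = "http://www.kde.org"
DEADLINE_DAYS = 30  # assumed one-month critical-patch deadline

# Constructed sample index (titles are placeholders, not real advisories).
SAMPLE_HTML = """
<html><body><h1>Security Advisories</h1>
<ul>
<li><a href="/info/security/advisory-20141105-1.txt">2014-11-05: sample advisory C</a></li>
<li><a href="/info/security/advisory-20140811-1.txt">2014-08-11: sample advisory B</a></li>
<li><a href="/info/security/advisory-20140403-1.txt">2014-04-03: sample advisory A</a></li>
</ul>
<a href="/about/">About</a>
</body></html>
"""


@dataclass(frozen=True)
class Advisory:
    url: str
    published: date
    title: str


class _AdvisoryLinkParser(HTMLParser):
    """Collects <a> elements whose href matches the assumed advisory naming."""

    ADVISORY_HREF = re.compile(r"advisory-(\d{4})(\d{2})(\d{2})-\d+\.txt$")

    def __init__(self) -> None:
        super().__init__()
        self.found: list[Advisory] = []
        self._open: tuple[str, date] | None = None  # set while inside a matching <a>
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        m = self.ADVISORY_HREF.search(href)
        if m:
            y, mo, d = (int(g) for g in m.groups())
            self._open = (href, date(y, mo, d))
            self._text = []

    def handle_data(self, data):
        if self._open is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, published = self._open
            url = BASE_URL + href if href.startswith("/") else href
            title = " ".join("".join(self._text).split())
            self.found.append(Advisory(url, published, title))
            self._open = None


def extract_advisories(html: str) -> list[Advisory]:
    """Parse the index page; newest advisory first."""
    parser = _AdvisoryLinkParser()
    parser.feed(html)
    return sorted(parser.found, key=lambda a: a.published, reverse=True)


def new_advisories(found, seen_urls):
    """Advisories not in the seen set: these are the ones to notify on."""
    return [a for a in found if a.url not in seen_urls]


def load_seen(path: Path) -> set[str]:
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_seen(path: Path, urls) -> None:
    path.write_text(json.dumps(sorted(urls)))


def patch_lag_days(advisory: Advisory, vendor_update: date | None, today: date) -> int:
    """Days from upstream advisory to the supplier's update, or days open so far."""
    return ((vendor_update or today) - advisory.published).days


def overdue(advisory: Advisory, vendor_update: date | None, today: date) -> bool:
    """True when no vendor update exists and the assumed deadline has passed."""
    return vendor_update is None and patch_lag_days(advisory, None, today) > DEADLINE_DAYS


if __name__ == "__main__":
    state = Path("seen_advisories.json")
    seen = load_seen(state)
    found = extract_advisories(SAMPLE_HTML)
    today = date(2014, 11, 21)
    for adv in new_advisories(found, seen):
        print(f"NEW {adv.published} {adv.title} {adv.url}")
        # The vendor update date would come from the distribution's own feed; None here.
        if overdue(adv, None, today):
            print(f"  OVERDUE: {patch_lag_days(adv, None, today)} days without a vendor update")
    save_seen(state, seen | {a.url for a in found})
```

Run it on a schedule with the live page fetched into `SAMPLE_HTML`'s place, and feed `patch_lag_days` the dates from the distribution's update feed; over time the lag figures show whether the final supplier can be trusted as the only notification channel.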

Given that lack of timely patching continues to cause an enormous amount of trouble for all concerned (it has been responsible for a large number of breaches), it would have been nice if I could have delivered a glowing report regarding KDE, or at least their notification system. Unfortunately, I can't.
