Why Ubuntu and Too Much Trust Can Be Bad

Christopher Tozzi, Contributing Editor

November 30, 2008


One of desktop Linux’s chief selling points is its near-immunity to malware. Whether this superiority is due to the Unix security measures that Windows lacks, or to the mere fact that comparatively few people use Linux on desktop computers, it makes Linux attractive in an era when all manner of nasty things can be done to computer users by exploiting bugs in the software they run. While Linux may not suffer from the software vulnerabilities of Windows, however, its users are still threatened by attacks that employ social engineering, that is, attacks that dupe users into compromising their systems by running code or installing software without understanding the consequences.

Indeed, on a platform like Ubuntu, where the relationship between users and developers is defined by trust and presumed goodwill rather than financial exchange and a corporate EULA, the opportunities for social engineering are perhaps more abundant than they are under proprietary systems.

The cons of community support

When users have trouble with Ubuntu, the vast majority turn to community-based resources like the Ubuntu forums or documentation wiki. In many cases, at least in my experience, this method is a lot more effective and rewarding than making a call to an outsourced technical-support center and being put on hold indefinitely.

At the same time, malicious individuals thrive in community-based support channels. Even in those that are well policed, like the Ubuntu forums, novice users run the risk of being told to install bad software or to run commands like sudo rm -rf /.

‘Open-source’ doesn’t always mean ‘plays nicely’

The fact that almost all software on Ubuntu is free presents another opportunity for social-engineering attacks.

On Windows, I’m always cautious about installing free applications, because I know that in the Windows world, developers generally work for money. If they don’t make money by selling their software, they probably do it some other, potentially destructive way. I thus think twice before running an installer that I downloaded for free, and for which no source code is available.

Most of the software that I use on Ubuntu, in contrast, is developed by people working for free, who share their work in the hope that it will benefit others, not to make money. I’m consequently much more relaxed about installing software on Ubuntu, even if it’s in a third-party repository. Because trust is central to the model upon which Ubuntu is developed, I subconsciously assume the best about the intentions of people who develop applications for Linux.

I’ve yet to have my Ubuntu system compromised through this trust. But the assumptions of goodwill that Ubuntu encourages among its users present opportunities for exploitation that don’t exist in the proprietary world.

Even if software is open-source, I’m hardly qualified to check the code myself to ensure that it’s not malicious. There’s also no guarantee that pre-compiled .deb packages are built from the benign code that they purport.

Attacks like these are perhaps most troubling because they require few technical skills on the part of malicious individuals. No one needs to know how to exploit a buffer overflow and execute arbitrary code; they just need to convince an Ubuntu user with her guard down that she should run a Debian package that does more than advertised.
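The check a cautious user can make before installing a third-party package is to look at what the .deb actually contains: a .deb is an ar archive holding a control tarball (with the maintainer scripts that dpkg runs as root) and a data tarball (the files that land on disk). The inspector below is an added example, not code from the article; the package "hello-helper" it examines is constructed in memory for the demonstration.

```python
# Added example, not from the article: inspect what a .deb will do before dpkg runs it.
import io, tarfile
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Paths where a dropped file changes system behaviour without the user launching anything.
SENSITIVE_PREFIXES = ("./etc/cron", "./etc/sudoers", "./etc/systemd", "./etc/apt")
def _ar_member(name, data):
    # One ar(1) member: 60-byte header, then data padded to an even length.
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")
def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(content), 0o755
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()
def build_sample_deb():
    # Constructed hypothetical package "hello-helper" with a postinst script and a cron entry.
    control = _tar_gz({"./control": b"Package: hello-helper\nVersion: 1.0\n",
                       "./postinst": b"#!/bin/sh\necho configured\n"})
    data = _tar_gz({"./usr/bin/hello-helper": b"#!/bin/sh\necho hello\n",
                    "./etc/cron.d/hello-helper": b"# constructed cron entry\n"})
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control) + _ar_member("data.tar.gz", data))
def _ar_members(blob):
    # Walk the ar container and return {member name: bytes}.
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name, size = hdr[:16].decode().strip().rstrip("/"), int(hdr[48:58].decode())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2
    return members
def inspect_deb(blob):
    # Report maintainer scripts (dpkg runs them as root) and every file the package installs.
    members = _ar_members(blob)
    ctrl, data = (next(n for n in members if n.startswith(p)) for p in ("control.tar", "data.tar"))
    scripts = {}
    with tarfile.open(fileobj=io.BytesIO(members[ctrl]), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.name.lstrip("./") in MAINTAINER_SCRIPTS:
                scripts[m.name.lstrip("./")] = tf.extractfile(m).read().decode()
    with tarfile.open(fileobj=io.BytesIO(members[data]), mode="r:*") as tf:
        paths = [m.name for m in tf.getmembers() if m.isfile()]
    findings = [f"{s}: runs as root during installation" for s in scripts]
    findings += [f"{p}: lands in a privileged location" for p in paths if p.startswith(SENSITIVE_PREFIXES)]
    return {"scripts": scripts, "paths": paths, "findings": findings}
```

On a real system the same information is available through dpkg-deb -I and dpkg-deb -c; the point is to read the maintainer scripts and the file list before the package gets root.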

This isn’t to say that Ubuntu users should trust each other any less. But we should be aware of the risks that come with openness and freedom, in order to prevent a malevolent few from exploiting the trust upon which the Ubuntu community is founded.

For the time being, Ubuntu and Linux are still safer by far than Windows and even OS X. But as the market share of desktop Linux increases, attackers may well find that the assumptions of beneficence inherent to the free-software world open up opportunities for social engineering on a scale unprecedented under proprietary platforms.

WorksWithU Contributing Blogger Christopher Tozzi is a PhD student at a major U.S. university. Tozzi has extensive hands-on experience with Ubuntu Server Edition and Ubuntu Desktop Edition.
