Desktop Linux Sliding in Under the Radar? 742

Posted by Cliff
from the stealth-penguinistas dept.
Paul Johnson asks: "This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications, but there is a wider issue. At present the 'official' penetration of Linux into the desktop market is something around 1%. The writer of this article doesn't give figures, but it sounds like he may have stumbled on several times that percentage of desktop Linux installations. If so then this is an important trend. Linux got its foot in the datacentre door in exactly the same way a few years ago, with unofficial installations doing odd server jobs. If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?"
  • by BabyDave (575083) on Thursday July 31, 2003 @06:50PM (#6583730)
    "If you are a sysadmin, in an organization that runs Windows on the desktop, have you stumbled on many unofficial Linux installations?"

    I tripped over my mail server last week. Does that count?

    • Re:Not exactly ... (Score:5, Informative)

      by Jeremiah Cornelius (137) on Thursday July 31, 2003 @07:20PM (#6583956) Homepage Journal
      This has been going on for YEARS. I was doing so at Schwab in '97 - and reading "Chips and Dips" and "Rob Malda's Window Maker Site".

      I got about 4 or 5 of the Unix admins and a good number of the DBAs doing this too.

      In small shops - we had 6 Linux desktops running at the Multi-Media Developer I worked at in '94. XFree on ATI Mach32, anyone?

      • Re:Not exactly ... (Score:5, Insightful)

        by VPN3000 (561717) on Thursday July 31, 2003 @09:17PM (#6584550)
        I am not buying into this article for the fact that I've worked in large 'shops' of 2,000 workstations up to about 8,000. None of these shops would find, then allow a non-approved OS to continue to run on their networks. This type of thing is basic "Information Security did a weekly scan, found it, helpdesk seized the machine and re-imaged it with Windows 2000" routine.

        I used to agree with giving employees freedom to run whatever OS they are comfortable with, but you have to take into consideration the Information Security view on things. A *nix OS with a few network tools installed, gcc, and some skills can lead to a lot of problems for the company.

        Think that's silly? Think again. Think about doing technical support for bitter and unthankful lusers. Your boss is an asshole. You make $23k/year and missed your shot as an [insert engineer/developer position here] before the bubble popped. No hope for a future with the company since they have a revolving door system in place where 3/4 of the low-level staff is on temporary contracts that expire every 90-300 days. I know, it's sad and I've seen a lot of talent from people stuck in these types of jobs and feel terrible for them. But, this is a common person in technical call centers. I've seen enough from that single profile to type pages, but I'll stop and save it for another post.

        Do you trust this employee enough to let him run FreeBSD? You want him having direct access to the 'net without a proxy? I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits. What if he's okay but his box ended up getting owned because he downloaded bad BitchX source? That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical. That's the tip of the iceberg when it comes to what happens when your office gets owned. Even if workstations are usable, every workstation on the local subnet and server they have ports open to via the firewall have to be investigated. This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again. Somewhere around noon, the guy from Public Relations will likely be on the phone wanting to know what to tell CNN when he calls them back. Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share. That's potential millions depending on how big your company is.

        Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax. I'm very pro-Linux/BSD, but not in an environment where it's not needed (All those workstations came with an OS you paid for anyway). I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.

        My stories are actual events portrayed by actors.
        • Well, I work at a large company. There are about 800 people in my building alone and they all have at least one computer. I have two on my desk. The first is a corporately supported Windows one. The second runs linux. I just popped in the Knoppix based Morphix live CD, got it working and then 'click' installed it to my hard drive. Well maybe not quite so easy and btw I am an IT guy.

          But the point is that no one knows it is running linux. The funny thing is that when I set it up I named it 'Joe' and then I

        • Re:Not exactly ... (Score:5, Insightful)

          by Geek of Tech (678002) on Thursday July 31, 2003 @11:16PM (#6585196) Homepage Journal
          Not trying to be flamebait, but, uh, if someone had a desire to compile a program, couldn't they just download MingW32 or DJGPP or something else?
          I don't know about your company, but at my school (I was resident Geek), we set it up so that the DHCP server would automatically set the proxy up as a gateway. We never had any problem about people accessing the internet without going through a proxy.
          And aren't the chances of getting some form of backdoor actually greater for Windows? Picking them up via email, bad downloads, even browser security flaws.

          I see where having an unauthorized anything running could be a problem, but just linux in general, no, danger isn't in the software as much as it is in the hands of the user.

        • Re:Not exactly ... (Score:5, Insightful)

          by BrokenHalo (565198) on Thursday July 31, 2003 @11:32PM (#6585283)
          I'm sorry, but I believe your post is largely FUD. It really depends on what type of work your shop needs to do. If you have a large number of people using their computers for a range of operations, it is counter-productive to force staff to use any operating system that, for whatever reason, they see as sub-optimal, no matter whether it be Windows, MacOSX or BeOS.

          In my case (I'm a scientist) I would be seriously inconvenienced if some pointy-headed bureaucratic fool came along and overwrote my Linux partitions with Windows, and my immediate reaction would be to take it up with his boss.

          You seem to be operating on the premise that all staff are luddites, vandals or criminals and not to be trusted. I would have thought that, far from losing sleep over this, you should be pleased that this is one person who is not going to be passing out viruses via Lookout Express. In any case, as long as you implement sensible policies (firewalling, quotas or whatever you need to do) there is no reason why your network should not operate transparently without applying unnecessary restrictions.

          • Re:Not exactly ... (Score:5, Insightful)

            by VPN3000 (561717) on Friday August 01, 2003 @08:15AM (#6586770)
            No FUD, sir. Information Security groups have got to view the employees of a large company as untrusted, unproven people as a whole. Our capitalist and litigation happy society requires this. It's not like when you go through any other form of security it's loving and trusting. Look at airport security, the police, anything to do with protection usually starts off with the attitude of not being too terribly trusting.

            Also, I was not trying to give a full IS procedure, just a quick run of some thoughts of what I have experienced in the past decade.

            For starters:

            Linux, MacOS, etc. are not 'sub-optimal'; if your corporation purchased copies of Windows with their workstations, it seems like an even larger disregard for cashflow to not utilize what they paid for. Your scientific and my engineering minds think 'Well, I get more done in Linux', of course we do, but when you sit in with a Loss Prevention group the removed/unused copies of software are considered a total loss.

            Your situation is what would be considered a special case by an IT staff. You are a scientist. Silly goose, you will probably need all kinds of things a typical employee will not need. Think about the percentage of scientists versus customer service reps and support people in call centers. Think of the costs associated with each one of these people annually versus what you cost. It's a big difference.

            You speak at the end about trust and the suggestion that a network operate transparently without many restrictions. You have to understand that most companies are not in the ISP business for their employees. If you sit down in front of a computer in an office, it's their network, their assets, their butt on the line, their bandwidth costs, etc.

            For example, I have worked in a group whose new office was suffering terribly. About a 1400 user network, but the bandwidth leaving the building was always pegged. Upon watching traffic for a few days, it appeared that a major portion was porn and streaming media traffic. We implemented a filter file for the proxy and traffic went from ~97% down to ~30% utilization. This sort of thing is very cost effective and saves people from themselves (female employee walks up on porn mongering male, female complains, male goes unpunished, female cooks up discrimination suit, etc -- just preventative medicine, not a cure for a likely issue in the future).

            I guess those who are knocking my tales have never been exposed to a real IT group before. Either that, or they are prepared to lose their jobs someday due to a lack of enforcement or policy that matches your typical fortune 500 company. The suits will not have much pity for your balls to give excess freedom to employees with their investor-purchased resources.

            The downfall of your average geek is the inability to ever see things from an executive, bean counter, or investor's point of view. Threats are real, liability is real, the end result of your investments are real. The joy of an office behind a very trusting packet filter is short lived and a flagrant disregard for company assets, especially if the company is publicly held. Your investors are well within their power to take you to court and sue you for every dime you have if there is big enough loss associated with an act that was easily prevented. We never know the limitations of these types of suits because they are civil and not criminal. In a civil suit, you never know if you are going to be made an example. For instance, the massive settlements on people burning themselves with McDonalds coffee. You just don't know what's going to happen. At least with a criminal case, there are boundaries clearly defined by law.

            You go back to being a scientist and I'll go back to saving people like you from yourselves with your lack of understanding regarding the need for real security policy. I promise I won't pick apart or call FUD when you speak of something technical regarding your line of work... That is, if you don't tell me fictitious realities about how e
            • Re:Not exactly ... (Score:5, Insightful)

              by madfgurtbn (321041) on Friday August 01, 2003 @08:49AM (#6586950)
              You are scaring me... :-)

              First a minor quibble--you say:
              if your corporation purchased copies of Windows with their workstations, it seems like an even larger disregard for cashflow to not utilize what they paid for. Your scientific and my engineering minds think 'Well, I get more done in Linux', of course we do, but when you sit in with a Loss Prevention group the removed/unused copies of software are considered a total loss.

              If a worker is more productive in a different OS or Office Suite or whatever, then the monetary cost of that unused software is insignificant. Not to mention that the company shouldn't be buying software unless it will be used.

              The bigger problem with your entire post and attitude toward users is best seen here:

              People need to quit thinking they have rights to anything in an office. You do what they say or find work elsewhere. There's a big job market out there right now, lots of options, right? :)

              I see the smiley, so I'm hoping this is mostly a joke, but if a company harbors contempt for its employees, it is doomed. If the option is "my way or the highway", the good employees will eventually choose the highway, regardless of the economy. All you will have left will be compliant losers who don't think for themselves, managed by control freaks who have to do all the thinking for them, deciding which color pen to use.

              Or which OS.
            • Re:Not exactly ... (Score:5, Informative)

              by grmoc (57943) on Friday August 01, 2003 @01:06PM (#6589428)
              Unfortunately a lot of management/business types really DON'T understand sunk cost.

              You should buy something you want to use.
              Using something simply because you bought it is moronic.

              The waste happens on the purchasing side, not the usage side.

              This is not a 'geek' view, this is a good economist/businessperson's view, and for anyone who disagrees with it, here is a good example.

              You're stuck on a desert island. You knew you would be stuck here. To prepare for being stuck here, you bought some cyanide-based glue (i.e. superglue). Your major problem is that there is no food on the island. Do you
              1) Eat the cyanide-based glue
              2) Don't eat the cyanide-based glue

              The "Well, it would be going to waste if I don't eat it" argument obviously doesn't work here. If you don't get the right tool for the job, you shouldn't be forced to use it-- The damage is already done, no need to exacerbate it.
        • Re:Not exactly ... (Score:5, Interesting)

          by Malcontent (40834) on Friday August 01, 2003 @12:03AM (#6585414)
          Very few large corporations have the time or the tools to patch hundreds of MS desktops. As a result in every corporation there are hundreds if not thousands of vulnerable windows desktops and clueless IE users merrily surfing the web and getting hacked by script kiddies.

        • Re:Not exactly ... (Score:5, Interesting)

          by tkg (455770) on Friday August 01, 2003 @12:47AM (#6585617)
          Well, my employer allows virtually any os that a given user might need to run (we're a research facility). The IT people do regular vulnerability scans of the network and the linux users that I know (myself included) have never failed to pass the scan. The same can't be said for most of the MS users, or even the Solaris users for that matter. I don't hear much from the Mac users.

          I guess my point is that it is not so much what os a person runs as it is the IT policies and how well they're enforced. Keep up with security patches, don't install untrusted software, good password policy, etc. These things aren't unique to any particular desktop OS and any user could potentially violate them. However, any user that depends on their system for everyday tasks isn't going to intentionally munge it up since they lose the use of it while you may be inconvenienced with rebuilding it. There is always the danger of the 'malicious insider' and we risk it every summer with an influx of student help that always includes some idiot that will try 'bad things'. Deal with them swiftly and harshly and make sure everyone knows about it and you can keep it to a minimum, but you can never eliminate the risks completely.
        • Re:Not exactly ... (Score:5, Insightful)

          by hellraizr (694242) on Friday August 01, 2003 @12:55AM (#6585649)
          I think most people are missing the point here. most, AND I MEAN MOST companies are not huge corporate giants running 3 flavors of oracle/informix/peoplesoft. in fact, most huge places still don't run windows. I have worked for 3 separate companies where almost every male employee ran linux. especially in ISP and hosting/datacenter environments. this view is typical of the MCSE type IT person who eats, sleeps, sh!ts and breathes micro$oft and ZDnet. I personally have noticed a lot more personal freedom to run whatever OS you choose, as long as you're firewalled or are fully capable of doing your job. I haven't used windows in the work place since Netware 5.00 was released and I don't see myself doing it any time soon either. another thing to point out. you made a mention of proxy? again, purely micro$oft induced thinking. proxy servers are great for low bandwidth connections but are extremely exploitable by nature. in trying to put up a protection point you expose yourself to the internet even more. true ip routing and firewalls are your best bets for internet access and security. also they allow you to control a lot more of what your company can do online without infringing on exec's ability to communicate in private. the internet and corporate computing were built on unix, are _STILL_ unix based in some variant or another, AND ALWAYS WILL BE. it still takes a farm of dual xeon windows boxes to do what 1 p3-ghz with 256mb ram unix box can do in its sleep. in the broader scheme of things I personally see linux coming of age in the workplace as a desktop OS. new tools enable it to be far more expandable, secure, and user-friendly than windows can ever be. if you're a stickler for IT security, there is no reason on earth to run windows in a corporation. the NSA said it best "There is not enough man power in the entire US government to secure windows for proper use by federal agencies".
        • by 0x0d0a (568518) on Friday August 01, 2003 @04:35AM (#6586285) Journal
          1) You have to be kidding. You can use attack software on *any* OS. Linux is no weaker (and actually a bit stronger in that it has some semblance of local security) than Windows here.

          2) If you seize machines and reimage them to fit with some policy you're following, your ass would be heading out of town from mass user complaints at any company I've been at. You are IT. You are present to help workers get their damn work done, not to push some random personal agenda. If you wipe an entire system and kill that employee's work, you are a serious impediment to getting work done. I simply am amazed at the total lack of regard for the employee, and lack of perspective you've displayed. You could disconnect the thing from the network. You could ask the user to move his files to another machine so that you can reformat it, though I think you're already pushing the limits. But when you simply grab a machine and reformat it, you're in a position where you are a liability to your company. When the developer tells his boss that IT wiped out his work, his boss tells his boss, and his boss tells his VP, I guarantee that your boss will not cover for you.

          You want him having direct access to the 'net without a proxy?

          WTF does this have to do with what OS you're running?

          I doubt it, especially not after that email where he asked questions about what type of traffic you monitor and how you do audits.

          This is ridiculously paranoid. I've seen the occasional IT type who considers the users he is supporting his enemies, but this is beyond belief.

          What if he's okay but his box ended up getting owned because he downloaded bad BitchX source?

          What if the same damn thing happened because he downloaded a Word file to his Windows box? Which of the two happens in far greater numbers?

          That would mean another three day stint of no sleep doing emergency penetration tests, mirroring HD images, finding the exploits, sitting in meetings and explaining what all was affected hoping you didn't miss something critical.

          You've worked in an 8,000 unit shop and you honestly believe you have zero penetrations? And your setup is such that you need to spend three days and nights mirroring HD images *after* an attack?

          This brings productivity for the money-making sides of the company to a crawl while sysadmins and security folks work to get things safe again

          And again, WTF does the OS have to do with this?

          Likely, there will be a news source online with details of how the exploit took place, but completely wrong and now the public and shareholders are going to wonder if credit card numbers were stolen, your ability to properly maintain infrastructure, etc. Then your stock price falls $2/share.

          Ridiculous. This is a theoretically possible but completely impractical story of what might happen in an attack.

          Sorry to ramble, I just wanted to stress the importance of IT policy and the headaches that can happen when the policy is too lax.

          Amazing. God, I'm glad the IT people that support me have different views.

          (All those workstations came with an OS you paid for anyway).

          The infamous sunk cost fallacy. Which they teach you to avoid in Business 101.

          I also think this treatment of unapproved OS's is very common due to thoughts and situations like the one above.

          It's not. That kind of behavior from IT would generate serious user complaints where I work. Matter of fact, IT is trying to quickly adapt to support people that want to use Linux here, and has compiled resources for them. That's what I consider doing a good, solid job. Helping the users instead of attacking them.
          • by schon (31600) on Friday August 01, 2003 @08:55AM (#6586986)
            While I agree that the previous poster is overzealous, there is a kernel of truth in some of what he says.

            You are IT. You are present to help workers get their damn work done, not to push some random personal agenda. If you wipe an entire system and kill that employee's work, you are a serious impediment to getting work done

            In most companies, the standard OS is hardly a "personal agenda" - and the worker that installs a new OS on his/her computer without authorization is hardly "getting work done".

            Most large companies I know don't allow you to keep your work on your local machine, as it makes all kinds of problems for backups, upgrades, and hardware trouble. Instead employees save all of their work to a central fileserver, which gets backed up on a regular basis. Re-imaging a machine is not a big deal. Even the place I work now (total of 20 employees) does this.

            WTF does the OS have to do with this?

            If the sysadmins don't know Linux, then they won't be able to fix the breakin.
  • by pjack76 (682382) on Thursday July 31, 2003 @06:51PM (#6583738)
    I have this fantasy where I walk into work and everyone's installed Linux on their own and I don't have to image another NT workstation ever again, and I realize I've died and gone to heaven where the bad men can no longer hurt me.

    Is the sysadmin sure he wasn't dreaming?

  • IT headaches (Score:5, Insightful)

    by niko9 (315647) on Thursday July 31, 2003 @06:51PM (#6583741)
    "This article at ComputerWorld describes a sysadmin's discovery that many people in his company are installing Linux on their desktops without consulting IT. The writer is concerned with the security implications,..."

    This could make the case for desktop Linux look worse, if people are not securing their desktops and/or keeping up with security updates.
    • Re:IT headaches (Score:3, Insightful)

      by 1lus10n (586635)
      no worse than the average NT/2000/XP install.

      and i highly doubt they were "unsecured", if these people went through the trouble of installing linux on a work machine they probably have moderate clue.

      and I'm not going to point out that no matter how "secure" your personal workstations are, that once a cracker penetrates that far into your network you're screwed.

      this guy sounds like he is getting overly paranoid about something he more than likely doesn't understand.
      • by el-spectre (668104) on Thursday July 31, 2003 @07:53PM (#6584158) Journal
        The point is, a sysadmin can patch and update winders machines remotely and en masse. If he doesn't know about the linux machine, then he obviously has a hole in his security plan.
        • by 1lus10n (586635) on Thursday July 31, 2003 @08:00PM (#6584192) Journal
          now that i can see the point of, but perhaps instead of viewing linux as a second tier "problem" he should talk to the people who installed it and find out what they can do.

          i have a local gentoo build server with 2 python scripts, and some cron jobs my systems are updated daily on my home network (14 machines. varying from athlons, to mips, to alpha) (not running gentoo on the mips, that runs irix [octane])
        • by boomer_rehfield (579777) on Thursday July 31, 2003 @08:10PM (#6584240)
          If there's a box on his network that he doesn't know about then either he needs a new network analyzer or new networking people that know what they're doing. Not trying to be a jerk but you should know what is on your network and if you don't, then you're not paying attention and/or trying hard enough.
          • Right-o!

            SW-1# conf t
            SW-1(config)# interface range fa0/1 - 48
            SW-1(config-if-range)# ! sticky learning only applies to access ports
            SW-1(config-if-range)# switchport mode access
            SW-1(config-if-range)# ! the feature must be enabled explicitly; the options below do nothing on their own
            SW-1(config-if-range)# switchport port-security
            SW-1(config-if-range)# switchport port-security mac-address sticky
            SW-1(config-if-range)# switchport port-security maximum 1
            SW-1(config-if-range)# switchport port-security violation shutdown
            SW-1(config-if-range)# ! aging time 0 disables aging, so the learned address is kept until cleared by hand
            SW-1(config-if-range)# switchport port-security aging time 0
            SW-1(config-if-range)# ^Z
            SW-1# wr mem

            Not foolproof, but better than what most people have configured today.

            When they connect that second device to their stealth hub or switch, your switch will cut them off (Seeing a second connect
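The port-security config above stops a second device at the switch; the complementary step is to audit what the switch already sees against an inventory. This added example (not part of any comment in the thread) parses text in the layout of Cisco IOS `show mac address-table dynamic` output, normalizes the dotted MACs, and reports three things a sysadmin who "should know what is on your network" would want: MACs not in the inventory, ports carrying more than one MAC (a hidden hub or switch behind an access port, the case `port-security maximum 1` shuts down), and known hosts that have moved to a different port. The inventory and the table text are constructed sample data; the hostnames and ports are assumptions.

```python
"""Audit a switch MAC address table against a host inventory.

Added example, not from any poster. KNOWN_HOSTS and MAC_TABLE below are
constructed sample data; MAC_TABLE mimics the layout of Cisco IOS
'show mac address-table dynamic' output.
"""
import re
from collections import defaultdict

# Constructed inventory: MAC (colon form) -> (hostname, owner, expected port)
KNOWN_HOSTS = {
    "00:11:22:33:44:55": ("ws-accounting-01", "IT-managed Windows", "Fa0/1"),
    "00:11:22:33:44:66": ("ws-dev-07", "IT-managed Windows", "Fa0/2"),
    "00:aa:bb:cc:dd:01": ("printer-3f", "facilities", "Fa0/3"),
}

# Constructed table text. Fa0/2 carries two MACs (a hub behind the port),
# and Fa0/5 carries a MAC nobody registered.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/2
  10    0011.2233.4477    DYNAMIC     Fa0/2
  10    00aa.bbcc.dd01    DYNAMIC     Fa0/3
  10    000c.29ab.cdef    DYNAMIC     Fa0/5
Total Mac Addresses for this criterion: 5
"""

# One data row: vlan, dotted MAC, type, port. Header/footer lines do not match.
ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(cisco_mac: str) -> str:
    """Convert Cisco dotted form (0011.2233.4455) to colon form."""
    hexdigits = cisco_mac.replace(".", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {cisco_mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list:
    """Return (vlan, mac, port) tuples for every data row in the table."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((int(m["vlan"]), normalize_mac(m["mac"]), m["port"]))
    return entries


def unknown_hosts(entries, inventory=KNOWN_HOSTS) -> list:
    """MACs seen on the wire that are not in the inventory, with their port."""
    return sorted((mac, port) for _vlan, mac, port in entries if mac not in inventory)


def crowded_ports(entries, limit: int = 1) -> dict:
    """Ports carrying more than `limit` MACs, i.e. a hub or switch hanging off
    an access port; this is what 'port-security maximum 1' would shut down."""
    seen = defaultdict(set)
    for _vlan, mac, port in entries:
        seen[port].add(mac)
    return {port: sorted(macs) for port, macs in seen.items() if len(macs) > limit}


def moved_hosts(entries, inventory=KNOWN_HOSTS) -> list:
    """Known MACs that show up on a port other than the one on record."""
    return sorted(
        (mac, inventory[mac][2], port)
        for _vlan, mac, port in entries
        if mac in inventory and inventory[mac][2] != port
    )


if __name__ == "__main__":
    rows = parse_mac_table(MAC_TABLE)
    for mac, port in unknown_hosts(rows):
        print(f"UNKNOWN  {mac} on {port}")
    for port, macs in crowded_ports(rows).items():
        print(f"MULTI-MAC {port}: {', '.join(macs)}")
    for mac, expected, actual in moved_hosts(rows):
        print(f"MOVED    {mac}: expected {expected}, seen on {actual}")
```

Feed it the real table text captured from the switch and a real inventory and the same three functions apply; an unknown MAC on a port is the cue to go look at the desk, and a crowded port is the cue to look for the hub before port-security does it for you.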

        • " The point is, a sysadmin can patch and update winders machines remotely and en masse."

          Really? How?
    • Re:IT headaches (Score:5, Interesting)

      by vsprintf (579676) on Thursday July 31, 2003 @07:36PM (#6584052)
      I can see where there might be some security concerns, but I think the real concern for IS (IT, whatever) is being in control.

      I work for a company that was heavily Unix (and X-terms) until the LAN somehow became all MS PCs. Now people and projects are insisting on replacing not only MS but Sun and SGI stuff with Linux. We are meeting heavy resistance from IS.

      They are claiming that it costs more to administer a Linux box, even though we've been in meetings and showed that it wasn't true, based on recent experience. They refuse to give even knowledgeable users superuser privileges on their own machines, although Windows users can install anything or delete everything on their boxes at will.

      To me it appears that some of the people in IS are afraid of being made less powerful, less needed, and less relied upon.
    • by twitter (104583) on Thursday July 31, 2003 @08:54PM (#6584452) Homepage Journal
      Security? Give me a break. The article was written by someone plagued by a windoze worm. That's how they made the "discovery", the poor man had to walk all around the building to fix the thing. How does anyone leap to the total non-sequitur:

      The weaknesses from the rogue installs ...come from the installation of third-party applications and utilities, which can leave a desktop or server vulnerable to attack if set up incorrectly.

      Huh? What total Microsoft brain washing! What is a "third party application" in the free software world? This dude has his head shoved so deep into the M$ world that he confuses all the crap and spyware that accumulates on windoze boxes and runs as root with free software. I don't know how he's transferred his complete lack of control over Windoze onto software that works. I don't get it.

      He goes on, after mentioning that he might be man enough to run Red Hat. He thinks it could do his company good to replace the hideous pile of Word Docs that is their QA tool because it sucks to have to do a "word search" to find information in the 300 reports/year they generate. So true, just putting those things on a Samba server so you can use grep and find would be really helpful. Imagine how nice his life would be with a nice little mySQL/PHP webform for entry and search instead of a Word template. Progress, forge on brave man!

      But, oh no, he shrinks from the fear of vulnerability:

      For example, there always seem to be vulnerabilities associated with programs such as file transfer protocol, sendmail and Apache. And other open-source software is vulnerable, especially when the developer hasn't written the program with security in mind.

      Poop. Plain and simple poop. Sendmail handles most email. Apache handles most web sites. Who needs ftp when you've got ssh? Well, anonymous ftp is a nice way to share big piles of files and programs like proftp are plenty secure. This is total shit to scare people who don't know what file transfer protocol is, but like the ease of windoze file sharing. It's ignorant if not intentionally misleading. This line says volumes:

      We can't eliminate Linux

      No, but some fools wish they could. Other people everywhere are learning all the good things free software can do for them.

      Anyone who's worried about security should use Debian's stable distribution. Not only is it all field tested, upgrades can be applied every day from http://security.debian.org via shell script. Unlike the windows world, these updates install easily and don't break other "third-party" applications.

      You say:

      This could make the case for desktop Linux look worse, if people are not securing their desktops and/or keeping up with security updates.

      That seems to be the intent of the article. Fortunately, only the very ignorant will pay attention to such nonsense and it can easily be deflated. Microsoft is going to have to try much harder than this to keep people away from superior software. Then again, I'm not sure how they can do that. The thing that makes the best case against the Windows desktop is its record. That now including the author's laborious trek around his company caused by yet another Windows failure. There is no software anywhere with such bad performance.

  • I'm not a sysadmin (Score:5, Informative)

    by SquadBoy (167263) on Thursday July 31, 2003 @06:52PM (#6583744) Homepage Journal
    but rather a network guy but I have 3 Linux boxen that MIS does not know about and the dept laptop is booted with a Knoppix CD about 90% of the time.
  • Undercover LINUX (Score:5, Interesting)

    by Anonymous Coward on Thursday July 31, 2003 @06:52PM (#6583746)
    I work at the computer science department of a major university; we've got runaway LINUX everywhere. We've gone so far as to restrict our switches by MAC address and no longer allow anyone in our network unless they tell us what OS they are running and have installed all the security updates.
    • by innosent (618233) <jmdority&gmail,com> on Thursday July 31, 2003 @07:31PM (#6584018)
      We've gone so far as to restrict our switches by MAC address and no longer allow anyone in our network unless they tell us what OS they are running and have installed all the security updates.

      Ok, I'm confused here. What exactly is extreme about limiting access to known MAC addresses? Any sprawling network where access to the backbone (i.e. wallplates) can't be controlled should do this. It's just common sense.
      As for not allowing anyone on without them telling you what they have, how do you make sure they keep updating? Was it fine for people with WinXP boxen to join the network when XP was first released? Being "up to date on patches on 10/07/02" is great, but utterly meaningless if no patches have been installed since then. Having a required set of patches is nice, but having a good security policy is far better.

      Of course, I've always wondered about college networks, since they seem to prefer sending nastygrams or denying access to users rather than preventing users from doing those things. Want to stop shared folders, file sharing, worms? Set the switches to only allow traffic to pass completely through the switch, not between ports on the switch.
      Besides, the average user has no need to be accessible from any other machine, and especially not from outside the local network. Use NAT, separate users from each other, and be done with it. If a user gets a virus/trojan/worm, f@*k-em, at least it won't spread through the network.
  • by cfl (82047) * on Thursday July 31, 2003 @06:53PM (#6583750)
    In a previous job I've found Linux and BeOS desktop installations. While I was pro alternatives to Microsoft, there was the concern about security - e.g. open e-mail relays, unpatched servers. The company ended up with a policy of permitting Linux on the desktop, but not supporting it. If you had an application issue - you were on your own. The only users that ran it had a clue and we didn't run into issues. Being a research environment, Linux ended up replacing SGI systems as the scientific workstation standard.
  • Nope, not here (Score:4, Interesting)

    by canadiangoose (606308) <[moc.liamg] [ta] [mahargjd]> on Thursday July 31, 2003 @06:53PM (#6583751)
    Aside from my laptop and my desktop, we have no Linux desktops. I do network scans and such monthly, and aside from a few Linux-powered embedded devices, I've seen nothing interesting. Mind you, I work at a hospital. There are not very many technically inclined folks here.
    • I work at a hospital. There are not very many technically inclined folks here.

      That's a good thing. I'd hate to have my nurse worrying about incompatibilities with her Wireless NIC and her kernel.

      Or my surgeon trying to get First Post on a Slashdot story during my operation!
      So thanks for making their job easier and my hospital stays safer. Keep those systems up!

      ~Z
      • by Davak (526912)
        Sometimes I will post and read before performing a case. We have a terminal in our procedure room and it's common for people to email or browse the web as we are waiting for the case to get started.

        I honestly believe that most of the trolls on slashdot are hospital admin people. What the hell else do they do all day?

        Davak
  • by jgaynor (205453) <jon AT gaynor DOT org> on Thursday July 31, 2003 @06:55PM (#6583769) Homepage
    I wouldn't dare reformat a work machine with another OS. The feasibility isn't the problem - it's the wrath of an angry sysadmin that is. I would like to keep my job in this economy.

    I DO, however, frequently boot my machine with knoppix [knopper.net]. Most corporate IT environments prevent users from installing their own software - but Knoppix has pretty much every app I need. I sacrifice local file storage and some embedded data like PIM stuff, but it's just more comfortable and doesn't raise the ire of the lesser IT geeks.
  • Does this count? (Score:5, Interesting)

    by AWrinkler (569169) on Thursday July 31, 2003 @06:56PM (#6583783)
    In the last infrastructure upgrade we did, all 60 machines were identical:
    FreeBSD 4.7, autostart XFree86,
    full-screen RDesktop to central Win2k Terminal Servers.

    Users still think they have a Windows box (Windows splash screen on boot).

    Does this count?
    • Re:Does this count? (Score:3, Interesting)

      by H310iSe (249662)
      How's the load handling (how many users per box, how big are the boxes?) Had any network/server problems that made the users scream when they suddenly couldn't do work even though the computer on their desk was working fine?

      Just curious, I did a big NT 4 terminal server install once and it was one of the more challenging times in my life. Hard, it was, and long. Win2k is supposed to be much better, but is it really worthy (stable, etc.) of a thin client environment?
  • by Anonymous Coward on Thursday July 31, 2003 @06:57PM (#6583792)
    I don't have to worry about this. The people at my organisation aren't clever enough to send an email, let alone install Linux.
  • Nope Not at all (Score:5, Insightful)

    by visionsofmcskill (556169) <vision@[ ]mp.com ['get' in gap]> on Thursday July 31, 2003 @07:03PM (#6583832) Homepage Journal
    Between two semi-large internet companies and several smaller ones I have NEVER run into any non-IT unix/linux box amongst my users.... EVER.

    In truth, beyond the server farms I've worked with at said companies, the only person possessing any *nix variant has been myself (including Mac OS X...). While I can see this as being an occasional happening in dorkier companies... even then I find it not very likely.

    mainly because business use predominantly revolves around Outlook/Exchange's shared meetings and various other stupid stuff.... in addition to the baseline ease of use (overall managerially) of network administration of an all-Windows environment.

    I would NEVER support a Linux desktop distro amongst my users.... MAC OS X... yes.... but not Linux for any reason on God's green earth... can you say nightmare? I love Linux.... but it just is NOWHERE near as streamlined as Windows or Macintosh... especially from a support stance.

    My personal feelings are *nix for network devices.... Windows server/client for data sharing, email and so on.... and Mac OS X for end users who are more inclined towards media production (basically people who aren't finance/sales).

    This setup puts the *nix boxes in my realm... and I'd be grateful that no unwitting user *accidentally* installs another DHCP, DNS, SMTP, etc... server on my network. I'd also be thankful not to be asked how to make packages work correctly between KDE, GNOME, X, or whatever else Joe Moron decides to use.... or how to fix their freakin' window manager because KDE offers 5 different programs just to change the layout/widgets.... no thank you.

    Of course this poster assumes that the people who do so, do so knowing people like myself won't support them... and more than likely will be highly unhappy with their network being potentially compromised...

    not trying to spread FUD.... but I'll wait for a tighter distro before I promote *nix on the desktop.... only one so far (with flying colors) is OSX.

    • Re:Nope Not at all (Score:5, Insightful)

      by 1lus10n (586635) on Thursday July 31, 2003 @07:20PM (#6583950) Journal
      actually your post is pretty much just FUD.

      firstly you wouldn't have to worry about them installing a rogue DHCP server if you didn't give them root. As a matter of fact don't even install KDE if you don't need it. you really must have no experience with modern desktop linux installs, otherwise you would have known that: "I'd also be thankful not to be asked how to make packages work correctly between KDE, GNOME, X, or whatever else Joe Moron decides to use" is rather retarded since most apps work fine nowadays, Red Hat has a unified desktop which makes the "visual" difference between KDE and GNOME moot, and Red Hat would support any other issues you have if you bought a support contract, same as with any other OS.

      as for streamlined management, well, you could simply run a local up2date server with cron jobs as necessary, and run ssh locally on the clients so that when (and this will be very rare) there is an issue you can just ssh into the box and fix it.

      I personally work at an outsourcing company, 3500 employees, and we have about a 20% Linux desktop install, growing slowly. Why? Ease of administration. You have a policy that states what IT supports (Evolution, Mozilla, Gaim etc) and whenever somebody asks for help with something not supported you point and say "No". And the best part is you don't have to have someone running around constantly re-imaging all of those Windows boxes....

      • The poster said people installing *nix on their boxes WITHOUT the knowledge of the sysadmins... ME.... which would mean they could quite easily install a rogue DHCP server along with other nasties.

        Don't install KDE? For a user? Are you expecting them to use X? Or maybe the CLI? Or should I dictate that they simply use my preferred manager? Once again... poster said these would be boxes I didn't set up.... so they'd probably install whatever they wanted. Support contracts are certainly cool... but even still.

        • " People who hold the above attitude are very BAD admins.... our role in general is to make people happy as best we can without going over-board."

          and my setting a "No" policy on unsupported software is different from a policy of "acceptable" software how? Someone is still saying no. I am not a hard ass, but I also have no reason to get some half-shit mail client to work when Evolution already does so.

          My entire post was based on the thought of "rather than being a flaming asshole perhaps you should
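The rogue DHCP server that both sides of the exchange above worry about (an unwitting user's box handing out leases on the sysadmin's network) is easy to find from any host on the segment: broadcast one DHCPDISCOVER and record the server identifier in every DHCPOFFER that comes back. The following is an added example written for this thread, not code posted by anyone in it. `probe()` needs root (it binds UDP/68) and a real LAN; `build_offer()` only fabricates a constructed OFFER so `parse_offer()` can be exercised offline, and the 10.0.0.x addresses are assumptions.

```python
"""Find every DHCP server answering on the local segment, authorized or not.

Added example, not code from any poster. Sends one DHCPDISCOVER (RFC 2131)
and records the server identifier from every DHCPOFFER; any server not on
the allowlist is a rogue. Addresses below are assumptions for the example.
"""
import random
import socket
import struct
import time
from typing import Dict, List, Optional, Set, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_END = 53, 54, 55, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # op..file = 236 bytes, then the magic cookie

Offer = Tuple[int, str, str]   # (xid, offered address, server identifier)


def build_discover(xid: int, mac: bytes) -> bytes:
    """DHCPDISCOVER with the broadcast flag set, so OFFERs reach us even without an IP."""
    fixed = struct.pack(FIXED_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
               + bytes([OPT_PARAM_REQ, 3, 1, 3, 6])      # ask for mask, router, DNS
               + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def build_offer(xid: int, yiaddr: str, server_ip: str) -> bytes:
    """Constructed DHCPOFFER, used only as an offline fixture for parse_offer()."""
    fixed = struct.pack(FIXED_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_ip),
                        b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
               + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_options(data: bytes) -> Dict[int, bytes]:
    """TLV walk over the options field; skips PAD (0) and stops at END (255)."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(packet: bytes) -> Optional[Offer]:
    """Return (xid, yiaddr, server_id) if packet is a DHCPOFFER, else None."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE or packet[0] != BOOTREPLY:
        return None
    opts = parse_options(packet[240:])
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    xid = struct.unpack("!I", packet[4:8])[0]
    yiaddr = socket.inet_ntoa(packet[16:20])
    server_id = socket.inet_ntoa(opts.get(OPT_SERVER_ID, packet[20:24]))  # fall back to siaddr
    return xid, yiaddr, server_id


def rogue_servers(offers: List[Offer], authorized: Set[str]) -> List[str]:
    """Server identifiers seen in OFFERs that are not on the allowlist."""
    return sorted({srv for _xid, _ip, srv in offers if srv not in authorized})


def probe(timeout: float = 3.0) -> List[Offer]:
    """Broadcast one DISCOVER and collect every OFFER for our xid. Requires root."""
    xid = random.getrandbits(32)
    mac = bytes([0x02, 0, 0]) + bytes(random.getrandbits(8) for _ in range(3))  # locally administered
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.bind(("0.0.0.0", 68))
    sock.settimeout(0.5)
    sock.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
    offers: List[Offer] = []
    deadline = time.time() + timeout
    while time.time() < deadline:              # keep listening: a rogue may answer after the real server
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            continue
        parsed = parse_offer(data)
        if parsed and parsed[0] == xid:
            offers.append(parsed)
    sock.close()
    return offers                              # no REQUEST is sent, so the offers simply expire


if __name__ == "__main__":
    AUTHORIZED = {"10.0.0.1"}                  # assumed address of the sanctioned DHCP server
    seen = probe()
    for xid, ip, srv in seen:
        print(f"offer {ip} from {srv}")
    print("rogue servers:", rogue_servers(seen, AUTHORIZED) or "none")
```

Two caveats a practitioner would add: the probe only sees servers in the same broadcast domain, so it has to be run (or relayed) per VLAN, and it is a detection, not a fix. If the switches support DHCP snooping, that is what actually stops an unauthorized box from answering DISCOVERs, and the probe then becomes a periodic check that the snooping configuration is still doing its job.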
  • by MyHair (589485) on Thursday July 31, 2003 @07:06PM (#6583857) Journal
    I can see how security might be lax. When I was new to Linux I enabled everything whether I needed it or not. I figured I'd get around to playing with bind, sendmail and ftpd sooner or later. Everyone I know who's tried Linux has only dipped his toe in, so to speak.

    Now I know more and have played enough that I disable everything except what I need, make sure it's secure and then put up a firewall just to be sure. But heck, just the other day I realized I hadn't apt-get update'd and apt-get upgrade'd in a couple of months. Oops. I also had weak passwords until about a month ago.

    I'm in a non-tech company, and the Linux penetration is well below 1%. Only one desktop--a dual-boot laptop--as far as I know (except when I boot up KNOPPIX), but I have three rogue servers of my own. (Squid, Nessus, nmap and Snort are my friends.)

    I also have two Cygwin installs, but they're my workstations, not user PCs. Anyone seeing those on desktops yet?

    In this article the guy chose RedHat. If you don't care for commercial support, why would you choose RedHat over Debian or Slackware? Especially if security is a concern.
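The monthly network scans mentioned earlier in the thread, and the nmap remark in the post above, are how an admin actually finds unofficial Linux boxes. The following is an added example for this thread, not code from any poster: it reads nmap's greppable output (`-oG`) and lists every host whose OS fingerprint or service banners point at Linux. The `nmap -sS -O -sV -oG scan.gnmap 10.0.0.0/24` invocation is the assumed way the file was produced (root is needed for the SYN scan and OS detection), and the hosts, hostnames and banners in `SAMPLE_GNMAP` are constructed.

```python
"""Spot probable Linux hosts in nmap greppable output (-oG).

Added example, not code from any poster. Produce the input with something like
    nmap -sS -O -sV -oG scan.gnmap 10.0.0.0/24
and pass the file contents to linux_hosts(). SAMPLE_GNMAP is constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed -oG output for three hosts. Fields on a "Host:" line are tab-separated
# and each Ports entry is port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -sS -O -sV -oG scan.gnmap 10.0.0.0/24\n"
    "Host: 10.0.0.5 (devbox.example.net)\tStatus: Up\n"
    "Host: 10.0.0.5 (devbox.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 3.6.1p2 Debian 1:3.6.1p2-3/, "
    "21/open/tcp//ftp//ProFTPD 1.2.8/\tOS: Linux 2.4.X\tSeq Index: 4214\tIP ID Seq: All zeros\n"
    "Host: 10.0.0.7 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///"
    "\tOS: Microsoft Windows 2000 SP3\tSeq Index: 12544\n"
    "Host: 10.0.0.9 (printsrv)\tPorts: 515/open/tcp//printer///, 9100/open/tcp//jetdirect///"
    "\tOS: Linux 2.4.X (embedded)\n"
    "# Nmap done\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")

# Banner substrings that give a Linux box away even when the OS fingerprint is missing.
LINUX_MARKERS = ("linux", "debian", "ubuntu", "red hat", "redhat", "fedora",
                 "suse", "gentoo", "slackware", "mandrake")


def parse_gnmap(text: str) -> Dict[str, Dict[str, str]]:
    """Merge every 'Host:' line into one {field: value} record per IP address."""
    hosts: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        rec = hosts.setdefault(ip, {"hostname": hostname})
        for field in rest.split("\t"):
            key, sep, value = field.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
    return hosts


def linux_evidence(rec: Dict[str, str]) -> List[str]:
    """Reasons to believe one record is a Linux host: OS guess and/or open-port banners."""
    reasons = []
    os_guess = rec.get("OS", "")
    if "linux" in os_guess.lower():
        reasons.append(f"OS fingerprint: {os_guess}")
    for entry in rec.get("Ports", "").split(","):
        parts = entry.strip().split("/")
        if len(parts) < 7:
            continue
        port, state, proto, _owner, service, _rpc, version = parts[:7]
        if state == "open" and any(mk in version.lower() for mk in LINUX_MARKERS):
            reasons.append(f"{port}/{proto} {service} banner: {version}")
    return reasons


def linux_hosts(text: str) -> List[Tuple[str, str, List[str]]]:
    """(ip, hostname, reasons) for every host with Linux evidence, sorted by address."""
    found = []
    for ip, rec in parse_gnmap(text).items():
        reasons = linux_evidence(rec)
        if reasons:
            found.append((ip, rec.get("hostname", ""), reasons))
    return sorted(found, key=lambda t: ipaddress.ip_address(t[0]))


if __name__ == "__main__":
    for ip, name, reasons in linux_hosts(SAMPLE_GNMAP):
        print(f"{ip:<15} {name or '-':<22} {'; '.join(reasons)}")
```

Three limits worth knowing before trusting the list: OS fingerprinting is a guess, and printers and other embedded gear show up as Linux just as the hospital post above describes; a dual-boot box or a Knoppix CD is only visible while it is booted into Linux, so one scan per month will miss most of them; and a Cygwin install on Windows never shows up at all.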
  • Live Linux CD's (Score:3, Informative)

    by niko9 (315647) on Thursday July 31, 2003 @07:06PM (#6583858)
    I wonder how many people boot live Linux distros like Knoppix, and reboot into whatever is installed (NT, XP, Win2k) only when they really have to.

    As an ardent Linux user, I would just change the BIOS settings to boot from CD first, and pop in Knoppix, or leave the CD-ROM tray empty when I wanted to use Windows. No one in IT would need to know what I was up to.

    New York City 911 EMS: When you absolutely, positively cannot call a cab for your toothache
  • by civilengineer (669209) on Thursday July 31, 2003 @07:10PM (#6583875) Homepage Journal
    and all our systems have rogue Linux installs. It's true! ;)

  • I'm under the radar (Score:4, Interesting)

    by pz (113803) on Thursday July 31, 2003 @07:18PM (#6583937) Journal
    Where I work (part of Harvard University), Linux is definitely growing, but is a distant third behind Windows and MacOS. The IT department here is pretty strict about what they say you can and cannot do (kind of odd in an academic environment, if you ask me); as an example, one is not supposed to deploy ethernet hubs without seeking permission first. This just to give you an idea about them.

    I've been here 3 years. Last year and the year previous to that, all of the IT web pages said that the only officially supported OSes were Windows and MacOS, with a stern implication that that was it (and don't you think about using anything else, grrr!). This year, they've acknowledged that Linux exists, and are giving some support for it. The IT folks are at least aware of Linux now, a change for the better.

    Why is this happening? Because there are a few researchers (including me) who have installed Linux on their desktop/analysis machines, and are doing their own system administration. But, these users still need to fit into the global IT picture, for example, communicating with the email servers. As we have migrated from one email system to another recently, the IT folk have visited every single user (no, not kidding) to move their email system over. The fact that I was running Linux was not only no big deal, but they even correctly guessed which mail client I was using, given that I was running Linux. We are, slowly, winning.
  • by WillASeattle (661188) on Thursday July 31, 2003 @07:24PM (#6583985)
    would kind of count as a security risk in itself, wouldn't it?
  • by hoggoth (414195) on Thursday July 31, 2003 @07:32PM (#6584023) Journal
    > the 'official' penetration of Linux into the desktop market is something around 1%.
    > he may have stumbled on several times that percentage of desktop Linux installations.

    If this is true it would be really great for us at Slashdot because then we could brag about a higher Linux desktop market share to our girlfriends...

    No wait, that can't be right...

    Well anyway, he said "Penetration". That's gotta be good, right?

  • by cactopus (166601) on Thursday July 31, 2003 @07:35PM (#6584042)
    I am not a member of IT in my company... though heaven knows I should be... I work for a support organization and I'm a field service engineer (but not part of corporate IT), and they (IT) get in our way all the time...which is amazing considering they have no on-site personnel (3000 miles away in CA) and their only domain controller is an underspec PPro 200 with 128MB of RAM running Windows 2000 AS (yes it is always out of memory and functionally useless).

    As part of my job I set up the office G4 (OS X...which they thought was Linux... probably because of Smb) for training... I am in charge of Apple desktop support for our largest client in the area, an HP 9000 D class for my support of the 9000's in the data center (24/7 on-call), a Windows 2000 AS box for training (Citrix Metaframe XP, etc.) and the box I interface it all with... my Powerbook Pismo. I was told to shutdown and remove these from the network... they have a point about security holes and unauthorized access points...but I kind of chuckle because their infrastructure is very poorly built and my machines are 10 x as secure as theirs (case in point I run only SSHd for the most part and lock down everything)

    They decided to send us a switch and give us an external IP... (IP only after bitching that a lab environment is useless without an internet connection) which is fine except we can't use the local printers... so instead I built a NetBSD firewall and put everything us techs use behind it and then configured it to never respond to any outside services nor pings. So yes I have unofficial non-Windows and technically oriented OS's... and I had Gentoo Linux on my last laptop... but I probably don't count because I am an admin just not by job this time around (I've been director of IT before)
  • First thing I did (Score:3, Interesting)

    by Thomas A. Anderson (114614) on Thursday July 31, 2003 @07:38PM (#6584063) Homepage
    when I was promoted/transfered from help desk to engineering was add a 2nd drive and install linux on the box that came with the cube I moved to.

    Months later, I walked away after initiating an (infrequent) reboot. After making the rounds, I came back to an NT login. WTF I thought - then realized I'd set NT as the default in lilo in case someone needed to use the computer.
  • by Rinikusu (28164) on Thursday July 31, 2003 @07:41PM (#6584086)
    I killed my ISP access at home, so I need ways of moving new versions of applications to my home machine without needing a network connection. While I'm at work, I download the latest .rpm's or tar files (or even Windows .exe's for my Win desktop). The problem then becomes, how to get them home? Well, I have a USB keychain device (128 megs, more than enough to hold stuff that I download, like blender (a hefty 2 megs)). The problem is, our IT "image" disables the use of removable storage devices, such as USB keychains. So, I just boot up my Knoppix CD, it automagically mounts all my drives, pop in the USB keychain and copy the files over, reboot back into Windows, done! :)

    We also have several Linux servers, but no desktops as of yet.
  • by Arandir (19206) on Thursday July 31, 2003 @07:46PM (#6584123) Homepage Journal
    I'm not running Linux under the radar, I'm running FreeBSD. I'm so much more productive with FreeBSD/KDE than with the mandated Win2K. Especially since the network is Solaris. (Why we're supposed to use Windows on a UNIX network is something I still haven't figured out).

    But IT doesn't know about it. I don't have their permission. But guess what? IT doesn't own this computer, my department does, and I got my boss's permission, his boss's permission, and the permission of the VP above him. I would have told IT, but then they would have a cow and it would become a big pile of political crap. But IT doesn't know, so they're happy, I'm happy and my boss is happy.

    I'm certainly not going to tell them about the development lab being switched over to FreeBSD, the Dicom lab running Mandrake, or any of the internal websites running Redhat and SuSE.
  • by BraveLittleHamster (662364) on Thursday July 31, 2003 @07:50PM (#6584148)

    After we began shipping a Linux version of our main server product, I began to notice more and more Linux desktop (and Cygwin) installations on our staff systems. Now, even my project manager and the company owner have separate or dual-boot Linux desktops that see significant use. All it took to get all this going was a few internal howto documents that walked them through a simple secure installation.

    This obviously couldn't happen in a more regulated atmosphere, but at small companies like mine you can often get away with anything you want so long as you continue to be productive and do not cut into the IT budget.
    BLH

  • where I work (Score:4, Interesting)

    by jafac (1449) on Thursday July 31, 2003 @07:59PM (#6584180) Homepage
    Company shall remain nameless for my protection -

    The home office has a special network security "swat team". Last year, they did a security audit of our site, which consisted of trying to hack into our network, from the inside.

    They found several rogue Linux boxes, and were able to hack into them through ftpd. Holy hell was raised. All Linux was purged from our network. Oddly enough, here it is, 8 months later, and nearly every developer has a second box on his or her desk, with, you guessed it, Linux. However, it's a distribution and configuration, approved and controlled by IT.

    It's all about control with these guys. . .
    You'd think that black leather keyboards with spikes and clamps would be popular with these freaks.
  • by hayden (9724) on Thursday July 31, 2003 @08:21PM (#6584298)
    "It's my network and anything that I don't know about gets trashed" blah blah blah *thumps chest*

    If you were actually any good at your jobs you should be asking why these people (who may or may not be risking their jobs) feel the need to install linux? What is it that the current policy doesn't provide? Why has sysadmin become so unapproachable that they did it without asking (this should be an easy one)?

    Actually do something useful rather than wandering around the network marking your territory.

    • Balls!

      First of all, I don't do desktop support--I work entirely on the heavy server end, and am fairly regularly calling the desktop guys for permission to install this software or that on my PC (if I have one--most of the time these days, a Sun box does everything I need).

      But any medium+ sized company will have a policy (and it's generally a blanket policy) about installing software without authorisation. This is a Good Thing, with a Good Reason: Companies are LIABLE for their machines!

      Install a virus o
  • Underground network (Score:3, Interesting)

    by Nucleon500 (628631) <tcfelker@example.com> on Thursday July 31, 2003 @08:45PM (#6584421) Homepage
    At the government lab where I work, Linux has penetrated much more than IT knows. We have an extremely braindead IT staff, and the five-year-old unpatched Groupwise servers simply don't work. The email system is completely bogged down with the viruses everyone trades. The people in my research group got fed up, so we finally just set up our own network. It's mostly Ethernet, with some patchy WiFi. The cables are hidden in PVC piping. This is a lab, so nobody notices when new pipes get put up. We have a few Linux servers doing mail, a website with a Tiki, Jabber, and a few other assorted tasks, as well as a bridge to the real network. IT has no idea, but I can't help feeling that in a few years, they're going to notice that all the scientists are using Linux.
  • by nurb432 (527695) on Thursday July 31, 2003 @08:56PM (#6584461) Homepage Journal
    While many here may think it's cute, it's a bad bad bad thing to have users running around installing an OS on your network without your prior approval.

    Not cool.
  • by Angry Pixie (673895) on Thursday July 31, 2003 @11:04PM (#6585139) Journal
    So there I am in my cubicle playing my usual rounds of mental foursquare with three other cube-mates. One of them still refers to her desktop wallpaper as a "screensaver." One of the men passes corrupted floppy disks around with the glee of an idiot passing out used condoms; and the other still thinks no one can see him playing Solitaire. As for me, I routinely spill coffee and break the no smoking policy while clogging the email system with idiotic Flash movies...

    So who and where the hell are these marauding rogue agents running around installing Linux on office desktops. It can't be IS, they're too busy, and it can't be cube workers, they're afraid of their CDROMs!
  • by twoslice (457793) on Thursday July 31, 2003 @11:17PM (#6585199)
    Then I installed Linux at work on a spare server (supposed to be for DRP but what the hey!). The best part is that I set it up with PXE support. I have about 25% of the company running Linux without touching the OS on their systems. Just set the workstation to network boot and presto, Linux (similar to Knoppix). They like it a lot better 'cause they are sharing a 2.8GHz Xeon with 4GB of RAM. Most were used to PII300's. They can always skip the network boot and boot into Windows but they are doing it less and less now, especially since I have really cool games on the server =).

    I hope to have the whole company converted by christmas!

  • by Nishi-no-wan (146508) on Friday August 01, 2003 @12:04AM (#6585416) Homepage Journal
    The powers-that-be send out a questionnaire twice a year to know how many licenses to purchase for what. In the questionnaire, there is a question for primary OS and, if applicable, dual boot OS. The primary OS ONLY lists Win 95, Win 98, Win NT, Win 2000, etc. Secondary OS can be the whole MS lineup plus Linux and Sun OS.

    Running FreeBSD as the primary and only OS on three machines at work, I have a really hard time with these forms. What further investigation revealed (as I wanted to give them the CORRECT information despite their problematic form) was that their bonehead Access database required a primary OS from the list, with an optional secondary OS from the secondary list - no other options could be entered. So my three computers were registered as Win 2000 primary OS and Linux for secondary OS. Despite repeated pleas by me, we're paying Microsoft for three unnecessary licenses.

    What annoys me most is that whenever I say "FreeBSD," my supervisors always hear "Linux." They aren't against Linux (or FreeBSD for that matter) as it seems many of your bosses are. Linux is a keyword in marketspeak, so it's acceptable. When asked about why they hear "Linux" when I say "FreeBSD," I was told that the "Free" in "FreeBSD" makes it sound cheap (in quality) to administration and potential customers. Using it is OK, but not to the outside world (or department).
