A lesson in Linux: Eating one's own dog food
There is an old saying in the Linux community (actually in just about every community - but I heard it from a Linux developer first) "eating your own dog food" (or the shorter "hipster friendly" version dogfooding. This basically means using the product you create. It can also be associated with practice what you preach. Sometimes this ideology sneaks up behind you and stealthily bites you on the bum. This recently happened to me...and I thought I would share the experience with you to illustrate that user error is best way to an insecure Linux installation.
I relay this story not just as a "silly me" anecdote, but more to illustrate an issue so that Linux users will also use the same type of caution any user of any operating system should use when said operating system is on line.
Allow me to set the stage
This whole ordeal happened because yours truly neglected to shut down (or secure) a service I covered for Ghacks a while ago. The article in question was "Vinagre remote desktop connection for Linux" which is a means to remotely connect to and manage a Linux desktop. Very simple. Very innocuous - or so one would think. Let me, instead, change your mind.
The other evening I was working on an article on a very different aspect of Linux, when all of a sudden my desktop started acting a bit odd. This is very much out of the ordinary as my desktop never has any problems. Odd windows were opening up, the cursor was jerking around...I bet you can see where this is going.
It didn't take very long until Vinagre opened up a small window to inform me that another user had logged onto my desktop. Very strange, seeing as how I was the only one in the house who could even recite what the acronym RDP stood for. So something was afoot!
I quickly shut down the remote desktop server and started checking around for any signs that my culprit had found anything of use. Fortunately he (or she - I am, if anything, PC and think a hacker can be either male or female) managed nothing before I knew what was happening.
After this happened I went back and checked into why this was allowed. To my dismay I discovered that, after writing the article, I had left the remote system set up so that anyone could connect to my desktop WITHOUT a password! Yes, I did this to make the writing process more efficient - but usually I go back and close those holes. This time around, I didn't...and nearly paid for it.
As soon as my lapse was realized I quickly fixed the error and then made sure my firewall was blocking any RPD (or VNC) traffic coming from the outside world and then made sure my router hadn't been compromised. Since that incident, nothing had happened but my personal dining of crow and humble pie.
The lesson
Here's the thing - allowing for remote desktop access is crucial in many situations. But making sure these connections are not open to just anyone is even more important than simplicity. When you are setting up these sorts of holes in your system, even when using Linux, make sure those holes can only been penetrated by known, friendly users. If not, you open yourself up to a world of possible bad issues. I have learned my lesson here - always go back and shut off (or uninstall) services that will not be used after writing about them!
Linux is a very powerful, secure operating system...but it's not 100% (nor is any OS). This is especially true when the user (or administrator) is careless in the setup of the system. Alway use caution and do NOT rest on the reputation of an operating system. If that operating system has a live ethernet cable attached it is vulnerable.
Advertisement
For a personal HowTo that I was writing, I also left open SSH port 22 with a very insecure username and password. I too was compromised at that time and ended up reinstalling my whole Debian OS. It wasn’t at all the system that was insecure, it was the way in which I had managed it. It was certainly a learning experience, to say the least!
This is very true in all computer security issues. The user is the weakest link. I’ve always been amazed at some of the security measures that get disregarded. For instance, why give users the ability to save their password. I know it’s convenient, but it’s also convenient to not have a password at all. Security isn’t always convenient. As a side note, knowing this, I still save my passwords. The option is there so I take it. I’m just as bad as anyone else at this. I just think that it’s strange that there is always a “save password” or “remember me” option.
How can you be sure no other hacker ever happened to connect to your machine and do something malicious while it was turned on but you weren’t sitting in front of it?
The lesson should have been ‘Never ever use your productive machine to fool around with.’