The Android connection
Linux servers are huge targets with undoubtedly more valuable data per machine than anything hackers could swipe from Linux desktop machines. Yes, there are Linux desktops in existence, no matter what your parents told you. Those folks might -- might -- have a legitimate argument that their numbers are too small to warrant cyber villain attention. But lest we forget, Linux has somewhat recently vaulted to the desktop and attached itself firmly to tomorrow's most popular computing form factor, the mobile device, with up to 80 percent market penetration, depending on which of us raving pundits you believe. From phones to smart wearables, Android is there, and it's a Linux derivative.
DeepFace? Really? With all your billions, you can't stop reading vintage comics long enough to hire someone with enough creativity to invent software names that won't give children nightmares?
Unfortunately, Android users and Google both seem to subscribe to the Linux-is-more-secure mythology. Google touts Android's design as a sandbox implementation that's isolated from the rest of the system as its big security advantage, but when users install software they're presented with a mostly binary choice: yes, install and accept everything the app asks to access on your device, or no, don't install. That's not much of a security model.
Google's even argued that the security industry is exaggerating Android's threat levels in order to increase profits, which is a little weird coming from the King Solomon of the software world. Google did introduce a malware scanner in Android 4.2, and that's getting competition from third-party security software, but Google's made sure to limit their effectiveness with the aforementioned sandbox architecture -- which I'm sure has nothing to do with giving the NSA an easier time whenever they feel like hacking into your phone via Angry Birds. Google didn't even introduce remote wipe until last year!
DeepFace doesn't impress me at all, dude. It makes me want to get into DeepScotch with DeepDepression cultivating a sense of DeepForeboding and DeepDisappointmentwithYourEthics&SoftwareNames. For Pete's sake, step it up!
Your servers are sitting ducks
Alas, Windigo didn't attack Android, though I'm sure it could be modded to do so. It attacked servers, which I'd say is worse. Those machines were apparently weak on authentication, probably because admins were lulled by a false sense of safety, used easy-to-remember passwords, and didn't employ basics like two-factor authentication or antivirus. Like launch codes or wizard nipples, server authentication must be protected at all costs. If this is news to you, plenty of step-by-steppers and helpful tips are available for securing your box.
ESET is recommending that admins rebuild compromised servers from the ground up. According to their research, the malware has root access, so nuking from space is the only way to be sure. That's hard cheese for most server admins, but maybe it's the push those folks need to take off the blinders and wade into the sad security reality the rest of us are living in.
Damn DeepFace. Thanks Zuck, now I have a stress headache.
This article, "The Linux security spell is broken," by Robert X. Cringely was originally published at InfoWorld.com in his Notes from the Field blog.