Posted July 11, 2013
timppu
Favorite race: Formula__One
Registered: Jun 2011
From Finland
Strijkbout
BANNED
Registered: Mar 2012
From Netherlands
Posted July 11, 2013
One of these persons must have seen Battlestar Galactica. =P
dada_dave
Once New User
Registered: Oct 2010
From United States
Magnitus
Born Idealist
Registered: Mar 2011
From Canada
Posted July 11, 2013
Shinook: Linux is not common in production environments, it's harder to manage and doesn't provide the same functionality in a Windows environment that Windows systems will. The situation has improved over the years and it does show up, but it's not as common. If you are referring to embedded devices (e.g. TVs), then Linux is somewhat common, but it doesn't really change anything.
Actually, I was referring specifically to embedded devices. Linux has the advantage of being free, more easily decoupled into its core (historically, Windows has had more bloat though they did address that to some extent with the latest server renderings) and customizable to suit specific needs (ex: Android and if you expand it to Unix in general, OS X as well).
Shinook: Linux is just an operating system like all the others, it's not an inherently "powerful OS" and despite what you may have been told, it's not inherently more protected against attack either.
I was not referring to it as the only powerful OS. Just one of the big ones that had countless man hours put into it unlike some of those limited features OSes that are created specifically for one device and then never seen again.
Shinook: For the average user it may be 'safer' to use since Windows malware won't run on it (for various architectural reasons) and malware authors haven't really found infecting Linux profitable yet, but if you are dealing with a targeted adversary like they thought they were, it's perfectly reasonable to expect them to have Linux bugs and malware. It's just an operating system like all the others.
Linux does have the advantage of being open which means that it doesn't rely on security through obscurity at all and which also means that when a security problem is found, you don't have to rely on one agent (Microsoft) to fix it. Microsoft has been known to drag its foot with patches for known security exploits in the past.
Shinook: As for recovery options, those are usually trivially infected, as the data is usually stored r/w on the local hard drive inside of another partition.
As long as the BIOS is not writable, you can boot from whatever media you like and wipe out the hard disk.
Shinook: The only way to guarantee non-infection is to destroy media and start over, the more you destroy the more likely you are to eliminate the infection. With the way hardware is today, it's not impossible for the hardware itself to be infected, either.
Well-designed hardware either should not be infectable or 100% recoverable (you might lose data, but you'll have your device back in a pristine state). They've done that with PCs forever. You don't need to buy a new computer each time it gets infected.
If I get a PC that is like that, you can be sure that I won't purchase from this manufacturer again.
Ok, so I can reprogram my mouse or my keyboard without opening it and changing parts?
Good luck with that.
Shinook: It's also worth pointing out that this was a policy decision, not a technical one. They didn't sit down and run through which piles of hardware to burn and which to keep based on technical specifications. They had a group of people that sat around in a room months or years ago and came up with a response plan, which calculated the cost of destruction vs. the value of the data on the systems. At that point, they determined what would be done, how much it would cost, and what the risk of data loss vs destruction of systems would be. The risk of destruction on a false positive was clearly acceptable based on the value of the data.
When they "found" the infection, the plan went into action and they executed on it. Again, not entirely uncommon depending on the value of the data.
They destroyed mice and keyboards. That speaks volumes about how well considered their policy was.
More likely, they had a "one size fits all" policy and they mindlessly applied it to everything.
Shinook: Look at it this way, you go to the grocery store and buy some meat. A few hours later you see on the news that the meat could potentially be unsafe to eat and should be destroyed. You paid $10 for it, but it would cost you $10,000 in medical bills if you got sick. What would your response be? I hope any sane person would destroy the meat completely, sure it may be a false positive, but at the end of the day you know you won't be infected. This situation is no different, the numbers are larger, but I'd venture the margins are similar.
A better analogy for that situation I find is: Oh, there is a recall on the meat! I'm tossing my grocery bag in the garbage!
In fact, I'll throw away all the food I got at home (including those canned goods I bought a year ago) in the garbage and just to be sure, I'll trash the fridge as well and buy a new one!
AndrewC: Having one of the sites of the company I work for go through a similar scrub, it's not as much about over-reacting. Problem there was more of a human one, as they found a couple of hardware keyloggers as well as software ones installed on random systems throughout the office.
After doing some math it came out cheaper to just trash everything and buy new than to have a security firm run a security scrub on both the hardware and software side.
That actually makes more sense if they had a saboteur that physically modified the hardware though in the case of the story above, I'm not sure if they had any indication that it was the case.
It read more like: "Oh, we have a virus, let's trash all the hardware!" (as opposed to wiping everything back to factory state and reviewing their admin policies).
If they do that every single time they have some virus infection, their operating costs will be prohibitively expensive.
Post edited July 11, 2013 by Magnitus