security in ubuntu

Quote:

Originally Posted by Mrkvonic

Any services that listens on ports < 1024 must start as root in order to open the socket and then it can switch to another user, e.g. apache. Since cups listens on 631 by default, it must start as root. That's the basics.
Mrk

Gotcha, and to switch to another user it would have to use SUID which would be terrible practice, right? Cups on my computer has about 15 files associated with it. Here are the permissions for two of those files:

Code:

-rw-r--r-- 1 root root 4617 2011-09-27 09:16 cupsd.conf
-rw-r--r-- 1 root root 4737 2011-09-27 09:16 cupsd.conf.default

Which indicates that it is indeed owned by root, and is in the group root. It doesn't use SUID because if it did, there would be an "s" listed in this part: rw-r--r--.

I just learned about linux permissions (literally) yesterday so there's plenty of room for me to be wrong/misled. That's why I was looking for a source.

Quote:

Originally Posted by funkydude

Care to elaborate on how that statement justifies that response?

Yeah, sorry funkydude, that wasn't really fair. I should keep my mouth shut when I don't feel like elaborating. But HungryMan was right. When you say "Linux is more secure" it's a pretty sweeping generalization. A lot of folks think they're secure by being obscure which is just wrong- Linux is usually only obscure to the people that say that.

I will concede that on any given Linux desktop you are safer from viruses, drive-bys, and lots of automated malware out there because that stuff was generally written for Windows machines. However, that doesn't make you invincible. You can still get yourself owned by practicing poor common sense- download any old thing, open unsolicited email attachments, click on malicious link, blah blah blah. Browser exploits don't care which operating system you use, so neither Windows nor Linux are secure out-of-the-box in that regard. If you're running services on either Windows or Linux that you don't understand and haven't configured properly, then you're vulnerable on both operating systems.

All bets are off with any kind of server. It's all about the configuration. If a server is poorly configured then it will get owned, regardless of the operating system.

So my biggest problem with the statement that "Linux is more secure" is that it gives a false sense of security. It makes people think they're somehow immune and then they do stupid stuff (present company excepted of course).

Security is a process. You have to determine where your vulnerabilities are, what is likely to attack you, and then implement defenses that make sense. There are no short cuts.

[funkydude]

I never denied any of that, thought you seemed to miss the entire point of my statement, that it is more secure by default. I never said it was flat out secure.

Infact I pretty much explained everything in the sentences below that statement.

Quote:

Originally Posted by funkydude

I never denied any of that, thought you seemed to miss the entire point of my statement, that it is more secure by default. I never said it was flat out secure.

Infact I pretty much explained everything in the sentences below that statement.

Nope, you're right I did miss the entire point of your statement. I can fire up metasploit and own a default linux box and a default windows box. The more they're hardened, the harder it will be for me to own them.

Let's just agree to disagree, can we? I don't see this argument going anywhere productive.

[funkydude]

Quote:

Originally Posted by BrandiCandi

Nope, you're right I did miss the entire point of your statement. I can fire up metasploit and own a default linux box and a default windows box. The more they're hardened, the harder it will be for me to own them.

Let's just agree to disagree, can we? I don't see this argument going anywhere productive.

Again you're missing the point. You seem to be stuck thinking that I'm suggesting that Linux is somehow unexploitable... where did I suggest that? Why would you think I'm suggesting it's somehow immune to exploits?

I don't understand how much simpler I can make it, Linux is set up to be more secure by default, that's the ENTIRE reason it's more "difficult" to use in the eyes of the newbie. If you want a basic example, here's one: Default standard user in Linux vs default Admin with UAC artificially reduced privileges in Windows.

But I guess sarcastic responses are the best way to go when you don't understand something. I couldn't care less if you "don't want to argue", you were the one that spouted "facepalm" without reading my post.

[vasa1]

Quote:

Originally Posted by BrandiCandi

...
Let's just agree to disagree, can we? I don't see this argument going anywhere productive.

Very true because security experts take great delight in repeatedly pointing out the extremely obvious: that nothing is absolutely secure.

Quote:

Originally Posted by funkydude

I don't understand how much simpler I can make it, Linux is set up to be more secure by default, that's the ENTIRE reason it's more "difficult" to use in the eyes of the newbie. If you want a basic example, here's one: Default standard user in Linux vs default Admin with UAC artificially reduced privileges in Windows.

(Speaking as that newbie) perhaps the reason linux is more difficult to use in the eyes of the newbie is because you actually have to understand how the operating system works to use it. Compare that to Windows where everything is made to look easy, making newbies think they know how it works when they don't. I thought Linux was more challenging because it made me realize that I have to truly understand things like file permissions and TCP/IP protocol to set them up properly, and because I didn't have a paternalistic security program giving me a false sense of security. (Turns out you have to really understand the OS on windows too, but ironically I didn't know that until I started learning Linux).

Both Windows and Linux have done tons of things to increase security by default. But to meet my security goals, I have to do a lot more on both. So it's kind of irrelevant to me which is slighly more secure by default. Few people should stick with only the defaults. I rant about it because other people misinterpret statements like yours and think there's nothing they need to do.

lol

IMO people shouldn't need to become geeks or programmers or whatever to use an OS.

And Microsoft seems to be committed with a vision of technology that understands humans, not the contrary.

[Hungry Man]

Ubuntu's installer is incredibly easy. It handles everything for you and I think it's as easy to use as the Windows 8 installer, if not easier (while it installs it informs you on how to use the OS). There's even Wubi. Unity is incredibly easy to use as well.

I don't find Ubuntu more difficult to use at all. When I was new to it, absolutely, I simply didn't know the procedure. That doesn't mean that the procedure was worse, only different.

Honestly, I find it much easier to use. I like the shortcuts like super + W and being able to alt + drag windows around (my two most users) and I never have to worry about staying up to date because the system handles it for me.

AppArmor is dead simple to use, I'd argue it's easier than anything built into Windows because of its learning mode (it's literally only a matter of using a program to get apparmor to work).

But that's a separate topic entirely.

I'm sorry Hungry Man, but your opinion on this matter is very biased - you are a programmer, you already understand technology.

We need people that don't understand technology to give their opinions when it comes to "easy of use".

Microsoft does that kind of research everyday - and to a very large extent.

[Hungry Man]

Quote:

your opinion on this matter is very biased

Pot, kettle, etc.

Ubuntu's installer is clear and straightforward. I don't put up with hard-to-use operating systems. I dislike having to make my system work. I'm fine with tweaking, but fixing? No.

I really like the usability features. I hated moving to 11.4 way back when because it didn't have the keyboard shortcuts I wanted and Windows 7 did.

Unity 12.4 has those (windows + directionf or snapping) and more. It's the best UI I've used. It's very similar to Windows 7's UI except it's got 'expose' and alt dragging.

AppArmor requires no programming. SELinux is basically a language unto itself. I like AppArmor because there's absolutely nothing to it. Learning mode handles virtually everything, all the user has to do is answer the question "is it broken?" IF it is, complain, if it isn't, enforce. That simple.

Good that it works for you.

But my point is that I would love to see more profound user researches. Does Canonical make any of those?

Something at least comparable to this:
- http://www.microsoft.com/en-us/usability/types.aspx
- http://www.microsoft.com/products/ce...S/default.mspx

[Hungry Man]

Research into the what the community wants for a community driven project?

Quote:

Originally Posted by Hungry Man

Research into the what the community wants for a community driven project?

Of course.

[Hungry Man]

Seems a bit redundant to ask yourself what you want.

Quote:

Originally Posted by Hungry Man

Seems a bit redundant to ask yourself what you want.

Except that the community that drives that project (ubuntu) is a tiny part of a way bigger and diverse universe of potential users.

They need to reach that universe because their user base at the moment is almost irrelevant numerically (<1%).

That's just my opinion of course.

[Hungry Man]

Not super related but how do I report a bug for Windows? With Ubuntu all but the security bugs are handled publicly and anyone can comment and provide information. I don't know if Windows has a system like this.

I know of two "guaranteed" ways:

http://connect.microsoft.com/

Or

http://support.microsoft.com/select/?target=assistance

Another one would be via http://social.technet.microsoft.com/...us/categories/

[Hungry Man]

https://connect.microsoft.com/Visual...ll-screen-mode

This looks like it. Good to know, thanks.

[Mrkvonic]

Quote:

Originally Posted by guest

lol

IMO people shouldn't need to become geeks or programmers or whatever to use an OS.

And Microsoft seems to be committed with a vision of technology that understands humans, not the contrary.

Really? How do you check your ip address in Windows?
Is that for humans?
Mrk

[funkydude]

Quote:

Originally Posted by Mrkvonic

Really? How do you check your ip address in Windows?
Is that for humans?
Mrk

Type "my ip" into Google like I bet most people would do :p

Infact it's faster for me to load a browser and type "my IP" because DuckDuckGo will show my IP at the top of the search results instead of choosing a link.

...Assuming you're talking about public IP that is!

[Mrkvonic]

That's not the point. That's true for all OS.
How do you know your client ip address - simplicity in windows vs. linux.
Mrk

Quote:

Originally Posted by Mrkvonic

That's not the point. That's true for all OS.
How do you know your client ip address - simplicity in windows vs. linux.
Mrk

In Windows? Network status -> Details.

guest: I think you're missing the point. Linux has a steeper initial learning curve than Windows, and usually better default security, but in the end they both have the same problem - that real security requires more knowledge of the OS than is necessary for day to day use. Mandatory access control helps mitigate this, but cannot make the problem go away.

(Note BTW that I said steeper initial learning curve. Linux is pretty byzantine itself, but Windows is insanely complicated under the hood. Check out the exec() function family vs. the Win32 CreateProcess() function for instance.)

I'm not missing the point. My reply was directed at BrandiCandi's statement that "Few people should stick with only the defaults." I don't agree with that. IMO, it's the contrary: few people should change the defaults. And Windows makes this possible.