More FUD about LINUX security

Discussion in 'all things UNIX' started by linuxforall, Apr 16, 2012.

Thread Status:
Not open for further replies.
  1. linuxforall
    linuxforall Registered Member

    http://mrpogson.com/2012/04/14/more-fud-about-security-of-gnulinux/

    The truth is you are thousands of times more secure with GNU/Linux than that other OS. The count of malwares proves that. The incidence of malware infections proves that. The prevalence of GNU/Linux servers on the web proves that. The fact that M$’s servers are becoming more like GNU/Linux machines with time is another. Heck, M$’s 2008 server can even run GUIless and uses scripting. Where have we heard of that? Oh, GNU/Linux back about 1995.
  2. guest
    guest Guest

    Security in Linux comes from not being user friendly, if you prefer.
  3. linuxforall
    linuxforall Registered Member


    The other word for user friendly is DUMBING DOWN! :D but on the same note, Ubuntu is LINUX and it's user friendly enough. Even hardcore Chakra is quite user friendly once one has an open mind.
  4. Hungry Man
    Hungry Man Registered Member

    lol I guess by that logic BSD isn't secure?

    Oh, goodness.

    Even if Linux did run Oracle's Java (it runs OpenJDK) it, by default, runs in an AppArmor sandbox. And configuring that sandbox further isn't difficult. The attacks on OSX would not have worked the same way on Linux. Even if you do install Oracle's Java VM it's not hard to sandbox.

    Linux is obscure in that no one's targeting users, but the kernel is absolutely not obscure, it's the most popular kernel in the world. There are plenty of eyes on it. It's open source, there are tons of companies supporting it with devs, there are tons of people supporting it... it's just "obscure" in the best ways lol incredibly well known but only ever targeted as a server OS.

    Plus the tools provided by linux are very powerful both for devs and users.
  5. NGRhodes
    NGRhodes Registered Member

    Terrible rant, does not explain anything. Just a lot of unqualified statements.
  6. linuxforall
    linuxforall Registered Member

    Linux is obscure o_O

    How when it's used by majority of super comps and servers around the earth especially in mission critical areas where hacking is the name of the game on daily basis. It's not just Linux kernel but Linux in itself, to run the kernel, one needs LINUX last time I checked.
  7. Hungry Man
    Hungry Man Registered Member

    I'm not calling Linux obscure. I'm saying that users running linux are rare (and therefore not targeted.) Servers running linux are not - and with Android the linux kernel is the most widely used kernel in the world. That means that you
    1) Linux users (not servers) are less likely to be targeted by mass attacks - little payoff and higher cost of attack

    2) The linux kernel still benefits from having tons of eyes on it

    I was trying to say that, for a regular user, this is the best of both worlds.
  8. linuxforall
    linuxforall Registered Member

    Home users are low end targets for all, doesn't matter if they are running Linux or Windows, the meaty bit is corporate where funds can be transferred out or valuable data can be compromised to their benefit.
  9. Hungry Man
    Hungry Man Registered Member

    The millions of Windows virus samples that target users would disagree with that conclusion.
  10. Mrkvonic
    Mrkvonic Linux Systems Expert

    In my lexicon, it's called TL:DR.
    Mrk
  11. linuxforall
    linuxforall Registered Member


    Of course, that's a very profitable industry, the business of VIRUS ;)
  12. Gullible Jones
    Gullible Jones Guest

    TL:DR

    Windows has stupid, stupid default settings (like USB autorun). So do most Linux distros (like Ubuntu's rampant use of sudo).

    Any large software project contains bugs, including security bugs. The Linux kernel is considered fairly unbuggy for something with 6 million+ lines of code, and it's still got huge numbers of bugs including remote holes. Things like the Xorg stack are less rigorously maintained, and may contain a vast number of bugs unknown to the maintainers.

    Even running as limited user won't protect you. On a desktop you're not much better off with a limited account; a subverted user account can still log your keystrokes, steal your data, and spam the infection on to other machines. Depending on the available bugs, stuff can even be hidden in userspace, without a kernel rootkit. (Also, there are always local privilege elevation exploits! Usually involving suid binaries.)

    There are a few things protecting you on Linux:

    - Linux is not a monoculture like Windows and OSX. Any two Linux systems can be wildly different in terms of installed software and default configurations, so worms and other autonomous badware are less effective.

    - Linux on the desktop has a tiny and mostly well-educated user base, so it's not really worth it to design worms and whatnot for Linux.

    - Linux uses repository systems, making it easy to keep software up to date (and to use only known safe software). This is probably the biggest security advantage of Linux over Windows right now.

    Otherwise Linux is every bit as vulnerable, and mark my words, there will come a day when that vulnerability shows.

    As for me... I always enable iptables on Linux when possible. I always use a browser with Noscript or click-to-play, instead of unrestricted plugins. I figure those are enough for now, but I'm not kidding myself - at some point, they might not be. Linux is currently in the malware-absorbing shadow of two major monoculture OSes, and when it emerges from that shadow, things are going to get quite ugly, IMO.

    P.S. If you've made it this far, I should note that Windows NT uses ACLs *by default* instead of straight UNIX permissions - a vastly more flexible system, and vastly superior if used correctly. I don't know which distros use ACLs by default, but I know it isn't many of them.
  13. Hungry Man
    Hungry Man Registered Member

    Yep.

    That, finely grained access controls, and being open source are what do it.

    I don't think things will get ugly. Social engineering isn't going to be nearly as effective when you get all of your software from a trusted repository. Exploits on linux aren't like on Windows - you can sandbox any process and any service on your own and developers can make use of incredibly powerful internal sandboxing.

    If you were to jump linux up to 100% market share today, yes, it would be unprepared. But it's secure as it is and if there were methods of intrusion for it that were reliable there would be methods of prevention thought up quick.
  14. NGRhodes
    NGRhodes Registered Member

    Gullible Jones,
    What is wrong with Ubuntu's use of sudo?
  15. linuxforall
    linuxforall Registered Member

    Of course vulnerabilities show in Linux, more so than anything because of the fact that Linux is used in applications that are prone to attacks, that's the biggest advantage of Linux which gets trickled down to end users.
  16. funkydude
    funkydude Registered Member

    Are you talking about for installing additional software or how the OS itself is developed? As I highly doubt any OS is developed outside of a repository environment. Merging code would be great fun!

    That is different from other operating systems, how?
  17. Gullible Jones
    Gullible Jones Guest

    5-minute passwordless timeout, during which you might as well be running as root. Also, prompting for the user's password - a keylogger could steal that password and obtain root access.

    Installing additional software. Distros like Ubuntu put huge amounts of known safe software in their package repositories; GPG signing ensures the packages haven't been tampered with. Users are encouraged to use software from the repositories, instead of downloading it from random websites.

    Obviously such systems have... some issues, but they do make Linux a bit safer on the desktop.

    (Also, I should probably note that GNU/Linux itself is developed outside of a single repository environment - the kernel, core utilities, graphics stack, etc. are all developed in separate code repositories, by separate development teams, and eventually compiled and cobbled up into an OS. The whole userland is held together with duct tape and baling wire.)

    The access controls in many distros (UNIX permissions) are less finely grained than in Windows NT (ACLs). I suspect it may be more a question of using existing access controls properly.

    (Personally I don't think being open source has anything to do with it, but that's open to debate.)
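
The sudo credential-caching window raised in the post above can be checked on a given system. The following is an added example, not part of the thread: a Python audit that reads sudoers text and reports the `timestamp_timeout` setting and any `NOPASSWD` rules. The sample input is constructed, and the 5-minute fallback is an assumption, since the compiled-in default depends on the sudo build.

```python
import re

# Assumption: fallback when no Defaults line sets it; the real default is build-dependent.
ASSUMED_DEFAULT_MINUTES = 5.0

_DEFAULTS = re.compile(r"^Defaults(?P<scope>[:@!>]\S+)?\s+(?P<body>.+)$")
_TIMEOUT = re.compile(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")
_NOPASSWD = re.compile(r"\bNOPASSWD\s*:")
SAMPLE = """\
# constructed sample, not taken from a real host
Defaults env_reset
Defaults mail_badpass, \\
         timestamp_timeout=15
Defaults:deploy timestamp_timeout=-1
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

def logical_lines(text):
    """Join backslash-continued lines; skip blanks and full-line comments."""
    for raw in re.sub(r"\\\n", " ", text).splitlines():
        line = raw.strip()
        # '#include' and '#includedir' are directives, not comments.
        if line and not (line.startswith("#") and not line.startswith("#include")):
            yield line

def audit_sudoers(text, default=ASSUMED_DEFAULT_MINUTES):
    """Return the global timeout, per-scope overrides and NOPASSWD rules."""
    result = {"global_timeout": default, "scoped_timeouts": {}, "nopasswd": []}
    for line in logical_lines(text):
        m = _DEFAULTS.match(line)
        t = _TIMEOUT.search(m.group("body")) if m else None
        if t and m.group("scope"):
            result["scoped_timeouts"][m.group("scope")] = float(t.group(1))
        elif t:
            result["global_timeout"] = float(t.group(1))  # last setting wins
        elif not m and _NOPASSWD.search(line):
            result["nopasswd"].append(line)
    return result

def describe(minutes):
    if minutes == 0:
        return "password required on every sudo call"
    if minutes < 0:
        return "cached credentials never expire"
    return f"no password prompt for {minutes:g} min after a successful sudo"

if __name__ == "__main__":
    for key, value in audit_sudoers(SAMPLE).items():
        print(key, "->", value)
```

Setting `timestamp_timeout=0` in a `Defaults` line removes the cached-credential window entirely; a negative value is the opposite extreme and is worth flagging in review.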
  18. Hungry Man
    Hungry Man Registered Member

    I guess whereas Windows attackers can rely more on social engineering a linux attacker will try to compromise the system itself (difference between a user OS and server OS.)

    Not really. You can create chroot or LXContainers or make use of LSM or seccomp to completely control both file access and API access. Every Linux OS at least supports chroot, chmod, and lsm.
  19. Mrkvonic
    Mrkvonic Linux Systems Expert

    A question - What keylogger?
    Mrk
  20. Ocky
    Ocky Registered Member

    A pithy question. Awaiting GJ's answer. :D
  21. vasa1
    vasa1 Registered Member

    Blessed are the patient, they shall inherit the land.
  22. NGRhodes
    NGRhodes Registered Member

    No worse than if you were already logged in as root.

    Cheers, Nick.
  23. Gullible Jones
    Gullible Jones Guest

    A theoretical one. Haven't heard of a userspace keylogger for Linux yet, but that doesn't mean it couldn't happen; only that it's not yet worthwhile to write one.

    I believe the correct way to do this is the method SuRun uses by default - to prompt the user without asking for a password.

    So far the only ITW trojans for Ubuntu have relied on social engineering. Usually along the lines of "Install this untrusted .deb package to get another pretty desktop theme!" IIRC. Needless to say they haven't spread very far.

    Normal Linux chroots are fairly easy to bust out of, IIRC, to the point that Linux developers describe them as "not a security feature" and discourage their use as such. LXC sounds a lot more secure, but I've yet to see any distro use LXC for anything by default, or include any simple GUI for using LXC.

    For ACLs on Linux you'd use getfacl and setfacl, not chmod. Windows equivalent would be cacls.exe (I think?). I have no idea if Windows does anything with POSIX permissions (does NTFS even support them?), but I know it uses ACLs all over the place, and most Linuxes I've tried do not.

    LSM... Yeah, I'll admit the various MAC systems are pretty powerful, but who puts them to serious use? Last I checked Fedora was the only distro that sandboxed its browser by default.
  24. Hungry Man
    Hungry Man Registered Member

    Chroots by default are not meant for security, they're meant for ease of use/ testing software. The chroot bypass involves making use of chroot again while in a chroot environment. You can prevent this easily (it's actually built into some systems already iirc and it's been proposed for others - the developers definitely recognize it as a potential security feature.) They're not so much discouraged for security as it is that they are, by default, not for that.

    Ubuntu doesn't sandbox Firefox by default but it does sandbox multiple services without the user having to do a thing. It comes with quite a few profiles and creating them is simple. Can't say the same about Windows.
  25. Gullible Jones
    Gullible Jones Guest

    I thought Windows 7 ran a bunch of stuff in low integrity mode by default, including IE? Also you can use psexec (from Sysinternals) to launch anything in low integrity mode (psexec -l), though some applications (unfortunately including Firefox) do not work that way.