What will 2012 bring in terms of cyber-crime?

Discussion in 'other security issues & news' started by PJC, Dec 31, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's fine - that's not really the purpose. Open source lends itself to V&V, that's it. It does not inherently mean that someone has gone over the code. It does not inherently mean there is no malicious intent.

    It just makes it much easier for the community to know.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, indeed! I just think that lots of people get the wrong idea of open source VS closed source.

    Open source has the advantages you mentioned. I agree with that. I also agree the projects in the spotlight can be trusted to be OK.

    I trust XYZ well known open source projects, because they're in the spotlight. But, many people would trust a not well-known open source application, which is not under the same scrutiny as a well known open source project, over a closed source application that does the same, even though this closed source application is also in the spotlight and under scrutiny.

    As you also agree (I think lol), there's a gray area that shouldn't be disregarded.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Sure, that grey area is there. People should understand that. People should also understand that as long as a project is closed source it's all a grey area.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Sorry to get back in this so late, but Hungry pretty much nailed it with his answers. Everything you mentioned using in Windows is already way too much just so a regular user can feel decently good about their system. The difference between Windows and Linux is that I have to set all that up in Windows to be "safe enough". In Linux, I install the distro, grab some programs from and only from the repository and by default I'm "safe enough". That right there is a big enough difference before we even begin to touch on the options Hungry mentioned.
     
  5. wat0114

    wat0114 Guest

    Right, some things were mentioned, although some misconceptions from both of you, I'd say. Sorry, just my opinion based on my experience setting up Windows securely. It's not as difficult or weak as some make it seem.

    Linux is certainly nice and secure out of the box, but what is its market share again? ;)
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You folks can bet that the more common Linux becomes, the more user-friendly it will have to become and that will mean we'll see most of that default security having to be disabled/reduced, so that the masses get to use Linux just fine.

    I'm wondering how many of these users would probably simply go root, so they won't have to use sudo whenever they need to elevate something?

    We'd also see many sources to download applications to such operating system. Who cares about a repository, if what the user wants (or is made to believe that's what he/she wants) is not in the repository? ;)

    It's the same story all over again. If the user doesn't feel comfortable, then the user will make her/himself comfortable, won't they?

    Argue all you want, but it simply doesn't matter the default security Linux has to offer you - the user is still the weakest link. As long as the user can disable all that or go around it, Linux is as weak as Windows. As I also previously mentioned, there's nothing Linux can do to protect the user against social engineering.

    The few home users using Linux as of now are safe due to Linux not being widely used for home usage. Do you really think that if Linux was widely used and if I put some Jane or Joe in front of it and tell her/him to do what they do in Windows, that at some point they won't be hit? Think again.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    What misconceptions?

    AppLocker is a whitelisting tool. Integrity is Windows MIAC. SRP is MAC. Linux provides a much better MIAC and SRP by default and instead of just "Setting to low integrity" you can restrict much more finely.

    I much prefer using Windows and I feel "safe enough" with my setup. But between having a central software repository, open code with thousands or millions of eyes on it, and a fine tuned MAC policy Linux really is just more secure.

    Not really. It's very compatible. Moreso than integrity levels, for sure, because developers/ users/ the OS can profile applications to ensure security and compatibility.

    This would definitely be an issue. But software repository helps a lot with that, you simply give it sudo once and the repository handles the installs instead of giving each installer sudo/ root.

    Yes, certainly. Except the goal of a repository isn't to just give a place to download, it also manages updates and security patches.

    And if the user doesn't, they won't.

    Yeah, actually. The difference between Windows and Linux is that with Linux I don't have to worry about some 0day kernel exploit from my Firewall giving access to my entire machine. All I have to worry about are applications tricking me into giving root.


    Linux security isn't perfect. The defense against social engineering is "restrict the application" but that doesn't help if the user starts giving it loads of privileges. Repositories help as well, you can trust them and they'll keep things patched. Open source helps too, it's easier to trust a well known open source software and exploits will be caught faster.

    Windows is certainly gaining but in terms of access control it's way behind. The app store and smartscreen will really help close the gap. Nothing's going to make up for closed source though - nothing's going to prove beyond a shadow of a doubt that Windows doesn't have backdoors they aren't telling us about, or is just written in an awful insecure way. The only way to truly verify that is to have a community audit.
     
  8. wat0114

    wat0114 Guest

    You're probably right on a lot of those points, m00nbl00d. But as far as Linux becoming popular enough to be considered even barely mainstream, it's going to have to offer enough compelling reasons, besides ease of use, which has improved considerably with its recent "dumbed down" Gnome 3 GUI, to convert Windows and Mac users to switch, and until QA improves enough so that at least a few popular distros don't "break" unexpectedly and require above-average technical expertise to fix, it will never get off the ground, so its security benefits are rendered irrelevant anyway until this happens, and maybe that's not until He∟∟ freezes over.

    And what's wrong with the way AppLocker and SRP work in Windows? They perform their task perfectly well; allow approved apps and deny unapproved apps. What more do you need, other than locking down the browser, running as Standard user, as well as a few other available hardening options available in the O/S? Why do you feel the "fine tuning" of Linux is even required to keep your setup secure? You're overcomplicating your perceived requirements for computer security, I'm afraid.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    AppLocker is fine for a corporate environment, for users I don't like it but that's a separate conversation. You're right, it does what it aims to do.

    SRP is ok. Again, it does what it aims to do, restricts applications to the user area.

    Linux just does it better, more restrictions and more tools for the user to restrict further.

    If I were over-complicating my requirements for computer security we'd see a lot more servers using Windows 2008.

    It's fine that you feel secure enough on your computer. I feel secure enough on mine. Just understand that Linux is more secure, whether you think it's overdoing it or whatever isn't really the point.
     
  10. wat0114

    wat0114 Guest

    AppArmor is no doubt a great security tool in Linux, but judging from this thread do you really think it's suitable for anyone to configure but those with expert level understanding? It's far more daunting than either SRP or AppLocker, and the one contributor in that thread who knows the most about Linux believes it's overkill. I won't argue it's a great security tool, probably stronger than what Windows has to offer, but if something goes wrong because of a profile misconfiguration, best of luck fixing it.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    My questions are:

    Does the user have to necessarily download something from the repository? And, are the repositories mandatory for software developers to host their applications? If any of the parts of the chain break...

    If a software I need isn't hosted at a repository... and if it's not a mainstream application... Also, the application doesn't have to necessarily be open source. Not everything for Linux is open source. So, if the distribution itself, on its own doesn't offer such using the repository, then I'll have to handle it on my own. Also, as we discussed before, being an open source application on its own means nothing, if we're talking about an application that isn't well known and there's no community of knowledgeable people putting it through rigorous scrutiny.

    Again, provided the application is downloaded from a repository. I don't think it's mandatory for developers to put them there and users to get them from there. So, we could see this as a potential hole.

    What do you mean with that? :D

    Are you saying there are no kernel bugs in Linux that could allow a total compromise of the system? Is Linux immune to such? (See this as an honest question. :p)

    You did like the idea of Windows Store kill-switch, aka backdoor. :D So, you don't trust closed source that much, yet you're OK with a kill-switch, that could very well be exploited by the bad guys? o_O
     
    Last edited: Jan 3, 2012
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Windows definitely makes it easier in terms of AppArmor but there are plenty of simple commands. And loading profiles makes things much easier.

    https://wiki.ubuntu.com/AppArmor

    These are profiled sandboxes shipped with Ubuntu. No users necessary. No messy setup unless you're using something that isn't profiled in which case you can get the profile elsewhere.

    Sure, it could be considered overkill. After all, no one's looking to infect Linux users. But overkill or not it's still more secure. And if what you're looking for is security and nothing but security... use Linux.

    And as we see more applications moving towards sandbox approaches like IE and Chrome we're either going to see attackers start focusing on things that don't (Java) or kernel exploits.

    https://www.cr0.org/paper/to-jt-party-at-ring0.pdf
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    -edit-

    By the way, I'm not arguing - never was - about the benefits of open source, such as auditing. ;)

    But, even with such auditing, many bugs won't ever be found nor fixed by the good guys. Also, when fixing old buggy code, there's also a slight chance, even in open source, that the new code may introduce new bugs as well.

    It would actually be interesting to come to a point where Linux, and well-known applications for it, become mainstream for home users and see what would come out of it security-wise, considering they would now get full attention from hackers ready to steal bank credentials - among other attacks - from users. :D
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It is not an end-all be all solution. And it is certainly not a chain in which one application breaks all others. If I have 5 applications from the repository those are 5 applications that will be updated and patched without my interaction. If I have 5 others, I'll get those 5 others updated on my own. The weakness of my interaction has no bearing on how strong a software repository is.

    In terms of socially engineered malware, yeah, maybe I'll get it from some 3rd party site. But if everything I need/ want is already in the repository, great, crisis averted and at the very least it makes things easier.

    How is this a hole?

    I meant "does." If you have your users comfortable in the setting you provide they will have no need to mess around with things. If you provide a software repository that consists of everything your average user will need then your average users will be far more protected. The fact that the software repository does not somehow solve every security solution doesn't really mean anything, it makes a big difference.

    There definitely are. But the kernel, which is common to all distros, is looked at by everyone. It is heavily vetted and patches are made available sometimes within an hour of that exploit being found, ready to be rolled out by distros.

    This is where open source is really helpful. You just have more eyes on a product, fixing and exploiting and patching and rolling out the patches.

    Everything can be exploited by bad guys. I like Windows Update too but that's just as exploitable.

    It's a big benefit =p

    Definitely. This is an issue with code in general. It is incredibly difficult (impossible?) to understand the full implications of code on a significantly complex system therefore even patches can introduce vulnerabilities - this has happened before on Windows that I remember.

    The kernel gets plenty of attention. But yes, I'd be interested as well to see if the attacks change.
     
  15. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    My point exactly.
    The market share is of concern to those in sales and support and to shareholders. It doesn't concern me since I'm not earning income by selling/supporting PCs or selling/supporting proprietary software. I'm only concerned with lessening the chances of my being affected.

    Actually, even though it's a bit meaningless since it depends on honesty, it would be helpful to know whether posters who vigorously espouse this or that stand to benefit if people follow their advice. Such disclosures are standard practice in financial markets.

    Oh! And one more point... Even something that has a low market share can be superior. After all, doesn't Bing have a lower market share than Google? And isn't Bing superior? So why should I use Google just because it has a higher market share? How wrong is it to extend that analogy to the OS?

    BTW, this is an interesting thread. I wish someone would write something similar for Firefox and Chrome.
     
  16. wat0114

    wat0114 Guest

    My comment regarding market share was only to allude to the fact that hardly anyone is going to jump to Linux to take advantage of its security benefits.

    I can assure you I'm not benefitting in any way, shape or form, especially financially, with my constant use-what's-already-built-into-Windows trolling ;) :D

    I don't know about Bing vs Google. As for O/S' Windows has - from my experience - far better QA from its developers than Linux, but I do agree Linux is probably better than Windows in security, as well as in some other areas, but no matter which Distro I've tried, something significant is guaranteed to break and cause untold grief trying to fix it. Mint 11, however, was close to amazing in my brief trial, and then they had to take a step backwards and follow suit with Gnome 3 crap.

    Thank you :)
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I wish I benefited financially lmao my life would be a hell of a lot easier if I actually were on Google's payroll.

    Posting from Ubuntu :eek:
     
  18. guest

    guest Guest

    Alright vasa1, let me state this on a very clear way: I definitely don't earn anything from add-the-name-of-the-software-company-you-dislike-here.

    But you will simply have to take my word on this, lol.
     