Using Linux for the wrong reasons

Discussion in 'all things UNIX' started by Mrkvonic, Sep 19, 2009.

  1. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I rather think so, too. :D One of the reasons why I don't see a need for AV products on Linux, even for the newbie kind of user.

    Yes, it can't "install" itself system-wide, and cannot modify important system files. So, there's certainly limits to the damage that can be done, but any data the user can write to is a free target. In this respect, it's the same as in Windows in a limited user account - can't infect the system, but can mess with the user's data.

    True. Mandatory access control can do all sorts of things to mitigate exploits. "Problem" is, most people aren't doing it, because it's somewhat complex. And those most people then obviously don't benefit from it.

    Noscript seems to be popular with security-minded people, and it does work for what it's meant to do, but most Firefox users probably don't even know it exists. MAC is getting into the "this is too difficult" range, even to many people who have more experience with computers than the average user. ASLR, DEP, memory hardening in general should be pretty troublefree and turned on by default, and that does help a lot.

    In the end, though, it's rather clear that as long as we're talking default configurations, then neither Windows nor Linux is invulnerable against drive-by download style attacks. Of course, it's usually only Windows that anyone can be bothered to attack, since anyone who knows Linux exists tends to also know that people using Linux are on average far smarter about computers than the average Windows user is - and since it's always harder to attack the smart guy than the simpler guy, it's better to attack Windows. The lack of attacks in reality then creates the illusion that attacks are impossible even in theory, which is obviously not the case.

    But, I digress. I agree with the original poster's statement that drive-bys aren't an issue on any OS, if the user knows what they're doing (that is, keeps software updated, preferably uses something that isn't IE for browsing, and changes a couple of settings so stuff isn't opened automatically in widely exploited plugins (like Adobe Reader)).
     
    Last edited: Sep 21, 2009
  2. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    That's all fine and dandy in an imaginary utopia.

    But your statement of "I use normal browsers. And since I've never seen one, ipso facto, they do not exist. Use Firefox or Opera and drive-bys are something you see in the movies." leads one to the impression that you claim if you use a browser other than IE you are safe from drive-bys..and that's simply not true.

    Your statement of "normal browser" puts it outside the "windows vs *nix" debate. Also that statement doesn't imply running a browser in a sandbox...as "normal" would define a standard install.

    *The anti-virus may not know about this latest variant....in my case, NOD32, which is notorious for missing "PersonalAV" over the past year, didn't even put up a whimper. Fully updated.

    *I was using Firefox, updated, only add-ons being status bar and Ad-Block Plus. The fake scanner for PAV jumped right up on the screen of my system. Luckily I recognized it right away, since I've cleaned it on hundreds of systems, and I knew how to shut it down in milliseconds.

    *As is typical of many of the rogue/fakealerts/scarewares, they hijacked a totally legit website to inject their drive-by code installer. In my case it was one of the pages of the United Auto Workers main website.....not some adult-XXX/cracked/warez sites.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,

    Context: Windows vs. Linux, exactly, switching to Linux should not be prompted by malware. And yes using a browser other than IE makes you safe(r), especially the new users.

    I did not talk about sandboxie, I was talking about browser design - Firefox, Opera run sandboxed - no access to system files. IE runs free. It's changing with protected mode on Windows 7 and such ...

    Again, the fact you got a popup means nothing. It can be nothing more than a lovely, animated javascript. Seeing it is one thing. It doing something to your machine beyond flashing in front of your eyes and goading you into buying, clicking or whatever - is another.

    Mrk
     
  4. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That's not a drive-by download, though. Those fake scanners are just animated images and javascript. You can watch those fake scanners all day long without being infected with anything. The actual infection happens either by
    1) the fake scanner ultimately giving you a pop-up to install the rogue AV in order to clean all that imaginary malware from your system, at which point the user clicks on the pop-up, then gets a download dialog from the browser and then clicks run on that dialog to manually give the malware permission to download and execute to infect the system
    or
    2) the fake scanner attempting to exploit some remote code execution vulnerabilities in the browser and/or browser plugins to get the rogue AV downloaded and executed on the system without any user approval. The exploits of course won't work if you're using a browser and plugins where those vulnerabilities have been patched, or have disabled unpatched and vulnerable plugins like Adobe Reader's plugin for example. In this case, the exploit can do nothing, and no infection happens.

    Of these two, only #2 is a real drive-by download, whereas #1 is just plain old social engineering, which, by the way, works on any OS if the user is gullible enough. In my experience, rogue AVs tend to most often rely on #1, although #2 certainly happens as well.

    So, it doesn't really matter whether or not you see rogue AVs' fake scanners on any browser. The fake scanners themselves can't infect you. The infection happens either by fooling the user to approve the execution of the rogue AV, or by using an exploit to execute the rogue AV without user approval. The former is easily prevented by not being stupid, and the OS or software used doesn't matter at all. The latter is prevented by keeping the browser and plugins patched and the browser configured securely, or simply preventing the execution of untrusted files. There's many ways to achieve that on Windows, too, by the way. There's all kinds of software that denies execution of untrusted files, there's software restriction policies that you can use to do the same, Windows 7 has AppLocker, and so on. And if you wish, you can always just set file permissions so that the user by default has no execute permission on files created in browser cache folders, temp folders or if you want to go extreme, anywhere where the user can write.

    So, again: whether you use Windows or Linux, you shouldn't be getting infected with rogue AVs from drive-by downloads. The technology to prevent it is there. Of course, the users may not have the knowledge to use it. The lack of knowledge makes those social engineering attacks work, and then one might keep in mind that such users would also be vulnerable to these attacks in Linux, if someone wanted to attack them and made a rogue AV for Linux.
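
Added example, not part of any post in this thread: the point above about denying execution wherever the user can write has a Linux counterpart in the `noexec` mount option, which the thread itself does not mention and is assumed here. The sketch parses `/proc/mounts`-style text and reports which user-writable paths still permit direct execution; the mount table and the path list are constructed samples.

```python
import posixpath
import re

# Constructed sample in /proc/mounts format (not taken from a real system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /home/alice/My\\040Downloads vfat rw,noexec,nosuid 0 0
"""

# Constructed list of places a browser or a user typically writes to.
USER_WRITABLE = [
    "/tmp",
    "/dev/shm",
    "/var/tmp",
    "/home/alice/.cache/mozilla",
    "/home/alice/My Downloads/setup.bin",
]


def _unescape(field):
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return [(mountpoint, {options})] in the order the mounts were made."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # skip blank, truncated or comment lines
        mounts.append((_unescape(fields[1]), set(fields[3].split(","))))
    return mounts


def mount_for(path, mounts):
    """Find the mount that governs path: longest mountpoint on a component
    boundary; on a tie the later entry wins because it shadows the earlier."""
    path = posixpath.normpath(path)
    best = None
    for mountpoint, options in mounts:
        covers = (mountpoint == "/" or path == mountpoint
                  or path.startswith(mountpoint + "/"))
        if covers and (best is None or len(mountpoint) >= len(best[0])):
            best = (mountpoint, options)
    return best


def audit(paths, mounts_text=SAMPLE_MOUNTS):
    """Return [(path, governing mountpoint, exec_allowed)] for each path."""
    mounts = parse_mounts(mounts_text)
    report = []
    for path in paths:
        found = mount_for(path, mounts)
        if found is None:
            report.append((path, None, None))  # no mount table entry covers it
            continue
        mountpoint, options = found
        report.append((path, mountpoint, "noexec" not in options))
    return report


def exec_allowed_paths(paths, mounts_text=SAMPLE_MOUNTS):
    """User-writable paths from which a dropped binary could still be run."""
    return [p for p, _, allowed in audit(paths, mounts_text) if allowed]


if __name__ == "__main__":
    for path, mountpoint, allowed in audit(USER_WRITABLE):
        state = "EXEC ALLOWED" if allowed else "noexec"
        print(f"{state:12}  {path}  (mount: {mountpoint})")
```

On a live system, pass the contents of `/proc/mounts` as `mounts_text`. `noexec` only blocks direct execution of files on that mount; a script handed to an interpreter that lives elsewhere still runs.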
     
  5. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    This is an interesting article but I'm afraid the result is quite predictable. Instead of being taken as a serious attempt to inform people who are considering switching to Linux, it will be just another excuse to once more start the mantra of "Windows is just as safe as Linux." What a crock!
     
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I don't quite see the "Windows is just as safe as Linux" mantra being uttered in this thread. Well, except by you, but you obviously didn't mean it, so that doesn't count.

    Windows is not as "safe" as Linux. Obviously. The differences in default configuration (mostly stupid in Windows, smarter in Linux) are one factor that makes Linux safer out of the box. Another very significant factor is that Windows is in most home computers, being used by people who don't understand computers, while Linux isn't. But, none of that means that you can't be "safe" in Windows, or that you can't get owned in Linux.

    So, instead of boring OS wars full of misinformation and flames, it might be more productive and reasonable for people to just concentrate on the facts, and educating the kind of user who doesn't know them.
     
  7. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    But that's the problem. The "facts" are either so open to interpretation or so technically beyond the comprehension of the average user, that they can be totally misleading. They wind up amounting to FUD.

    I know that there are very sincere people who want to make sure that users, both Linux and Windows, have the knowledge to make their computing experience both safe and enjoyable. I also know that there are posters whose only purpose is to obfuscate the issue. The only time you see them post in this forum is when the security issue comes up or when they can complain about something they perceive as a Linux failure.

    IMHO, this forum is not the place to discuss Windows security issues at all. Even Linux security issues should be held to the bare essentials here. And the aim should be to reassure people that, with just basic precautions, their chances of suffering damage from malware are very, very remote.

    That's why I think this whole thread should have been in the Windows forum and not here. After all, the article was aimed at Windows users thinking about switching. Not people who are already using Linux.
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I strongly disagree with that. For example, the fact that remote code execution vulnerabilities exist in Linux software as well, and these could be used to create real drive-by download attacks, certainly is not open to interpretation. As another example, it is in no way open to interpretation that the average Linux distro defaults to wisely not giving users root privileges, while Windows has done much less wisely and made users admin by default, and now attempted to somewhat bandaid that with UAC. It's also not open to interpretation that there is tons of Windows malware out there, infecting loads of average users every day, but only a fraction of that amount of malware exists for Linux and doesn't present a major problem to average Linux users.

    The stuff that is actually open to interpretation is the kind of stuff that isn't needed in the making of logical conclusions of the security situation of various operating systems. Sure, it's open to interpretation and further research how much malware would exist for Linux if Linux had 90 % desktop market share and hundreds of millions of uneducated users running it. On the other hand, if you understand the technology and motivations involved, it is an obvious fact that there would be far more Linux malware than there is now, even though it's impossible to accurately estimate the amount. So, you really don't need to know any accurate numbers of an imaginary future scenario to understand what the current threats are and what is technically possible to do.

    Technical discussion does not mystically turn into FUD just because someone reading it doesn't understand it. FUD would be someone claiming that there's just as much Linux malware out there as there is Windows malware - that's an outright lie, and certainly falls in the FUD definition. But if someone states that a certain kind of attack is completely possible technically in Linux, I really don't see how that's FUD. Unless, of course, it's a lie, or claims that such attacks are done more often than can be reasonably proven. Otherwise, it's just technical discussion of the feasibility of some attack against some system, which is important when trying to evaluate the security of the system as compared to some other system.

    Unfortunately for all security discussions, some users are extremely sensitive to anything said about their choice of OS that is not radiantly positive, regardless of how truthful the statement is, and will erupt in rage and vague allegations of dishonesty and bias at the first sign of someone saying something negative but true of "their" OS. For example, if someone dares to imply that Linux is a secure OS in a forum ruled by Windows fanatics, the Windows fanatics will loudly proclaim something like "but no-one should trust Linux since any evil hacker could create backdoors and stuff in the Linux code since it's open source!!!11!" and completely ignore any truthful argument presented that supports the idea that Linux is a secure OS. It is exactly these hypersensitive users that make security discussions very difficult, along with other problematic types of user like those who think they know what they're talking about but actually don't, the paranoid conspiracy theorists who genuinely see malice in absolutely everything from Firefox checking for updates to some web email service giving them a cookie, and of course the trolls who intentionally say stupid things to annoy people and disrupt discussion. If people could be less emotional about software, that would help discussion a lot. But it's foolish of me to hope that would actually happen.

    While I know there are people who are out to flame another OS or piece of software just for the purpose of flaming and having an agenda, those people are a rather poor reason to forbid critical discussion entirely. And if someone only posts about security issues in some forum concerning some OS, there may be another explanation beyond desire to obfuscate things and flame the OS. The explanation could be that these people are only interested in discussing security issues, instead of other or all software issues, especially if the forum they're posting in is called "(some name) Security Forums." Calmly stating a fact is quite different from mindless complaining. And only discussing things that interest you is quite different from intending to obfuscate things.

    I would find it odd if the All Things Unix subforum did not discuss security issues, considering this is Wilders Security Forums and the subforum is called All Things Unix, not All Things Unix Except Security. :D

    I would leave it to the admins and the mods to decide what the aim of discussion should be: whether it should be general security discussion from simple to complex, or just preaching to newbies that a couple of security precautions will protect them well and no further discussion is worth anything. On that note, I'd say it would be ridiculous if every discussion had to be newbie friendly, as with some disclaimer attached to every post that concerns security that reminds readers that "There is very little malware for (some OS) and it's easy to protect against it by doing (some things)." So, whenever someone posts about a privilege escalation vulnerability, they would add in their post "But this doesn't really happen often at all, and it's going to be patched soon anyway, so we're all safe and everything is just perfect in the world." :D I'm perfectly content in the fact that if someone thinks the discussion should be more newbie friendly, they can come in and post a newbie friendly summary of the discussion, and I'm thinking many others share that opinion with me. In this thread, for example, a nice summary would be: "If you use your head, you can be secure in any OS. Still, some operating systems are attacked far more often than others and Windows is currently target number 1 for the bad guys. But if you want to do stupid things, then no matter what OS you use, eventually you may end up owned - even though it's less likely when you're not running the most attacked OS."

    If anything, many people in this thread (like, say, the original poster, or me) have repeatedly stated that it's easily possible to be reasonably secure in any OS with the use of brains, even in spite of all the attacks that are technically possible. If that's considered FUD, then we're in a pretty bad place where everything except "there are no problems in the world and can never be" is already getting close to FUD and stating that some OS has some issue would already be obvious FUD... In short, the definition of FUD would be completely illogical.

    But for this thread, I think it's natural that a Windows user looking to move to Linux would look in this forum for threads like this, instead of going through the Windows subforums where there are zillions of threads that don't refer to Linux at all.

    Yes, long post.
     
  9. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    It isn't? Give one, just one, verifiable example of this having actually occurred on someone's desktop computer. I've heard lots of scary stories about what could happen, IOW is technically feasible, but I don't know of any recent examples of it having happened on someone's desktop computer.

    I constantly have people bringing me their computers to have malware removed. Not a single one of them was running Linux. And every tech I talk to in person or in ANY forum, says the same thing. So, if it isn't happening, why, if not to spread FUD, bother discussing it?

    The proof is in the pudding. Any time "security" comes up in this forum, the post count skyrockets. And yet not ONE, I repeat, NOT A SINGLE ONE, gives an example of a current, verifiable, exploit. Again, if it isn't happening, why all the posts?
     
  10. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    No, it isn't. Has someone in this thread said that it has happened, and is happening? I myself certainly have not. So, if we're going to be rational, we are going to have to understand the difference between "technically possible" and "done all the time / in the wild." I haven't seen anyone get infected by a drive-by download attack on Linux, no. On the other hand, I know that creating such an attack is possible. Therefore, it isn't open to interpretation. Unless by that we mean "open to semantic debate that can freely ignore technical facts concerning the feasibility of the attack."

    Before 9/11, many people believed a major (thousands of deaths) terrorist attack against an American city was so difficult to pull off it was practically impossible, and they believed this simply because it had never been done before. They believed this even when the facts and many experts suggested it was actually very possible. Now, people seem to believe differently for some reason. And yes, I know people who believed it was impossible. None of them believe that anymore.

    Why discuss it? That is an extremely silly question to ask in a security forum! Perhaps because it's important and relevant to the topic of security that we are discussing on a security forum? That's my reason, anyway.

    For example, if in some thread, someone claims that drive-by downloads cannot happen on Linux and can only be done on the "hopelessly insecure and just poorly designed Windows OS", what am I supposed to do? Lie, and say that they're correct, and drive-by attacks are fully impossible on Linux? I can't do that, as I don't feel like being a liar. The only option I can accept is saying that the attack is in fact technically feasible, and could be done if someone wanted to do it, but currently it's not happening because no-one skilled enough is interested enough to do it. That isn't FUD. It's just how things are. Then I'll probably say that even though it's possible, there's no reason for anyone to panic: common sense and certain security measures make you very near immune to such attacks, whether you're running Linux, OS X, or Windows for all I care.

    You see, I don't like to give people a false sense of security. I recommend non-superuser accounts, for example, but I don't go around claiming that they solve all malware problems, and in fact I often state that there are various rather nasty things that a malware could do even in a non-superuser account so therefore it's better to just not execute malware, in any account. I use and like Linux, too. But I don't go around claiming that it's immune to this and that, if it's really not. I can say that it's practically never attacked in this way or that when that is true, but I won't say something I know is wrong. As has been said: there are many good reasons to use Linux rather than Windows. So many, that there is no reason to make up false reasons, like Linux being somehow technically immune to certain malware that it really is not immune to. For example, some people regularly claim that viruses (and by this they mean the kind of malware that really infects other files and spreads thus, that is, real viruses) are impossible in Linux and OS X. I've "debated" with such people, and they're completely utterly 100 % resistant to facts. And they are doing a disservice to their own cause by spreading wrong information.

    Linux is great. Linux is secure. Linux is free! You can do anything you like to it, you can remove all GUI stuff, or you can go fancy 3d with effects if you want. That is great. There is SELinux, there is AppArmor, there's a lot of ways to enhance security to ridiculously high proportions in Linux. So, why would anyone need or want to give the false impression that some attacks that are in fact completely possible on Linux are impossible just because they're not used in the wild currently? Where does this desire for misinformation instead of facts come?

    If you want to impress people with the security of Linux, say things that are true. Like: "In Linux, users aren't automatically handed all-powerful privileges so that any user or malware can destroy the entire OS." Or: "In Linux, updating software to patch vulnerabilities is quick and easy thanks to package management." And yes, we can say: "There is very little malware for Linux out there. When you get a malware email, the executable it contains or links to is extremely likely to be a Windows malware that can't infect your Linux system at all. You don't even need an anti-virus product on Linux, unless you're either fantastically unlucky or fantastically foolish, or trying to filter Windows malware from emails or other data going to Windows systems." That sounds pretty impressive to me. There's no need for the false statements like: "Drive-by downloads are absolutely impossible on Linux, they're a Windows-only problem."

    Because, just because it's not happening doesn't mean it's impossible. Further, if people know something nasty is possible, they can take precautions to make it even less likely that it will ever happen. I know I'm a pretty decent driver, but I also know I might get unlucky and die in a car crash just like anyone else. Therefore, I take precautions, like wearing a seatbelt and not driving too fast.

    Denial is the big problem. You can't fight something that you refuse to believe exists. For me, personally, it's annoying to always read the same false claims over and over again. For example, the claim that OS X or Linux just can't get infected by anything because it's secure by design. Yes, that is a stupid claim, but some people actually believe in it and repeat it, even when the facts prove they're completely and utterly wrong. There are other claims that are much less obviously wrong, but still in fact wrong. If no-one challenges them, then misinformation begins to be taken as fact, especially by the newbies. If we're going to seriously attempt to advance the state of security in the computer world, we must deal in facts, not misinformation, even if the misinformation is the kind we really like, because it suggests our favorite thing is fantastically good.
     
  11. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    I understand the difference quite well. I just feel that discussing the latter does more damage than good. In fact, quite a lot more damage. You obviously disagree. I guess we'll just have to leave it at that.
     
  12. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I could agree that it can do damage, depending on how it's discussed. And of course almost anything can lead to misunderstanding if the reader is careless or does not know much of the subject - or the writer makes a poor choice of words. But I think that's an inherent quality in discussion, and is not practical to avoid without stopping discussion entirely. Of course, we could only ever discuss current threats, but I think it's also important to understand what is possible, even if it is not done yet - this helps preparing for future issues. For example, if coders back in the old days had been able to anticipate that one day most everyone would be on the internet, where "trust everything by default" is a very bad idea, they would have made some very different design choices. But they focused on the current situation, where current threats were very different from what is around now, and that resulted in some problems that could perhaps have been avoided by thinking more about the future, instead of only concentrating on the present. But, I digress - we can surely agree to disagree, and I'll certainly agree to shut up, too, if our moderators require it. :)
     
  13. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    :eek: :ninja:
     
  14. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    I'm not asking that anyone "shut up." And I heartily endorse the idea that Linux users discuss future threats. All I'm saying is that, in a forum like this, where "newbies" are asking silly questions like "what AV should I use with Ubuntu on my home computer?" that we be VERY careful to couch the discussion in the proper terms.

    I feel that the emphasis should be placed on the fact that, for the typical home user, Linux is safe OOTB and that discussions of how to "lock down Windows" are not appropriate here.

    Personally, I feel that avoidance of malware is a perfectly legitimate reason to switch to Linux. But even discussing that here just opens up Pandora's Box and gives the opposition the opportunity to spread FUD.
     
  15. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Add Chrome/Chromium to that list as well. Actually Chrome runs in a true sandbox by default, unlike FF.
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    OK ... but Chrome is not yet mature enough ... so I ain't got much experience with it. Once it gets ready for Linux, I'll give it some more testing ...
    Mrk
     
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    This is something I have thought about a lot lately and I still fail to see how messing with a user's /home directory is very beneficial to cyber fraudsters (the ones who write the sophisticated malware for profit). You can't install a keylogger without access to system files, so that's a no go. You can't steal Firefox passwords since they are encrypted. About the only thing one could do is create nuisance malware -- a simple script that does something like rm -rf /home. But seeing how easy it is to write such a script, it is apparent no one really cares to do it (or else it would have been done a million times). So what else is there?


    Typically I would agree this is true, but some Linux distros are enabling SELinux by default. Fedora is a good example. The user doesn't have to do anything -- the Fedora devs keep the policies updated in case something breaks with an update, etc.

    To change the subject a bit, I came across a security blog where the author recommended a LUA in Windows XP for security. The funny thing is he said "LUA's are controversial and many experts do not recommend them." I lol'ed. It's amazing that anyone could call themselves a security expert and *not* recommend a LUA.
     
  18. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Whether any question by "newbies" can be described by an individual as silly is of no importance to this forum or any other forum here at Wilders. All questions are permissible by whomever and we can only hope members willing to assist with "silly questions" would respect a member asking a question regardless of one's own personal characterization of said question. This is not a closed social club but a place for members to ask any question in this forum related to Linux as long as it adheres to our TOS.

    Agree and will be and\or have been moved to a more appropriate forum.

    Pandora's box can be a healthy thing and as it is with the Eset forum here, adding the name of another AV into a discussion is sometimes unavoidable and\or appropriate.
     
  19. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    Of course anyone has the right to ask the question and I, for one, wouldn't imply the person asking the question was silly. Newbies ask silly questions all the time. That in no way implies that the person is silly.

    That doesn't detract from the point that the question shows that some people reading the forum can easily be misled into thinking that their systems are in imminent danger when they are not.

    Somehow you seem to be reading malice into my post when none is intended. My animosity is reserved for those that intentionally use this, or any other forum, to spread FUD. Not those who are genuinely concerned with security and think discussing it helps the process.
     
    Last edited: Sep 22, 2009
  20. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Generally, I try to choose what I say based on what's discussed in the thread, instead of making every post an assuring declaration of the fine state of security in Unixland. If someone asks for the best Linux AV, I'm likely to reply that there is no best AV, and you don't need an AV on Linux anyway, even if you're just regular Joe User, because there is very little malware for Linux out there now. If someone asks simply whether they need an AV on Linux, I'll reply "no." When the topic is like this, I'll happily emphasize that Linux is pretty secure out of the box, and AVs aren't needed. Now, on the other hand, if someone asks something like "are viruses impossible on Linux?" or claims that "malware can't do anything in Linux anyway because it hasn't got root", then there's no reason for me to start preaching about how secure Linux is out of the box compared to some other operating systems. Instead of that, I'll just answer the question, like so: "No, viruses are not impossible, and in fact malware can do nasty things even without root privileges." Personally, I think that's more useful than ignoring such questions or giving incorrect answers to them. Of course, one can freely disagree with me on that. But, sure: if the topic is "recommendations for the newbie user" or something similar in content, I'll keep the technically possible stuff out of it and just say that right now, there's no need for bloated AVs and stuff if you run Linux, and there isn't anything to worry about in terms of malware.

    But, again, I fail to see the FUD that has been spread in this thread, for example. In general, sure, I've seen lots of FUD in security discussions. And then I've also often seen ardent fans of some software or another raise the FUD card just because someone says something about their fave software that they don't like, even if it's absolutely 100 % true. So, my personal policy is saving the FUD card for statements that are untrue. If someone wants to emphasize different things than I do, that's fine by me - I won't call their words FUD or misleading into a false sense of security or anything of this sort, as long as what they're saying is true and can be proven to be so. But then, I've not been blamed for being subtle.

    As far as reasons to switch to Linux are concerned, I'd rather have people switch to Linux because Linux is good, instead of switching to it because something else sucks. I certainly won't complain if someone wants to switch to Linux to avoid Windows malware - that'll work, obviously. But I think there are many better reasons to switch to Linux, and I also think Linux isn't a free pass to be foolish and act carelessly. Because things like phishing still work perfectly well no matter what OS you're using, if you're careless. Linux or Windows, if you're the kind of user who's going to believe a "convincing" looking email full of grammatical errors that asks you to click on this link to login to your online bank for some half-credible reason, you are going to be in trouble. So, I find educating users of what kind of attacks can be done and how to protect yourself from them to be more important than evangelizing about the safety of any software, even the kind of software that I really like.

    In general, I prefer truth and fact. In OS and security discussions, often the Windows fans spout false statements about Linux and Linux fans hurl back claims almost as ridiculous about Windows, and neither side listens to those who actually have a realistic understanding of both systems and are just trying to dispel myths and correct false statements. The really fun part is of course the part where the fans of both systems join forces to attack those who try to inject facts into the mudslinging. It's not just a couple of times that I've been called a "paid M$ shill" and "blind Linux/OSS zealot" in the same discussion! :D

    Well, there's a whole lot the malware could do. Just as the most obvious example, an attacker can not only delete files in the home directory, but also steal them - that is to say, upload, if they want. I'd wager that there are many people out there who have unencrypted files in their home directories that they wouldn't want to surrender to some bad guy's hands. Of course, if the malware is stupid or there are very tight firewall rules, this may be prevented. But if we assume a newbie user who moved to Linux because Windows has cooties, the result is likely to be "owned."

    And Firefox passwords? There are loads of Firefox users out there who do not have a master password set or have a very poor master password, which means there's either no encryption worth anything protecting the passwords or that the password is easily cracked and the saved passwords easy to steal if a malware can execute in the account. Actually, as far as I know, Firefox by default does not require the use of a master password, which means the saved passwords are easy to steal - unless one is the kind of script kiddie that is fooled by any simple obfuscation trick.

    Once you have the malware running in the account, you could also start tossing pop-ups with links to evil websites, for example, claiming that the system is infected with rootkits and you need to spend only $19 to buy SystemSafe AV 2010 for Linux to clean the rootkits away for good. IOW, rogue AVs would work perfectly well, and those are fraudster favorites right now. Of course, they'd only work on a foolish user, but that's who we're talking about here, aren't we, since a non-foolish user won't have these problems on any OS. That's the same as with the Firefox passwords: smart users will have strong master passwords, but less smart users will have no master password.

    Previously, I mentioned spam bots and some DDoS bots. Those would work without root privileges just as well as Mozilla Thunderbird does. And certainly would be useful to malicious people.

    So, there is definitely a lot more a malware executed without root privileges could do than just delete some data. And you don't have to believe me. You can try all of it for yourself and see, for example, what can be done with Firefox saved passwords when no master password is set, or the master password is weak. But I think that's enough OT from me. :D

    But I don't like Fedora. :D But on a more serious note, yes, certainly, MAC can be doable for even the newbie if someone else sets it up for them. Otherwise, the answer is usually no in my experience.

    My thoughts exactly! Least privilege should be one of the very first considerations in any security policy. I'm thinking the experts that don't recommend LUA are more concerned about compatibility with poorly made DOS-age apps than security, or perhaps they're going for extreme simplicity of use (admins don't have to enter passwords in order to do things like install software, and maybe the experts assume the users are not bright enough for things like entering passwords :( )
     
  21. AaLF

    AaLF Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    986
    Location:
    Sydney

    As per above quote.........

    I'm a user of XP, Adobe CS4 and MS Office. Application wise is it worthwhile changing horses to Ubuntu? I hear voices whispering...... "oooooobuuuuuuuuuntooooooooo"

    But haven't paid attention. So as per above quote, what would be factors calling for change??
     
  22. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    In your case it isn't worth changing imo.
     
  23. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Unfortunately Adobe products will not work in Linux (some might work in WINE). The same goes for Office. However, many people find OpenOffice an acceptable alternative and many people find GIMP good enough to replace Photoshop.

    Bottom line: if you must use Adobe or MS products, it is best to stick with MS. However, it wouldn't hurt to download a Linux distro and try it either from a LiveCD environment or from a VM.
     
  24. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    At the moment there is no reason for you to "switch." But staying with XP or "switching" to Ubuntu are NOT your only options. The vast majority of people who use Linux have not "switched" but are using both Linux and Windows. (They just aren't paying for MS's "latest and greatest.")

    At the moment, XP is doing what you paid to have it do. But it won't continue doing it forever. Eventually you are either going to have to pay more or find a free alternative. I would advise someone in your position to get the free VirtualBox software and use it to try Ubuntu and other Linux distros and to start learning what open source applications can take the place of ones you are now paying to use.

    At the present time, only about 2% of users are using Linux and yet there is a free alternative to almost every application and the list is growing daily. As the user base grows, so will the applications.

    I, for one, am very glad to have an alternative to constantly paying more and more money to MS and its cohorts.
     