Gizmos Freeware Reviews  

Go Back   Gizmo's Freeware Forum > Freeware Forum > Linux

Reply
 
Thread Tools Display Modes
Old 19. Jan 2014, 04:14 PM   #11 (permalink)
Senior Member
 
Cthulhux's Avatar
 
Join Date: Aug 2013
Posts: 271
Default

Quote:
Originally Posted by MidnightCowboy View Post
Please explain how anything listed here will fill my Linux desktop with ransomware, steal my data or empty my bank account?[/url]
Welcome to the 21st century:
https://blogs.rsa.com/thieves-reachi...nux-inth3wild/

"Windows bugs" don't steal data or money either, it's always malware.

Quote:
Originally Posted by MidnightCowboy
Ubuntu and other Linux systems include security functions by default that are designed to save users from themselves.
So does Windows, with the exception of not having 23 years old security holes...
__________________
Hi. I'm new here.
Cthulhux is offline   Reply With Quote
Old 19. Jan 2014, 06:00 PM   #12 (permalink)
Site Manager
 
MidnightCowboy's Avatar
 
Join Date: Aug 2008
Location: South American Banana Republic, third bunch from the left
Posts: 15,274
Default

You know, I was really hoping for a discussion here but all we're getting is the same old rhetoric but no evidence. Where are links to the reports that folks running Linux desktops have had their data stolen, been held to ransom or their bank emptied by Linux malware?

The Hand Of Thief Trojan thing has already been done to death but no one yet has been in the slightest bit inconvenienced by it.

http://threatpost.com/hand-of-thief-...imetime/102159
__________________
Buy a Hoover and prove technology sucks.
MidnightCowboy is online now   Reply With Quote
Old 19. Jan 2014, 11:08 PM   #13 (permalink)
Senior Member
 
Join Date: May 2010
Posts: 555
Default

The thing with software is that no-one ever knows how many bugs there are in it.

All that can be stated for sure is how many have been found.

When I did a study on testing many years ago, I deliberately seeded software with known (to me) bugs and then got various groups to test and find as many bugs as they could.

The percentage of the known bugs that they found along side the others gives a fair indication of how many unknown bugs there are remaining in the software.
Burn-IT is offline   Reply With Quote
Old 20. Jan 2014, 05:25 PM   #14 (permalink)
Senior Member
 
Cthulhux's Avatar
 
Join Date: Aug 2013
Posts: 271
Default

Quote:
Originally Posted by MidnightCowboy View Post
You know, I was really hoping for a discussion here but all we're getting is the same old rhetoric but no evidence.
"Linux is safe! Especially Ubuntu is! Windows is not!" (tm)

Yes, indeed.
__________________
Hi. I'm new here.
Cthulhux is offline   Reply With Quote
Old 22. Jan 2014, 07:33 PM   #15 (permalink)
Senior Member
 
sicknero's Avatar
 
Join Date: Mar 2012
Location: England
Posts: 657
Default

Some interesting comments and some ways of looking at it that hadn't really occured to me before.

It seems to me that in discussing the security of various O/Ss there are perhaps two aspects ... that of protecting the O/S from the user - the "human factor" and "saving users from themselves" - and that of how attack-proof an O/S is even in the most competent of hands.

As regards the first, I've never spent much time on Linux or Mac so I've no idea how intrusive or not they are about preventing users from harming their own systems.

Windows UAC has been pretty unpopular from the outset so while I personally think it's bad practise I can empathise to an extent with people who want to run a UAC-disabled system. I think a large part of the problem there is that Windows out-of-the-box has no easy means of whitelisting applications so if something requires UAC permissions then they have to be granted every single time you run the software in question.

While this isn't too much of a pain for, say, occasionally used software like registry editors and system tweakers it is a real pain if you want to autorun a program that needs UAC permission every time.

Likewise running a separate account with reduced priveliges for day-to-day use is good practise in my view but then it means I have to log into my admin account if I want to, for instance, enable or disable a system driver.

Personally I think it's well worth it for the extra peace of mind re; security but I can understand why some people prefer to take the risk of a more vulnerable O/S in the name of convenience. UAC and limited accounts are a great idea but arguably poorly implemented ... but then, I think MS are in a postition of trying to please two types of user with the result that neither group is particularly happy with the outcome.

I think in the case of Windows it's a trade-off between user power and user vulnerability. One of the things I really like about Windows is that you can do pretty much anything you like with it and really get stuck into the innards of it but, naturally this makes the system potentially a lot more vulnerable. So you either tolerate the annoyances of a self-policing O/S most of the time, or you disable the self-policing and run the inevitable risks.

Conversely I think this makes for fairly secure practise in the case of system admins who can set up systems for others to use and then be fairly certain that those users are less likely to be able to damage or weaken those systems.

Of course Windows users also have the option to employ various devices such as Sandboxie but I think that some of those most at risk - i.e. people who don't know and don't want to know how their O/S works - are at the same time the least likely to use such options. In the same way that anyone who needs to ask how to disable UAC is probably someone who really shouldn't be doing so.

I've tried in vain to interest family members in basic practises like sandboxing and drive imaging but I can see eyes glaze over as soon as the topic comes up : )

The shame is that practises such as these aren't at all difficult to use but I think they get tarred as "IT" and as such are negatively framed as something impenetrably advanced and complex.

I'm curious to hear from Linux and Mac users about how these O/Ss handle things ... is there any equivalent to Windows UAC and limited User Accounts? If so are they intrusive and annoying? If not, what happens if/when you do want to delve into the innards of your O/S? Are you even able to do so?

For instance, a simple thing like adding custom items to my context menu presents me with choices. Either I leave things the way they are and learn to work around whatever it was I wanted, or I download some third-party software to do it for me with the concurrent risks, or I learn how to open the registry and do it myself which of course requires that I'm able to open the registry in the first place as well as being prepared to jump through all the relevant security hoops required by UAC and limited accounts.



Concerning the second aspect, that of security in the hands of competent and careful users, i.e. deliberate targetted attacks against hardened systems ...

I can appreciate the point about why Unix might perhaps be inherently more secure but I think I still stand by my view that until it becomes the default choice of institutions like banks and governments then it hasn't really been put to the test. As Burn-It says, bugs can go unnoticed for a long time if they're never triggered.

I see that these topics still raise temperatures : ) Personally I have no axe to grind either way and am pretty unknowledgeable as regards my second aspect of O/S security. I can see and have read arguments on both sides of that one and of course many articles on the topic do have an agenda one way or the other.
sicknero is offline   Reply With Quote
Old 22. Jan 2014, 08:07 PM   #16 (permalink)
Site Manager
 
MidnightCowboy's Avatar
 
Join Date: Aug 2008
Location: South American Banana Republic, third bunch from the left
Posts: 15,274
Default

Quote:
Originally Posted by sicknero View Post

I'm curious to hear from Linux and Mac users about how these O/Ss handle things ... is there any equivalent to Windows UAC and limited User Accounts? If so are they intrusive and annoying? If not, what happens if/when you do want to delve into the innards of your O/S? Are you even able to do so?
Linux by default runs as a limited account and users need to provide their password for functions outside of this scope. Some systems require two passwords, one user, one "root".

Additional security is included by default in many distros including SELinux, and in the case of Ubuntu AppArmor.

http://selinuxproject.org/page/Main_Page
https://wiki.ubuntu.com/AppArmor

One of the best security features of Linux is that all the software in their repositories is checked and certified. Of course users can install programs from outside the official repos and open themselves to risk. Third party repositories though are pretty well monitored by the community and anything amiss would soon be flagged. There have been just a few instances where official repos have had code compromised, so nothing is infallible.

http://security.stackexchange.com/qu...ries-is-hacked

Many businesses of course already run on Linux including most of the government and military establishment.

http://en.wikipedia.org/wiki/List_of_Linux_adopters

PCWorld published an article a while ago offering a few reasons (including security) why, in their opinion, Windows users should swap.

http://www.pcworld.com/article/20173...use_linux.html

Everything in Linux is configurable down to the tiniest detail. Many of these possibilities have already been documented and details are shared in the various forums.
__________________
Buy a Hoover and prove technology sucks.
MidnightCowboy is online now   Reply With Quote
Old 22. Jan 2014, 08:17 PM   #17 (permalink)
Senior Member
 
Cthulhux's Avatar
 
Join Date: Aug 2013
Posts: 271
Default

Quote:
Originally Posted by MidnightCowboy View Post
Linux by default runs as a limited account
Depends on the distribution. (Some don't even feature a root account anymore, others don't require separate user accounts.)

Quote:
Originally Posted by MidnightCowboy View Post
Additional security is included by default in many distros including SELinux
Made by NSA.

Quote:
Originally Posted by MidnightCowboy View Post
One of the best security features of Linux is that all the software in their repositories is checked and certified.
"Checked", but not for security holes. By the way, a good hack won't be recognized anytime soon.

And certified, oh well; certificates don't improve anything.

Quote:
Originally Posted by MidnightCowboy View Post
PCWorld published an article a while ago offering a few reasons (including security) why, in their opinion, Windows users should swap.

http://www.pcworld.com/article/20173...use_linux.html
Based on lies, mainly. I guess you know what to think of such.

Small remarks:

2. Mono is reportedly incomplete and unstable and will never reach .NET's progress.

3. "Rebooting after every patch, service pack, or driver change", uhm, if you change kernel drivers, Linux needs a reboot too. Also, I'm not sure if Windows has bad uptimes automatically. (And how is Linux related to Unix uptimes?!)

4. "Linux code maintainers keep Linux systems very secure", compared to Windows 98 maybe. But we already discussed this.

5. is very funny, as it basically says "Linux tries to be like Unix" - hey, why not use Unix then? I'd agree! (And I can control my Windows by keyboard, sorry to disappoint you.)

7. "Linux is free"? Wrong again.

A bit poor, that list.
__________________
Hi. I'm new here.
Cthulhux is offline   Reply With Quote
Old 22. Jan 2014, 08:39 PM   #18 (permalink)
Senior Edtor
 
v.laurie's Avatar
 
Join Date: Jul 2010
Posts: 1,380
Default

Quote:
Originally Posted by sicknero View Post



Concerning the second aspect, that of security in the hands of competent and careful users, i.e. deliberate targetted attacks against hardened systems ...

I can appreciate the point about why Unix might perhaps be inherently more secure but I think I still stand by my view that until it becomes the default choice of institutions like banks and governments then it hasn't really been put to the test. As Burn-It says, bugs can go unnoticed for a long time if they're never triggered.
But, Unix related systems are the choice of many banks and institutions and have been for years. Linux servers are used everywhere by business, government, major ISPs, you name it.. Google uses Linux in its search farms. Almost all mobile platforms use Unix related systems. Why this persistent notion that hackers haven't had ample reason and opportunity to test all sorts of Linux and other related systems?
__________________
Vic
v.laurie is offline   Reply With Quote
Old 22. Jan 2014, 09:04 PM   #19 (permalink)
Senior Member
 
sicknero's Avatar
 
Join Date: Mar 2012
Location: England
Posts: 657
Default

^ Yes, I'm afraid I'm guilty of accepting views without checking them out for myself ... MC's link to Wiki makes very interesting reading, I had no idea it was so widely adopted.

I went to check what O/S it was that Gary McKinnon hacked into (he being somewhat famous in the UK for it) - it was Windows but I remembered that he was only able to penetrate because of poor practise rather than actual vulnerabilities in the O/S.

"One of the best security features of Linux is that all the software in their repositories is checked and certified. Of course users can install programs from outside the official repos and open themselves to risk."

This isn't so disimilar to Windows where freeware sites have good or bad reputations and software can be certificated. I suppose one of the main differences is that there are no "official repositories" as such and that the availabilty of third-party Windows progs is much wider and so more open to abuse but this too comes down to user vulnerability rather than O/S I think.

Interesting stuff and food for thought.
sicknero is offline   Reply With Quote
Old 23. Jan 2014, 02:01 PM   #20 (permalink)
Senior Member
 
Join Date: May 2010
Posts: 555
Default

I autorun a program on startup that requires UAC in Windows. It is easy to do it using the task scheduler.

It is a program that automatically backs up the registry on the first start of a new date. That useful tool that used to be in the early versions of Windows but got dropped in later versions.

see http://www.larshederer.homepage.t-online.de/erunt/

Last edited by Burn-IT; 23. Jan 2014 at 02:13 PM.
Burn-IT is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT +1. The time now is 12:36 PM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2020, vBulletin Solutions, Inc.