Is Linux Secure or Vulnerable?

caf4926

Re: Is Linux Secure or Vulnerable?

Post by caf4926 »

@JohnBobSmith
Quite true

I just wish one of the scammers would call me.
Some people have all the fun
Linux Mint 21.1 Cinnamon
wywer

Re: Is Linux Secure or Vulnerable?

Post by wywer »

Dear JohnBobSmith,
Though you mentioned that you are no security guru, you are miles better than a busload full of them. Your post is a "SINGULAR" lesson in its precision, common sense, user related threats and I salute your aptitude in picking up the one single security addon that really counts - NoScript Suite! Linus and I are friends because we agree to disagree! A peach of a post by you, JohnBobSmith! Have a great 2015 and peace!
warm regards--Wywerjet signing off (12/31/2014) :arrow: 2015
JohnBobSmith

Re: Is Linux Secure or Vulnerable?

Post by JohnBobSmith »

caf4926 wrote:@JohnBobSmith
...
I just wish one of the scammers would call me.
Some people have all the fun
Yeah, I wish they'd call me too. I might have some fun with them. :lol:

Peace and best wishes in this new year,
JohnBobSmith
DrM

Re: Is Linux Secure or Vulnerable?

Post by DrM »

I think that Linux is indeed vulnerable to cross-platform Java and Flash scripts which are run in the web browser. A good idea is to check your Linux installation with Kaspersky's Rescue Disc which can be downloaded at ftp://devbuilds.kaspersky-labs.com/rescuedisk/updatable/ or Avira ScanCL at http://www.avira.com/en/download/produc ... -generator and http://www.avira.com/en/download/produc ... ner-scancl.
wywer

Re: Is Linux Secure or Vulnerable?

Post by wywer »

DrM wrote:I think that Linux is indeed vulnerable to cross-platform Java and Flash scripts which are run in the web browser. A good idea is to check your Linux installation with Kaspersky's Rescue Disc which can be downloaded at ftp://devbuilds.kaspersky-labs.com/rescuedisk/updatable/ or Avira ScanCL at http://www.avira.com/en/download/produc ... -generator and http://www.avira.com/en/download/produc ... ner-scancl.
Hi DrM,
That's the exact reason why I praised JohnBobSmith's post, as NoScript allows flexibility in controlling "Flash", highlighting and blocking "Java script" and, to add, does prevent xss-cross scripting and click-jacking! Peace.
regards-wywerjet(paranoid Android)
Hoser Rob

Re: Is Linux Secure or Vulnerable?

Post by Hoser Rob »

There's an old saying in the computer world: the biggest security risk is between the computer and the chair.

I think people expect too much from Clam. It was never intended to be a general purpose AV program. It's really meant for mail servers.

People expect way too much from AV programs in general. The most important thing to remember about them is that not one of them really works. They will all pass some viruses. Reviews I've seen that claim x is better than y because one blocked 95% and the other blocked 93% are basically meaningless.

While I like the freedom from viruses Linux gives you that wasn't the main reason I installed it. Probably the worst thing you can do when it comes to security is to install some app (or even OS) because you think it'll make you immune. I know a couple of people who had their hotmail passwords hacked or phished. They can't understand what went wrong because they had Norton AV.

It's like a buddy of mine who's a programmer said. He never gets viruses in Windows. His friends who have small children get them constantly.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
wywer

Re: Is Linux Secure or Vulnerable?

Post by wywer »

Hoser Rob wrote:There's an old saying in the computer world: the biggest security risk is between the computer and the chair.

I think people expect too much from Clam. It was never intended to be a general purpose AV program. It's really meant for mail servers.

People expect way too much from AV programs in general. The most important thing to remember about them is that not one of them really works. They will all pass some viruses. Reviews I've seen that claim x is better than y because one blocked 95% and the other blocked 93% are basically meaningless.

While I like the freedom from viruses Linux gives you that wasn't the main reason I installed it. Probably the worst thing you can do when it comes to security is to install some app (or even OS) because you think it'll make you immune. I know a couple of people who had their hotmail passwords hacked or phished. They can't understand what went wrong because they had Norton AV.

It's like a buddy of mine who's a programmer said. He never gets viruses in Windows. His friends who have small children get them constantly.
Hi there Hoser Rob,
You are correct in saying that no AV is 100% good in "real time", heuristics, "catching virii in the wild" and "the frequency of updating the virus database" on one's pc! That is the reason why one needs a multi-pronged security setup to do his/her best in addition to "best practices" while being between the computer and the chair. Since Linux (Open Source) has not achieved the "celebrity status" of Win. & Mac, we are still stuck with a rudimentary AV like Clam!

I, being the OP of this thread, always had in addition to the "Best AV" (when I was using Win.7 - years ago), which used to change once in 6 months to once a year, based on the deductions of http://www.av-comparatives.org/ for a bit of "relative objectivity" as I could not be "subjective" in advising my fellow windows seven forum members way back and the above site was relied upon by the true security professionals who mattered and I was definitely not one, yet benefitted from their insights in forums like techguy.org and my erstwhile haunt -- sevenforums.com!

The multi-pronged setup I referred to consisted of, in addition to the Commercial AV, A) SAS Pro, B) MBAM (bought), link: http://www.malwarebytes.org/products/ , and C) SpywareBlaster. The interesting issue was the commercial AV, SAS Pro (SuperAntiSpyware) and MalwareBytesAntiMalware (bought ver.) all had/have "real time" threat monitoring capability! As you pointed out, no AV can provide a fool proof anti-virus "shield", the key word here being "virus"! Let it be Avira, Kaspersky, F-PROT, Avast, all claiming protection against Trojans (back door & front door) and the unending list of malware, they were, at best, good at viral detection. MBAM Free & Pro was specifically meant by its developers to target Trojans and SAS Free & Pro was meant to be for Trojans, dialers, spyware and for detecting rogue security applications! Thus an AV with real time ability switched on, MBAM (NOT the free) with its real time on and SAS with SpywareBlaster (akin to Hosts file) was my mélange for securing the home pc, with the proviso "nothing is perfect"!

SAS has a portable version (and free at that) http://superantispyware.com/, which as is apparent can be d-l onto a pen drive and proved to be of real help when the Win. OS went for a toss and the installed (aforementioned) security apps. could not be accessed or were compromised! Peace.
regards-wywerjet
mike acker

Re: Is Linux Secure or Vulnerable?

Post by mike acker »

you guys get into a huge topic here

Note: I am writing this from memory based on my understanding of this mechanism:

Security starts when you press the <POWER> switch.
The BIOS checks out your motherboard, selects a boot device, reads record 0 and starts the operating system.

initially your chip is in REAL mode: no virtual memory, no memory protection, all i/o instructions enabled. Like a PC running DOS 2.0

next, the operating system must build the memory protection model as well as virtual memory support and then switch to protected mode.

once you go into PROTECTED MODE only the kernel can perform input/output instructions or allocate/free memory. this sets the stage for FILE PERMISSIONS. The trusted KERNEL programs will be running in the KERNEL address space and as such cannot be accessed by any application software running in USER mode. Kernel source files will all be in protected directories belonging to /ROOT -- which you do not (initially/normally) have (or need) access to.

this construction protects the operating system software from the activities of the application software which may be started. The init system will load a shell and then launch the GUI interface.... allowing the user -- you -- to activate application programs,..... Chromium, Firefox, Thunderbird,..... what have you. these will run in USER mode. as such they are protected from each other. all their I/O requests must be submitted to the KERNEL as well as requests to allocate or free memory. Any kernel code loaded into user space will be placed on read|exec only pages so that the application program cannot modify it.

Remember: memory protection was activated way back when the CPU switched from REAL to PROTECTED mode. In PROTECTED mode an application program can access only its own memory,-- and this is enforced by the x86 chip concurrently with memory fetch access.... an error -- intentional or otherwise will end up in program abort.

the hackers' job is to violate this plan.... and it ain't easy. first he needs to get improper code execution; then he needs to get into kernel mode.

certain software seems to facilitate this; Adobe Flash being Public Villain Number 1 with nobody else even close.

there are other concerns

I just started using DROPBOX this week ( yeah, yeah, I know I'm 5 years behind the times here ). However: DROPBOX installs a DAEMON -- a running support process -- that monitors stuff in my /Dropbox folder -- and synchronizes that with stuff in my Dropbox "Cloud" storage. way cool,--- as long as that Dropbox Daemon is doing what it's supposed to*

this is why we love Open Source Software. I got the Dropbox Daemon from our "repository" -- which -- we hope -- and work to ensure -- contains TRUSTED programs. I'm OK with this as I trust the Linux community. But it really gets us to the bottom line in security: how are you vetting the software you are putting in your system?

Linux gives us the tools to control what we are putting into our systems -- some other systems fail in this regard. and that -- is why I run Linux.
~~~
*if a hacker were able to alter or replace the Dropbox executable he could then do anything he wanted with all the data on my system. One of these days I'll get back into Apparmor. Apparmor would allow me to confine Dropbox to accessing my /Dropbox folder only.
¡Viva la Resistencia!
xenopeek

Re: Is Linux Secure or Vulnerable?

Post by xenopeek »

There is a difference between BIOS and UEFI for above. CPU reset switches the CPU to real mode and from there loads the BIOS or UEFI from fixed address in ROM. BIOS continues to run in real mode, loads the boot loader from MBR, and hands off control to the boot loader still running in real mode. UEFI on the other hand switches to protected mode within the first few instructions, loads the boot manager from the EFI system partition, and hands off control to that in protected mode.
skywolfblue

Re: Is Linux Secure or Vulnerable?

Post by skywolfblue »

It's never completely safe. But I've never had anyone seriously suggest that Windows is more secure than Linux.

Linux/Unix were designed with security in mind. (Big corporations wanted stable and secure multi-user OSes for their servers)
Windows was designed very much without security. (In a simple let-the-user-do-everything manner) Since then they've had a headache trying to crowbar stuff on to an OS that just wasn't made for it.

...And it shows.
mike acker

Re: Is Linux Secure or Vulnerable?

Post by mike acker »

xenopeek wrote:There is a difference between BIOS and UEFI for above. CPU reset switches the CPU to real mode and from there loads the BIOS or UEFI from fixed address in ROM. BIOS continues to run in real mode, loads the boot loader from MBR, and hands off control to the boot loader still running in real mode. UEFI on the other hand switches to protected mode within the first few instructions, loads the boot manager from the EFI system partition, and hands off control to that in protected mode.
Thanks for the update! I appreciate it-- very much.

At Newegg it seems most new motherboards support UEFI. and this is a good thing: the concept is to check the digital signatures on the key O/S components before allowing them to load. Hopefully then when the O/S takes control we are reasonably assured that it is running clean at that point,-- and hence able to protect itself from that point on. with this in mind, when I build my next system I need to be sure that the motherboard (ASUS M5A99FX?) will recognize the O/S I want to install -- or -- can switch to "standard BIOS" boot. This is not an issue at present: the box I am using now runs fine.

As admin on my box I can install what I like. It is therefore incumbent upon me to do my part: vet or verify any software before I install it.
¡Viva la Resistencia!
niowluka

Re: Is Linux Secure or Vulnerable?

Post by niowluka »

mike acker wrote:Apparmor would allow me to confine Dropbox to accessing my /Dropbox folder only.
Apparmor for Dropbox. Isn't that a little... extreme ? You can achieve that with right permissions.

This subject keeps on popping up, but in my opinion, in Linux all you have to do is
1) keep your system up to date
2) keep default settings unless you know what you're doing

This is perfectly fine for a home desktop system, or even small home / neighbour network.
/dev/urandom

Re: Is Linux Secure or Vulnerable?

Post by /dev/urandom »

skywolfblue wrote:But I've never had anyone seriously suggest that Windows is more secure than Linux.
Well, I do. Technically, Windows has left the Windows 98 days behind for a while now. And don't forget about mitigation mechanisms: Why does Linux still have ASLR, DEP, SEH etc. disabled by default while Windows actively uses them?
skywolfblue wrote:Linux/Unix were designed with security in mind.
Wrong.

Unix was designed with multi-user systems in mind. Linux was - if at all (cf. the book "Just For Fun" by Linus Torvalds) - designed with being a no-cost alternative to Minix in mind. None of them were designed "with security in mind".

But then again, you could say N-Ten (later "Windows NT kernel") was.
skywolfblue wrote:Windows was designed very much without security. (In a simple let-the-user-do-everything manner)
Feel free to upgrade your Windows 98 installation to an NT-based system.
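
The post above names ASLR and DEP as mitigations. As an added example (not part of the thread and not any participant's code), this is one way to check them on a Linux machine: the kernel's ASLR setting, and whether an ELF64 binary is position-independent and requests a non-executable stack. `sample_elf` builds constructed test input; only ELF64 little-endian images are handled.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                    # e_type values from the ELF specification
PT_GNU_STACK, PF_X = 0x6474E551, 0x1      # stack-permission program header, execute bit
ASLR_MODES = {0: "off", 1: "stack/mmap/vdso randomized", 2: "full (heap too)"}

def aslr_mode(sysctl_text):
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    return ASLR_MODES[int(sysctl_text.strip())]

def elf_mitigations(data):
    """Report PIE and non-executable-stack status of an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    return {
        # ET_DYN also covers shared libraries; for a main executable it means PIE,
        # which is what lets ASLR move the program image itself.
        "pie": e_type == ET_DYN,
        # A missing PT_GNU_STACK header gives no guarantee, so it is reported as False.
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
    }

def sample_elf(e_type, stack_flags):
    """Constructed test input: ELF64 header plus one PT_GNU_STACK program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr

if __name__ == "__main__":
    import sys
    with open("/proc/sys/kernel/randomize_va_space") as f:
        print("ASLR:", aslr_mode(f.read()))
    path = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    with open(path, "rb") as f:
        print(path, elf_mitigations(f.read()))
```

Run with a binary path as the first argument to inspect that file; with no argument it inspects the Python interpreter itself.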
niowluka

Re: Is Linux Secure or Vulnerable?

Post by niowluka »

/dev/urandom wrote:
skywolfblue wrote:Linux/Unix were designed with security in mind.
Wrong.

Unix was designed with multi-user systems in mind. Linux was - if at all (cf. the book "Just For Fun" by Linus Torvalds) - designed with being a no-cost alternative to Minix in mind. None of them were designed "with security in mind".
Multi-user environment implies security. If the system is designed to work in multi-user, networked environment then security is paramount, and that's always been the case with Linux. For Windows, as has been mentioned, it was something included at a later stage, once more and more systems were connected to the internet. For Windows security is an effort, for Linux it's just everyday life.
/dev/urandom

Re: Is Linux Secure or Vulnerable?

Post by /dev/urandom »

niowluka wrote:Multi-user environment implies security.
Wrong again. Even old Windows 9x had multi-user capabilities. And close to no security for them.
niowluka

Re: Is Linux Secure or Vulnerable?

Post by niowluka »

/dev/urandom wrote:
niowluka wrote:Multi-user environment implies security.
Wrong again. Even old Windows 9x had multi-user capabilities. And no security for them.
:lol:

Well, there you go, need I add more...

I think it just adds to the argument that Windows designers did not expect those capabilities to be utilized much.
mbohets

Re: Is Linux Secure or Vulnerable?

Post by mbohets »

By the way, should you ever get a call from any call center/scammer guys, and he asks what OS you use, tell him you use Gentoo Linux or some other hardcore *nix and record the reaction. :lol:
Or even better, Linux from scratch
/dev/urandom

Re: Is Linux Secure or Vulnerable?

Post by /dev/urandom »

niowluka wrote:Well, there you go, need I add more...
Yes, please.
niowluka wrote:I think it just adds to the argument that Windows designers did not expect those capabilities to be utilized much.
See, neither the Unix designers nor Linus Torvalds expected large amounts of malware when they designed their particular system. Now what does that tell you?

Of course you can try to fill the awkward silence with a couple of :lol: and :mrgreen: - that doesn't make your implication right whatsoever. :)
mbohets wrote:Or even better, Linux from scratch
LFS has the same issues as all other Linuces: A broken kernel.
niowluka

Re: Is Linux Secure or Vulnerable?

Post by niowluka »

/dev/urandom wrote:Yes, please
Having capabilities and being target operating model are 2 different things. If you are designing a system that you expect to be used by hundreds or thousands of users, then security must be at its core design. If you are designing a system that you expect to sit on its own in a room, and be used by one person, their partner and maybe neighbour, then security will be rudimentary.
/dev/urandom

Re: Is Linux Secure or Vulnerable?

Post by /dev/urandom »

niowluka wrote:If you are designing a system that you expect to be used by hundreds or thousands of users, then security must be at its core design.
You might have forgotten that Linus made Linux mainly for himself. How is that relevant to the topic?

But - even better - you could also try to answer my questions about mitigation technologies.