Re: Linux and security

From: David (davidwnh_at_adelphia.net)
Date: 07/31/03


Date: Thu, 31 Jul 2003 03:59:13 GMT

This is true and probably why trojaned source or RPMs or windoze
installation packages are all a big "potential" threat. Up to this point
it has not been a widespread problem except for maybe those "daring" enough
to use Warez sites or p2p networks to get software. One thing I can say
when looking at all the Windows machines I have dealt with is that the
overwhelming majority of malware comes in via email and web browsing. So
the average home user, doing his/her normal tasks without using an account
that has administrative rights avoids 90+ percent of the problems. With
Linux the major risks are currently unpatched software and improperly
configured services. I generally try to put most of my efforts where the
current widespread threats are known to be.
>
> but people do (and more so will) want to install third-party software and
> if they can't do it as user they will become root to do it!
 

File integrity monitors can be a pita to set up the first time but take less
than a minute out of the day to check. I'm continuously updating my systems
but even on those days the origin of the changes indicated in a file
integrity report are usually obvious. I do agree they are not for everybody,
but for someone who is willing to deal with Linux configuration files,
compiling source, etc. it is not a bad way to go. At this point in time if
you want a secure Linux box that you can actually do something with you
still have to get your hands dirty. If not you will generally end up with
something no more secure than a Windows machine that can't do much more
than email and web browsing. A little over the top? Why do you think the
most popular Linux distros include RPMs for it? Why do you think they
include gpg and many open source developers sign their code? Why do you
think most of the new versions of Windows desktop firewalls include MD5
file integrity functionality? I dream of the day when all the Linux
security tools become less time consuming and easier to configure, but that
day is just not here yet.
> come on... this is a nice solution for a server and so forth, but don't
> you think that this is a little over the top for your workstation? i find that
> quite a hassle. it sure helps against various threats but i for
> example run debian and tend to update my system in very regular intervals.
> so, i'd have a hell of a job to discern what changes were appropriate and
> what changes might imply malicious code...
>

How can you say something like tripwire is overkill and hard to use when in
the next paragraph you state you have "never used tripwire or similar"? I
would actually suggest Samhain w/ the Beltane web interface for a home
user. Another pita to set up the first time (as with many things in Linux)
but once it is up and running it is very easy to keep track of things.
There is no sifting through millions or even hundreds of logs involved with
either program. That's the set it and forget it attitude which is useless
in any case. That's the same way of thinking as the Windoze user who
installs AV software, never updates it, then wonders how they could have
possibly gotten a virus. Then they reinstall their OS without finding out
why it happened....and get hit again the same way.
Nothing can guarantee 100% protection but you can better your odds by
learning how to prevent or at least minimize the damage of the currently
known threats. Most file integrity software does almost nothing to
proactively protect your system. But it will help you catch something
quickly if it is used properly. If you are lucky it can keep something from
delivering its payload, but even if you are unlucky you have something
which will help you better configure things in the future.
>
> if you catch a virus by installing software then you gotta sift through
> millions of log-entries to see whether anything fishy happened. i've never
> used tripwire or similar and i think it's a great idea for very static
> systems that are not supposed to change, but with workstations i'm not so
> sure.
>

Certainly the files in one's home directory are most important. Good reason
to put a solid file backup regimen at the top of the list. And if you keep
your "sensitive" files on removable media then most compromises are merely
irritating at most. Not viable for everyone but there are reasonable
solutions for everything.
You have to keep in mind that since viruses and worms that manipulate your
personal files are currently not a widespread problem with Linux, your main
concern often revolves around protecting the system files whose compromise
could allow someone else to access or download your data. That is why we
protect root and the system. Not because they are so important or
irreplaceable but because they hold the "master keys" to the users' data.
You don't necessarily use file integrity software to track your data files
that are frequently changing. You put it on the executables that if
compromised allow someone else access to them.
> if the virus got to you by an application exploit, it is gonna go to your
> $HOME directory, which is the only files you should have write access to.
> and usually people tend to change many things in their $HOME - it's called
> work *g*. so here you gotta sift through thousands of logged changes
> again.
>

The true statistics are out there scattered about somewhere, but it seems
everyone who publishes them has an ulterior motive which leans to one side
or the other:) I take the 50/50 attitude because during any period of time
it could go either way.
>
> generally true, although many of the Open Source community don't like to
> hear it :-). but companies are no magical institutions!! there have also
> been several cases of virii burnt on application cds. that is a problem
> not so much of the code itself but its online distribution. debian still
> does not have its signature system running AFAIK and thus you have to
> trust it actually IS a debian server you are getting your whole system
> from :-))
>

I deal with all of my family's and friends machines (aside from those who
work in the field) and would have to say most home users don't have a clue
and really don't care. Remember we are talking about home use here not
business. If I didn't have other reasons to keep abreast what is happening
I probably wouldn't care either. I would simply backup my files and spend
more time at the local tavern.
>
>> "Real education" of the average computer user will never happen. Most
>> people don't have the time or interest to deal with it and will always
>> expect or believe that it is the developers or vendors responsibility.
>
> well, you could say the same thing for car safety, but most people take a
> genuine interest in maintaining their car safe (tire pressure, oil,
> regular check-ups, buckling up, slowing down when it rains heavily,
> knowing about braking distance, etc). this is partly due to legislation
> and police enforcement, but to a lesser extent due to people being
> informed about the dangers and how to deal with them...

A "driver's licence" to operate a home computer! You can't stand the thought
of sifting through logs to see why something happened, yet you're willing
to allow a bunch of politicians to force you to obtain a "home computer
operators permit" so you can surf the web?
> if there was a "driving license" for internet computer use, people might
> be able to deal better with keeping their system SAFER and CARING about
> the integrity of their files.
>

That's new info to me. I guess that's what happens when they try to
commercialize something. You pay for the extra holes :)
> yep, look at lindows that promises to be more secure than windows and then
> runs root as only user!!!!
>
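The file integrity approach described in the post above (baseline the system executables, compare later, investigate only the differences) as an added Python example; this is constructed illustration, not Tripwire or Samhain code and not the poster's, and the directory it scans is a throwaway temp dir standing in for /bin, /sbin and friends.

```python
import hashlib
import os
import stat
import tempfile

def file_record(path):
    """Content hash plus the metadata a quiet replacement would also have to preserve."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_baseline(roots):
    """Walk the given directories and record every regular file (symlinks skipped)."""
    baseline = {}
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    baseline[p] = file_record(p)
    return baseline

def compare(baseline, current):
    """Return (added, removed, changed); 'changed' maps path -> list of fields that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in sorted(set(baseline) & set(current)):
        diff = [k for k in baseline[p] if baseline[p][k] != current[p][k]]
        if diff:
            changed[p] = diff
    return added, removed, changed

def demo():
    """Constructed sample: a throwaway 'bin' directory, a baseline, then one altered file."""
    d = tempfile.mkdtemp()
    ls = os.path.join(d, "ls")
    with open(ls, "wb") as f:
        f.write(b"#!/bin/sh\necho real ls\n")
    os.chmod(ls, 0o755)
    base = build_baseline([d])
    # Simulated unexpected change to a system executable (content and permissions).
    with open(ls, "wb") as f:
        f.write(b"#!/bin/sh\necho modified\n")
    os.chmod(ls, 0o700)
    return compare(base, build_baseline([d]))
```

The report only lists what differs, which is why a baseline limited to executables and libraries stays readable even on a box that is updated often: a package upgrade explains its own entries, anything else needs a look.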
