[ubuntu-studio-devel] How wide spread is Linux spyware?

Ralf Mardorf ralf.mardorf at alice-dsl.net
Fri Jul 17 18:30:48 UTC 2015


On Fri, 17 Jul 2015 13:46:50 -0400, lukefromdc at hushmail.com wrote:
>When it really counts, I bring out the big guns by firing up
>Torbrowser.  

2 humans = 2² opinions

Regarding TOR a message from the Arch general mailing list from today
and regarding browser security in general, 2 mails from the Kubuntu
users mailing list, also from today.

Begin forwarded message:

Date: Fri, 17 Jul 2015 13:00:30 -0400
To: arch-general at archlinux.org
Subject: Re: [arch-general] current flash vulnerabilities - what to do?


On 17/07/15 12:35 PM, Ralf Mardorf wrote:
> On Fri, 17 Jul 2015 11:30:05 -0400, Daniel Micay wrote:
>> The Tor browser is quite insecure. It's nearly the same thing as
>> Firefox, so it falls near the bottom of the list when it comes to
>> browser security, i.e. below even Internet Explorer, which has a
>> basic sandbox (but not nearly on par with Chromium, especially on
>> Linux) and other JIT / allocator hardening features not present at
>> all in Firefox. What the Tor browser *does* have that's unique are
>> tweaks to significantly reduce the browser's unique fingerprint.
>>
>> https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study
>>
>> Tor would be a fork of Chromium if they were starting again today
>> with a large team. They don't have the resources to switch browsers.
>> That would only change if they can get Google to implement most of
>> the features they need.
> 
> Vivaldi is based on Chromium. How does Vivaldi compare regarding
> security and privacy to IceCat, Pale Moon, Firefox, QupZilla, Opera?
> 
> https://aur4.archlinux.org/packages/?O=0&K=vivaldi
> https://aur.archlinux.org/packages/?O=0&K=vivaldi

It's a proprietary browser built on Chromium. It's not interesting from
a security / privacy perspective.

If you want Chromium without Google integration then you can use
Iridium. It doesn't remove any tracking / spying code though. There
wasn't any to remove. Their redefinition of tracking just means support
for any service hosted by Google (like adding a warning message when a
dictionary would be downloaded from them). Most of what it does is
changing the the default settings to be more privacy conscious.

https://git.iridiumbrowser.de/cgit.cgi/iridium-browser/log/




Begin forwarded message:

Date: Fri, 17 Jul 2015 14:49:01 +0200
To: Kubuntu user technical support <kubuntu-users at lists.ubuntu.com>
Subject: Re: Any alternative for the Firefox plug-in 'Adobe Flash
Player'?


Hi all,

On Fri, Jul 17, 2015 at 12:21 AM, Ralf Mardorf <kde.lists at yahoo.com>
wrote:
> On Thu, 16 Jul 2015 21:06:09 +0200, Bas G. Roufs wrote:
>>However, for WIndows users, this problem might be far more dangerous.
>
> Why should it be more dangerous for Windows users?
>
For the very obvious reason that a 0-day exploit is inherently more
dangerous on a less secure system, and Windows is by design less
secure compared to the *nix-based systems like Mac OS or Linux. 0-day
exploits can very very diverse, and the most obvious risk is getting
malware through such an exploit.

Regards, Myriam




Begin forwarded message:

Date: Fri, 17 Jul 2015 18:13:28 +0200
From: Ralf Mardorf
To: kubuntu-users at lists.ubuntu.com
Subject: Re: Any alternative for the Firefox plug-in 'Adobe Flash
Player'?


On Fri, 17 Jul 2015 14:49:01 +0200, Myriam Schweingruber wrote:
>For the very obvious reason that a 0-day exploit is inherently more
>dangerous on a less secure system, and Windows is by design less
>secure compared to the *nix-based systems like Mac OS or Linux. 0-day
>exploits can very very diverse, and the most obvious risk is getting
>malware through such an exploit.

The main issue with bloated browsers and crappy extensions such as the
one from Adobe is unrelated to the operating system. Most people
already offend their own privacy by simply typing something into e.g. a
Google search, already without confirming the search by pressing the
enter key.
They should start Firefox with e.g. Google, then launch Wireshark. As
soon as Wireshark hopefully only displays "Keep-Alive", they should type
and watch what Wireshark shows.
As soon as very risky extensions are used or very risky features
provided by a web browser and/or add-ons, the operating system isn't
much involved. The risk is more on a level compared to the risk of a
phishing website. I guess everybody understands that it doesn't matter
what operating system is used, when sending your banking password to a
phishing website. This is similar for a lot of security and privacy
issues caused by web browsers and their extensions.



More information about the ubuntu-studio-devel mailing list