Security with Linux - Newbie
Eric Dunbar
eric.dunbar at gmail.com
Tue Feb 8 15:51:36 UTC 2005

On Tue, 08 Feb 2005 08:33:10 -0500, Joshua Lee wrote:
> On Mon, 2005-02-07 at 17:06 -0500, Eric Dunbar wrote:
> > On Mon, 07 Feb 2005 16:03:07 -0500, Joshua Lee <yid> wrote:
> >
> > > Viruses are rare because Linux isn't a hospitable environment for them.
> > > Spyware is impossible. Some forms of vulnerabilities exist on both
> >
> > That's a little bit of a stretch -- there's little reason to believe
> > that spyware won't start to pop up for *nix once it proliferates.
>
> If you understood how spyware works you wouldn't say that. It depends on
> "features" of Internet Explorer and the Windows TCP/IP stack, among
> other things, that don't exist in *nix.
>
> This is Bill Gates' argument - he says that the reason why Windows is
> more insecure than Linux is because of its popularity, and if Linux
> becomes popular it will be as buggy and insecure as Windows. That isn't
> the case. The amount of security problems with IIS is much greater than
> the open source web-server Apache even though Apache is more popular
> than IIS. The reasons are architectural.

With all due respect (I ain't no programmer), I do believe that
spyware has just as much potential, IF NOT MORE for *nix as for
Windows. Many of the utilities are already built-into a system, and,
with some creative work a sneaky programmer could dupe a user into
giving them perpetual access (root/super user password(s)) to the
computer.

This "virus" scare for OS X is more appropriate as a spyware scare. A
creative programmer could be grabbing your every keystroke as you
type, compromising accounts everywhere, including your own root
account:
<http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1019129,00.html>
<http://www.macintouch.com/opener.html>

The common element in all of this is that a root password is required,
but, to install software a password is usually needed anyway so that's
not a hard thing to come by. As such enterprises as Kazaa start
finding a large enough user base on *nix (i86 variants since they
can be binaries) to warrant developing apps for, they'll also find a
mature and varied field of "snooper" and server apps that can be
co-opted to either "spy" on you (whether for passwords or for sites
visited) or to use your computer as a server (for spam e-mails,
pooorn, kiddie p, software distribution (whether legal (if you agreed
to it in the contract), dubious or illegal), denial of service
attacks, etc).

I propose to you that thinking that Linux is immune to spy/mal/adware
is the wrong approach -- it certainly WILL BE. However, there are
strengths in the *nix community as well -- once a problem is detected,
there are a lot of eyeballs out there looking over existing code to
figure out solutions to said problem... e.g. shutting down certain
services unless specifically permitted, etc.

(although this ain't a developers list) I would suggest that a robust
intrusion detection mechanism is something that ought to be
incorporated as Linux matures and proliferates as a desktop and server
OS. The software already exists... it's just a matter of creating a
GUI that can give MEANINGFUL information to non-expert users. Twenty
eight grams of prevention is worth 454 grams of cure.

> > The one thing about *nix is that if a super-user account is
> > compromised, a malicious and knowledgeable user can do *anything* to
>
> Yes, and this is true of Windows too - except in Windows, typically you
> *always* are running the administrator account. I did admit that some
> security problems are true of both platforms - which is why I
> recommended constantly tracking security upgrades in Linux, as you
> should do in other OSs.

Although, even Windows is starting to improve its security -- Win XP
is much better off than Win 98, e.g., and Win NT could be
_completely_ locked down (Win NT 4.0 SP 6 is perhaps the best OS that
Microsoft released IMO).

It is bad practice to keep crying wolf about Linux being absolutely
safe (claims made in the media RARELY come with caveats). I expect
that Microsoft is feeling the heat and they'll be making major with
respect to improving security of their OS -- the next version of
Windows will be far less susceptible to viruses and malware than the
present one. Microsoft simply can't afford to allow AdAware and the
other apps to HAVE TO exist. The simple fact that they're needed will
be enough to drive an ever greater number of users from Windows to a
Unix-like OS (GNU/Linux but also lots of *BSD (a lot of people don't
care about OSS and will be drawn to Mac OS X since it offers the only
mature and easy-to-use desktop *nix which doesn't require that you
EVER touch the terminal)).

Microsoft can't afford to have the advanced computer users jumping
ship because there's little brand loyalty, and, where the early
adopters lead, the sheep will follow!

Anyway, time for something different.

Eric.
More information about the ubuntu-users
mailing list