bsilver at chrononomicon.com
Tue Jun 17 20:52:18 BST 2008
Michael "TheZorch" Haney wrote:
> Bart Silverstrim wrote:
>> I've seen people claim they don't need it for Windows, but there's just
>> too many cases where just web browsing with your user privileges under
>> Windows architecture can cause problems. Maybe with the way Vista annoys
>> users for every damn action short of sneezing, requiring you to click
>> through it, the situation's different, but I don't trust it.
>> Unfortunately there's a number of Windows programs that can't deal with
>> the security settings, so if you don't want to deal with hassle you end
>> up running in a less secure state and so...it's a pain.
> UAC is cruel and unusual punishment for Vista users. I've never seen an
> OS which so thoroughly ticks off users the way Windows Vista does.
The funny part is, as I understand it, that UAC was specifically
designed to annoy the user. Something about putting pressure on
developers to follow programming guidelines that Microsoft has had out
there for a while now but people just plain ignored, like where to store
preferences for applications and library files. Google should be able to
find where that was actually quoted from an MS insider.
> In the end Zone Alarm and Avast were installed on that machine and it's
> been infection free ever since then. I've never had to use anti-virus
> software for Linux during the time I've used the OS. I know there is
> anti-virus software for Linux in the form of Clamwin Anti-Virus but how
> many Linux viruses and Trojans are there out there compared to viruses,
> worms and Trojan Horses for Windows? Probably only about as many as
> there are for Mac OS X, which is a pretty small list.
A) that bot was taking advantage of a vulnerability in Windows, tying
into point B.
B) That scripting host app that was being accessed still could only do
what it had privileges to; i.e., if it ran as the user, it could access
parts of the system the user could alter; if it ran as the system or
administrator, it had free rein of the system. With Linux today, this
is addressed by having common components run in their own context so
Apache could only affect Apache's directory structure, and in some cases
is running in its own "jail".
C) Again, Windows evolved as a platform from the personal computing
world, unlike Linux which is modeled after UNIX which came from the
multiuser world. This affects the architecture that in turn affects
security and how it is handled. Windows is not designed in any way to
head off problems, or block zero-day type exploits. Thus your defenses
are reactive and not proactive.
D) Unless you do this for a living, it probably wouldn't have occurred
to you, but for those of us wandering in the world of Windows support we
quickly learned NEVER to plug a Windows system into an
Internet-connected network unless it's NAT'ed and pseudo-firewalled;
there are too many idiots still zombied and probing for other systems to
infect with old vulnerabilities, and the time it takes to get updates
leaves a HUGE window of opportunity to get infected. It only takes a
minute or two for infection. If you can't NAT it, you need to use
offline updates with a slipstreamed update CD before trying to connect it.
E) There are worms that affect Linux. Mainly because 99.9% of them
aren't Linux-based. They're vulnerable in Apache, or MySQL, or some
other popular Internet-facing application. It's not Ubuntu's fault if
there's an Apache bug...they are packaging the fix as they come from the
Apache project. While it affects perception of Ubuntu when it happens it
still isn't their fault. Also...
F) Most services don't run by default, even if they can be installed.
Personally I hadn't run a software firewall until it became installed
and partially configured by default...why? I didn't run services I
didn't use, didn't need to shape or throttle traffic, and when I ran
services, I wanted it open to all IPs. I didn't want or have a need to
limit SSH from whatever machine I sat at...when probing became the "in"
thing to do, I installed denyhosts. I don't run Apache, so it didn't
matter if it had a vulnerability in it when I evaluate my home machine's
status. For most home users, software firewalls really shouldn't be
necessary because your OS shouldn't be running unused services; this
isn't part of the Windows mindset, unfortunately, and now various
sources of propaganda make users think they need a firewall like they
think they needed fins on cars in the 50's.
That being said, one of the handier things I'd want and could find
useful was an easy to use application for visualizing network traffic in
and out of a computer. Yes, I'm aware of netstat, or socklist, or
grepping and awking and otherwise twisting the $!@#$ out of an iptables
command, but it's still not an at-a-glance useful tool. The closest I
found was Zonealarm's outgoing filters in Windows showing applications
running, where the connections were going, how much data was attempting
to flow through...again, though, that would go back to my references
about tools and a need for VM advances, since applications running
within your own login context (or system context) could be attacked, so
you kind of need a way to view your computer from the outside in. Can't
do that unless you were in a VM or had a special router that monitored
such things inline with your network traffic.
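An added example, not from this thread or its authors: a small sh/awk script that gives the at-a-glance view of listening services the post asks for (which ports are reachable from the network, and which program owns each), following the "don't run services you don't use" point above. It assumes the column layout of `ss -tulpnH` (Netid, State, Recv-Q, Send-Q, Local, Peer, Process) and runs here on constructed sample lines so it works offline.

```shell
#!/bin/sh
# Added example (not from the original thread). Live use on a Linux box:
#   sudo ss -tulpnH | audit_listeners
# The Process column only appears with -p and (for other users' sockets)
# root, so a missing column is reported as "unknown" rather than mis-parsed.

# Constructed sample of what a small desktop might show.
SAMPLE='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 128 127.0.0.1:631  0.0.0.0:* users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0 511 *:80           *:*       users:(("apache2",pid=1020,fd=4))
tcp   LISTEN 0 80  127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=955,fd=12))
udp   UNCONN 0 0   0.0.0.0:68     0.0.0.0:* users:(("dhclient",pid=590,fd=6))
tcp   LISTEN 0 128 [::]:22        [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0 128 0.0.0.0:111    0.0.0.0:*'

# Reads ss-style lines on stdin; prints "EXPOSED|LOCAL-ONLY proto local program".
# A socket bound to loopback cannot be reached from the network, so the
# EXPOSED rows are the ones worth asking "do I actually use this?" about.
audit_listeners() {
  awk '
    NF >= 5 {
      addr = $5; sub(/:[^:]*$/, "", addr)        # drop the ":port" suffix
      scope = (addr == "127.0.0.1" || addr == "[::1]") ? "LOCAL-ONLY" : "EXPOSED"
      prog = "unknown"                             # no Process column visible
      if (NF >= 7 && match($7, /\("[^"]+"/))       # users:(("name",pid=...
        prog = substr($7, RSTART + 2, RLENGTH - 3)
      printf "%-10s %-4s %-16s %s\n", scope, $1, $5, prog
    }'
}

# Number of network-reachable listeners in the input on stdin.
count_exposed() {
  audit_listeners | grep -c '^EXPOSED'
}

printf '%s\n' "$SAMPLE" | audit_listeners
echo "network-reachable listeners: $(printf '%s\n' "$SAMPLE" | count_exposed)"
```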