KoolDrew

Lifer
Jun 30, 2004
I just want to make sure this is true, but a friend of mine said that with Linux the reason it is so secure is because Linux needs you to do things on it, therefore viruses (trojans and backdoors included) can't run on Linux; even if some were made, you'd have to be stupid enough to su and run the shell script. Is this true?
 

eigen

Diamond Member
Nov 19, 2003
He means it's too complex to explain to a *nix newb, but yeah, you can think of it that way.
 

uOpt

Golden Member
Oct 19, 2004
It is true to a major part but not completely.

Unix users always run their apps under a different user id than what can write the application components. So an attack on - say - your browser cannot just change your browser exe file on the disk like it can for almost all practically existing Windows desktops.

However, it can modify the startup scripts in your homedir so it is just more difficult, not impossible.

The real reason why Linux is more secure is better coding, more review (thanks to sourcecode available) and that Linux users are on average much better at updating, firewalling and the like.

You see, there are about an equal number of security leaks being published for Windows and for Linux each week. But if you have a closer look, it is usually something crazy and exotic for Linux most of the time, not affecting most users, whereas for Windows it is usually the web browser, the mailer (do people bother to publish leaks for Outlook anymore?) or some network service enabled and open but not firewalled by default.
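
As an added example (not uOpt's own code): a small baseline check for the shell startup files in a home directory, the files a compromised user process can still edit even though it cannot touch the browser binary. The file list and the baseline layout are this example's own choice; the demo scenario is constructed.

```python
# Added example (not from the thread): baseline and re-check the startup
# scripts in a home directory, since a process running as the user can edit
# them. File list and baseline layout are this example's own choice.
import hashlib
import os
import tempfile

STARTUP_FILES = (".bashrc", ".bash_profile", ".profile", ".xinitrc", ".xsession")

def snapshot(home):
    # Map each startup file that exists to (sha256, permission bits).
    snap = {}
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[name] = (digest, os.stat(path).st_mode & 0o777)
    return snap

def check(home, baseline):
    # Return sorted (file, finding) pairs; an empty list means nothing changed.
    findings = []
    current = snapshot(home)
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings.append((name, "removed"))
        elif name not in baseline:
            findings.append((name, "new file"))
        elif current[name][0] != baseline[name][0]:
            findings.append((name, "content changed"))
        if name in current and current[name][1] & 0o022:   # g/o write bit
            findings.append((name, "writable by group/other"))
    return findings

def demo():
    # Constructed scenario: baseline a fresh home directory, then alter it.
    home = tempfile.mkdtemp()
    rc = os.path.join(home, ".bashrc")
    with open(rc, "w") as fh:
        fh.write("export PATH=$PATH:$HOME/bin\n")
    os.chmod(rc, 0o644)
    baseline = snapshot(home)
    with open(rc, "a") as fh:            # a line appended after baselining
        fh.write("alias ls='ls --color=auto'\n")
    os.chmod(rc, 0o666)                  # and made group/other writable
    profile = os.path.join(home, ".profile")
    with open(profile, "w") as fh:       # a new startup file appears
        fh.write("umask 022\n")
    os.chmod(profile, 0o644)
    return check(home, baseline)
```

Store the output of snapshot() somewhere the user cannot write (or off-box) and run check() against it from a cron job or login hook.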
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: eigen
He means it's too complex to explain to a *nix newb, but yeah, you can think of it that way.

Not exactly what I meant. I meant that the explanation was kind of true. No further explanation was asked for. ;)

Worms can be much more of a problem, but with the diversity present in the *nix world, they haven't manifested into much since 1988(?).

Issues with viruses on *nix (they follow the same basic principles, so why bother specifying Linux when it isn't necessary?):
  • root is not used for day to day activities. Many (most?) Windows users are lazy, and use the Administrator account for day to day access. Hell, I do that on my Windows system (it doesn't do a whole lot really, and when I install XP I'll change my habits).
  • Basic *nix permissions deny write access to most files by regular users. Generally the only things a regular user can access are in their home directory. So if a user gets a virus, that's what the user has to worry about losing.

Now, there are still some issues present in most *nixes (relating to worms, viruses, and exploits in general), that would be tough to address (although not impossible, some of the fixes I have in mind might break POSIX and would definitely break tradition):
  • Ports above 1023 (high ports) can be bound to by regular users. A user can set up a backdoor at a high port.
  • Users can use executables present in their home directories. (aka. untrusted binaries)
  • Network listening daemons are often poorly coded, and are often not using modern technologies that can help protect the system.
  • Configuration can be difficult for plenty of applications, and this leads to mistakes by new admins.

Some possible solutions (if these break POSIX, I won't know):
  • Port ACLs. Regular users being able to bind to high ports is a tradition, and necessary for some environments. Limiting access to incoming connections on those ports can also help, but will cause problems with some applications.
  • Mount /home noexec. This breaks tradition, and can be a right pain in the butt. This probably doesn't stop interpreted scripts from being run.
  • Any daemon that listens to the network and cannot give up root permissions (if they are even necessary) should use privsep. Also thorough code audits are important. I also think an evolution over revolution approach might be a bit easier to handle also. Obviously these don't solve all problems (see: OpenSSH), but they help.
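
A defender-side check for two of the issues listed above (regular users bound to high ports, and /home mounted without noexec), as an added example that is not any poster's code: it parses the /proc/net/tcp and /proc/mounts formats from constructed sample text, and assumes a little-endian host for the address decoding.

```python
# Added example (not from the thread): audit two of the weak spots listed,
# non-root users listening on high ports and /home mounted without noexec,
# from text in the /proc/net/tcp and /proc/mounts formats (samples constructed).
import socket
import struct

def _decode_addr(field):
    """Decode 'AABBCCDD:PPPP' into (ip, port); /proc keeps the IPv4 address
    in host byte order, so a little-endian (x86) host is assumed here."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def user_high_port_listeners(proc_net_tcp):
    """Return (ip, port, uid) for LISTEN sockets above port 1023 owned by a
    non-root uid, i.e. the sockets a user-level backdoor would occupy."""
    hits = []
    for line in proc_net_tcp.splitlines():
        f = line.split()
        if len(f) < 8 or f[3] != "0A":    # skip header and non-LISTEN states
            continue
        ip, port = _decode_addr(f[1])
        uid = int(f[7])
        if port > 1023 and uid != 0:
            hits.append((ip, port, uid))
    return hits

def home_is_noexec(proc_mounts):
    """True if the filesystem mounted on /home carries the noexec option."""
    for line in proc_mounts.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == "/home":
            return "noexec" in f[3].split(",")
    return False   # no separate /home: it inherits / and stays executable

SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 100 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 200 1
   2: 0100007F:0BB8 0100007F:D431 01 00000000:00000000 00:00000000 00000000  1000        0 400 1
"""
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    print(user_high_port_listeners(SAMPLE_TCP))   # [('0.0.0.0', 8080, 1000)]
    print("/home noexec:", home_is_noexec(SAMPLE_MOUNTS))
```

On a live system feed the same functions open("/proc/net/tcp").read() and open("/proc/mounts").read(); a hit bound to 0.0.0.0 rather than 127.0.0.1 is the one reachable from the network.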

 

Hyperblaze

Lifer
May 31, 2001
Linux can be as insecure or as secure as you want...it all depends on how you administer things....

If for example, you remove the root password (can easily be done) then anyone can do whatever they want on your machine

Linux has fewer security vulnerabilities than Windows due to it being open source (many, many folks can look through the code in order to find bugs, while in Windows the number is much less)

Windows is slowly becoming more secure but has miles to do before it even comes CLOSE to being as secure as linux.

 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Jero
Linux has fewer security vulnerabilities than Windows due to it being open source (many, many folks can look through the code in order to find bugs, while in Windows the number is much less)

An application being open source does not mean that it is being reviewed/audited as it should be. The kernel is getting plenty of eyes, but how many of them are looking for bugs?

Just a thought, not an accusation or anything. ;)
 

Hyperblaze

Lifer
May 31, 2001
Originally posted by: n0cmonkey
Originally posted by: Jero
Linux has fewer security vulnerabilities than Windows due to it being open source (many, many folks can look through the code in order to find bugs, while in Windows the number is much less)

An application being open source does not mean that it is being reviewed/audited as it should be. The kernel is getting plenty of eyes, but how many of them are looking for bugs?

Just a thought, not an accusation or anything. ;)

You are quite right. However, do remember that there ARE a number more of hackers out there who actively make sure that the open source software that they employ is as secure as possible, making open source software much more secure.

Umm....as for the bugs in the kernel. If no one were looking for bugs, we wouldn't have this many releases of the kernel. If you are thinking of something different, please let me know.

 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Jero
Originally posted by: n0cmonkey
Originally posted by: Jero
Linux has fewer security vulnerabilities than Windows due to it being open source (many, many folks can look through the code in order to find bugs, while in Windows the number is much less)

An application being open source does not mean that it is being reviewed/audited as it should be. The kernel is getting plenty of eyes, but how many of them are looking for bugs?

Just a thought, not an accusation or anything. ;)

You are quite right. However, do remember that there ARE a number more of hackers out there who actively make sure that the open source software that they employ is as secure as possible, making open source software much more secure.

In theory. Most open source projects are not audited at all, and I'd venture that very few are audited in a methodical and professional way. Schneier wrote something on this recently.
"There's lots of open-source software out there that no one has analyzed and is no more secure than all the closed-source products that no one has analyzed. But then there are things like Linux, Apache or OpenBSD that get a lot of analysis. When open-source code is properly analyzed, there's nothing better. But just putting the code out in public is no guarantee."

If you (or anyone else) don't know, Schneier is a respected member of the security community. He wrote the Blowfish and Twofish encryption algorithms.

Umm....as for the bugs in the kernel. If no one were looking for bugs, we wouldn't have this many releases of the kernel. If you are thinking of something different, please let me know.

There is a difference between actively looking for bugs and stumbling upon one. Not all bugs are easy to find, troubleshoot, or fix also. There could be a bug buried deep in something that few people really use (but can't be removed for whatever reason), that almost never rears its ugly head. It could be a complex programming mistake, a mistake from ambiguous documentation, or just one of the many inexperienced kernel hackers thinking they've done something clever.

As I mentioned previously, I'm not familiar with the auditing techniques in use by the Linux kernel developers. I would be much more comfortable with the Linux kernel than 99% of the open source projects out there.

As an example of the open source has more eyes theory not working, look at CVS. The code has been around forever, but big bugs are found regularly. Enough that an OpenCVS project has been started. ;)
 

Hyperblaze

Lifer
May 31, 2001
Originally posted by: n0cmonkey
Originally posted by: Jero
Originally posted by: n0cmonkey
Originally posted by: Jero
Linux has fewer security vulnerabilities than Windows due to it being open source (many, many folks can look through the code in order to find bugs, while in Windows the number is much less)

An application being open source does not mean that it is being reviewed/audited as it should be. The kernel is getting plenty of eyes, but how many of them are looking for bugs?

Just a thought, not an accusation or anything. ;)

You are quite right. However, do remember that there ARE a number more of hackers out there who actively make sure that the open source software that they employ is as secure as possible, making open source software much more secure.

In theory. Most open source projects are not audited at all, and I'd venture that very few are audited in a methodical and professional way. Schneier wrote something on this recently.
"There's lots of open-source software out there that no one has analyzed and is no more secure than all the closed-source products that no one has analyzed. But then there are things like Linux, Apache or OpenBSD that get a lot of analysis. When open-source code is properly analyzed, there's nothing better. But just putting the code out in public is no guarantee."

If you (or anyone else) don't know, Schneier is a respected member of the security community. He wrote the Blowfish and Twofish encryption algorithms.

Umm....as for the bugs in the kernel. If no one were looking for bugs, we wouldn't have this many releases of the kernel. If you are thinking of something different, please let me know.

There is a difference between actively looking for bugs and stumbling upon one. Not all bugs are easy to find, troubleshoot, or fix also. There could be a bug buried deep in something that few people really use (but can't be removed for whatever reason), that almost never rears its ugly head. It could be a complex programming mistake, a mistake from ambiguous documentation, or just one of the many inexperienced kernel hackers thinking they've done something clever.

As I mentioned previously, I'm not familiar with the auditing techniques in use by the Linux kernel developers. I would be much more comfortable with the Linux kernel than 99% of the open source projects out there.

As an example of the open source has more eyes theory not working, look at CVS. The code has been around forever, but big bugs are found regularly. Enough that an OpenCVS project has been started. ;)

You have very good points. Some open source software is very secure while others aren't.

You just need to get a decent following in order to make your open source software as secure as possible lol.
 

Sunner

Elite Member
Oct 9, 1999
Originally posted by: n0cmonkey
Enough that an OpenCVS project has been started. ;)

Man, Theo & Co are creating lots of Open* stuff lately, thanks for that one, I've missed it completely. :)

I'm still waiting for them to create an Open OpenSSL, maybe then I won't have to upgrade OpenSSL every time the biweekly security update shows up ;)

Oh and yes, I agree with all of your points.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Sunner
Originally posted by: n0cmonkey
Enough that an OpenCVS project has been started. ;)

Man, Theo & Co are creating lots of Open* stuff lately, thanks for that one, I've missed it completely. :)

I'm still waiting for them to create an Open OpenSSL, maybe then I won't have to upgrade OpenSSL every time the biweekly security update shows up ;)

Oh and yes, I agree with all of your points.

The OpenBSD version of OpenSSL is already modified a bit. User updates are tough, and probably impossible for most people. ;)

I'd like a fully BSD licensed OpenSSL myself, I don't like the current license at all.