As someone who is totally new to linux i am finding it very strange how i apear to need no internet security software, i am used to going over the top with firewalls and being a bit paranoid when browsing the internet

Althou from what i have read it still seems strange and and i am a little amazed microsoft couldnt pull this off, i still have a bit of caution and have not yet put in any email, user names or passwords.

Has anyone ever wile using common scence wile going online ever been hacked/had any private details stolen/been subjected to any of the nasty things the internet has to offer wile using linux/ubuntu? It feels to good to be true.

might aswell ask, are there any ways i can improve security or ensure that anything unwanted doesnt get on my pc?

If you haven't read it already, the Ubuntu Security sticky is worthwhile reading.

The only thing that scares me are mitm (http://en.wikipedia.org/wiki/Man-in-the-middle_attack) attacks......but then again online stores use ssl for account logins, so that's safe .
Keep it updated, and don't mess with any technical things like public services/iptables, and your pretty much impenetrable.

Has anyone ever wile using common scence wile going online ever been hacked/had any private details stolen/been subjected to any of the nasty things the internet has to offer wile using linux/ubuntu? It feels to good to be true.

If you use common sense, you won't get any of the nasty things in Windows, either.

Windows was never meant to exist in a network world. This is the reason so many exploits even from the earliest versions still are here even in Windows 7. Linux on the other side is something that was born in the network and is developed by the whole world. Even Microsoft can't afford so many specialists.
About your question on safe networking - just install the NoScript plugin in firefox. That is all you need.

If you use common sense, you won't get any of the nasty things in Windows, either.

+1: The rare occasions I've had trouble with some kind of connection to malware (only two come to mind at the moment) my doing something stupid has also played a part.

I guess you could say that the main security software we need in Ubuntu is that installed in our brains, a.k.a. commonsense and caution.

If that is missing, all bets are off.

About your question on safe networking - just install the NoScript plugin in firefox. That is all you need.

That was the first things i did, i am glad i havent lost it wile moving from windows.

One thing i have noticed that may not be important. Firefox seems to be stuck on an earlier version 3.0.14 but the latest is 3.5.3, how do i bring it uptodate? the standard linux system update has ignored it and it doesnt update itselff.

That was the first things i did, i am glad i havent lost it wile moving from windows.

One thing i have noticed that may not be important. Firefox seems to be stuck on an earlier version 3.0.14 but the latest is 3.5.3, how do i bring it uptodate? the standard linux system update has ignored it and it doesnt update itselff.

You can't unless you add special unstable repositories. The reason is that the Ubuntu devs will not officially "stabalize" Firefox 3.5 until they release Ubuntu 9.10 next month. However, many of us use Firefox 3.5 without issue. You just need to add the repository. Google "Firefox 3.5 Ubuntu" and see what you get. There are instructions out there on how to do it.

You can't unless you add special unstable repositories. The reason is that the Ubuntu devs will not officially "stabalize" Firefox 3.5 until they release Ubuntu 9.10 next month. However, many of us use Firefox 3.5 without issue. You just need to add the repository. Google "Firefox 3.5 Ubuntu" and see what you get. There are instructions out there on how to do it.

Thanks for that information.

Its not far away i will use the time until it comes out to try out a few other versions of linux like the new puppy linux and maybe mandrake, i have heard its much simpler to use and might get my dad away from vista. *music from a horror film*

The only thing that scares me are mitm (http://en.wikipedia.org/wiki/Man-in-the-middle_attack) attacks......but then again online stores use ssl for account logins, so that's safe .
Keep it updated, and don't mess with any technical things like public services/iptables, and your pretty much impenetrable.
I'd be more concerned with MITB (http://en.wikipedia.org/wiki/Man_in_the_Browser), effectively invalidating TSL. As someone else said - NoScript.

I still got the habit from Windows. Install anti virus, firewall, internet security and all sort of protection. So I install Clam AV and Firestarter as a precaution. Old habit hard to break. Maybe Linux helps.

As someone who is totally new to linux i am finding it very strange how i apear to need no internet security software, i am used to going over the top with firewalls and being a bit paranoid when browsing the internet So the Microsoft brainwashing worked. No insult intended here. But that's how I see it. Microsoft's OS are broken by design. But instead of fixing that pile of BS they "educate" (or rather: brainwash) their users to accept all those things as being "normal". Firewalls? Anti-Virus, anti-this and anti-that? That's "normal". Bluescreens? Oh dear - but "it happens". Live with it. It's "normal". Your computer getting slower and slower and slower because Microsoft's broken-by-design filesystem can't handle the disks properly and every piece of BS software is allowed to write garbage into the registry ... Oh, that's "normal", you know. Why don't you reinstall your PC? That's "normal" too. Every Windows system should be reinstalled every few months. That's "normal". Or so my Windows friends tell me (LOL!). Also don't forget to upgrade anti-this, anti-that and anti-whatnot. And make sure you try the gazillion of Registry Cleaners, Disk Defragmenters, and all the other BS programs a "normal" Windows user needs because Microsoft's OS 'out of the box' is not able to survive without a ton of third-party utilities. That too is "normal".

See what I mean? Microsoft brainwashed you. Instead of fixing their utterly broken OS they educated you and all the other users into believing that all those quirks and shortcomings are "normal" and that computers "are like that".

i am a little amazed microsoft couldnt pull this off Why would they want to? :D For as long as there are people out there who think that Microsoft produces "good" software and for as long as people are indeed paying for their utterly broken-by-design products they have no reason to change a thing. Look at Vista. Even the most radical Windows fanboys that I know admit that Vista is a sad joke. Recent service packs have improved the situation a little but it's still bad. And still people are buying Windows Vista Super-Duper-Non-Plus-Ultra-Ultimate-It-Rockzorz edition for like 150.-- bucks and more. And just like with Windows 95, Windows 98, Windows ME, Windows 2000, Windows XP, Windows Vista, the soon-to-be-unleashed-upon-mankind Windows 7 will be the "super-duper-best Windows ever". Really. Yes. Really. This time it will ..... It's amazing how people fall for it every time.

are there any ways i can improve security Read the stickies here. And I recommend hanging around in the forum and reading the threads people post. It's useful for learning.

I would not go as far as to call it brainwashing but it is a monopoly and they do almost anything to remove competition and to get even more money out of you.

It is a shame i cant get all my windows games to work on linux. If games developers made it so all there games would work on linux aswell which they should be doing the computer world would be far better than it is. I am sure that microsoft would of coarse send in army of lawyers to stop this breaking there monopoly.

I will admit i did consider getting windows 7 untill i saw the price, it was higher than my cpu mobo ram and graphics card combined.

Let us not become too smug.

Windows advocates will always reply “but no-one is attacking Linux because no-one uses it!”, and although that's far from the whole story there is certainly some truth in it. Linux presents a smaller install base to hackers, but also a more diverse install base: different architectures and compile-time options present across different distros mean it's not as easy to target exploit code as on Windows, where everyone is using the same binary.

Yes, it was stupid that everyone had to run WinXP as an Admin, but Microsoft have fixed this with UAC in Vista and Win7. OK, they've fixed it in an annoying and inconsistent (and very ugly if looked at internally) way, but in effect it's similar to running as a normal user in Ubuntu with gksudo. Still neither UAC nor Linux-as-normal-user are really satisfactory in this regard: if I run some malware, it can still easily trash all my user files. OK, so it's not rooting the box, but that's little comfort to me if all my documents, music and photos are unrecoverable!

What we really need in the long term is per-program permissions so that by default software is run at a lower privilege level than the user running it (and they can ask to escalate privileges when they really need to). Until then, Linux remains just as theoretically vulnerable to web browser exploits as Vista and Win7 (ie. all much better than XP), even if in practice there aren't really any attacks to speak of in the wild today.

(And yes, it was stupid that Win2K onwards opened ports 135–139/445 to all network interfaces and wouldn't let you close them. But XP more-or-less fixed this with the Windows Firewall: uglier than just not opening the ports on untrusted connections, sure, but in practice it worked OK. There was little-to-no point in buying an additional firewall on top of that, regardless of what some alarmist vendors would have you believe about egress filtering being necessary or even reliable.)

Windows advocates will always reply “but no-one is attacking Linux because no-one uses it!”, and although that's far from the whole story there is certainly some truth in it. Linux presents a smaller install base to hackers, but also a more diverse install base: different architectures and compile-time options present across different distros mean it's not as easy to target exploit code as on Windows, where everyone is using the same binary.

These are separate issues, diversity and targeting.

As for the targeting aspect I'm not so sure - given that for many forms of malware, a permanent connection to the Internet is desired and that Linux has a very large installed base on servers it would seem sensible to target Linux.

With respect to diversity, furthering your point on smugness, you're right - we should not be complacent. Man in the browser attacks are facilitated by exploits in browser software not operating system, where the diversity is not as high.

Let us not become too smug.

Windows advocates will always reply “but no-one is attacking Linux because no-one uses it!”, and although that's far from the whole story there is certainly some truth in it. Linux presents a smaller install base to hackers, but also a more diverse install base: different architectures and compile-time options present across different distros mean it's not as easy to target exploit code as on Windows, where everyone is using the same binary.

I agree that Linux having a smaller install base is a *part* of the reason there is no known malware in the wild, but I think it is a small part of the reason (maybe 20%). The different architectures and diversity of the distros also helps. However, as has been repeated here countless times, Linux (and other *nixes) dominate the server market, yet we still don't see any widespread malware.

Yes, it was stupid that everyone had to run WinXP as an Admin, but Microsoft have fixed this with UAC in Vista and Win7. OK, they've fixed it in an annoying and inconsistent (and very ugly if looked at internally) way, but in effect it's similar to running as a normal user in Ubuntu with gksudo.

The problem is that UAC is not quite like a Linux user account. For one, most people turn it off (and for good reason as most Windows software will not behave in a LUA). I visit other security forums pretty often and you will be surprised at the number of "Windows security experts" who turn off UAC. Secondly, there are already vulnerabilities that allow attackers to bypass UAC on Windoze 7.

Still neither UAC nor Linux-as-normal-user are really satisfactory in this regard: if I run some malware, it can still easily trash all my user files. OK, so it's not rooting the box, but that's little comfort to me if all my documents, music and photos are unrecoverable!

What kind of malware would do this, and why? What you describe is script kiddie stuff and is not profitable to those who write the sophisticated malware designed to steal credit card numbers and passwords, etc. Deleting your user files is pointless and is probably one reason we don't see such malware on Linux. The damage malware can do from a user account on a *nix box is very limited (at least to those wanting to steal identities, etc.).

What we really need in the long term is per-program permissions so that by default software is run at a lower privilege level than the user running it (and they can ask to escalate privileges when they really need to).

We already have this. Google for "Mandatory Access Control" and read up on it. For some good background info, you might also want to read up on the Bell-La Padula and Biba security models (they are the basis of most MAC and MIC security models). In Linux, good examples of these models are SELinux, Grsecurity, AppArmor and SMACK. Selinux is unique in that it allows a true MLS security model (Bell-La Padula) while the others are primarily based on the Biba integrity controls. Ubuntu comes with AppArmor already compiled in and turned on. All one has to do is create profiles for individual apps.

Until then, Linux remains just as theoretically vulnerable to web browser exploits as Vista and Win7 (ie. all much better than XP), even if in practice there aren't really any attacks to speak of in the wild today.

It's more complicated than just user accounts. For instance, a browser vulnerability implies a flaw somewhere in the code that can be reliably exploited. Microsoft *finally* implemented DEP and ASLR in Vista, which can mitigate some of these attacks. Linux also has a form of ASLR, as well as stack smashing protection, executable space protection, and other memory hardening protections built in (and these can be increased with the PaX kernel patch or Exec-Shield). The level of default memory protections depends on the distro and how everything was compiled. Fedora seems to be one of the leading distros in this regard.

(And yes, it was stupid that Win2K onwards opened ports 135–139/445 to all network interfaces and wouldn't let you close them. But XP more-or-less fixed this with the Windows Firewall: uglier than just not opening the ports on untrusted connections, sure, but in practice it worked OK. There was little-to-no point in buying an additional firewall on top of that, regardless of what some alarmist vendors would have you believe about egress filtering being necessary or even reliable.)

Are these ports still open on Vista/7 by default?

1. It's not strange at all.

2. Running any microsoft o/s outside of an HVM sandbox should be a non-starter for any technologist.

For one, most people turn it off (and for good reason as most Windows software will not behave in a LUA). I visit other security forums pretty often and you will be surprised at the number of "Windows security experts" who turn off UAC.

No I wouldn't. ;-) In Vista I turn it off too; Win7 seems a little better-behaved so far. I wouldn't say *most* software fails in LUA, but certainly some does. It's not really MS's fault and one can only hope the problem will slowly get fixed.

What kind of malware would do this, and why? What you describe is script kiddie stuff and is not profitable

It was just an example. Maybe they could encrypt the files instead, and ransom them; there is already Windows malware that does this.

steal credit card numbers and passwords

As I understand it, it is possible to log keypresses from user-level apps (maybe using XRecord?), as well as taking screenshots and uploading them, spoofing UI controls, and so on.

In Linux, good examples of these models are SELinux, Grsecurity, AppArmor and SMACK.

Then work needs to go into making these usable to an end-user. I've used SELinux and AppArmor and they are certainly not. (SELinux made RedHat absolutely unbearable for me.) At the moment I can't see either of them being able to cope with the sort of situation I envisage, where each new application runs under its own security principal, requesting rights from the upstream security principal of the user when necessary and implicitly receiving rights to access files when they get them through UI interaction like drag and drop.

Microsoft *finally* implemented DEP and ASLR in Vista, which can mitigate some of these attacks.

Indeed. Also limited/protected mode IE, which is a step ahead of anything Linux has at the moment.

Are these ports still open on Vista/7 by default?

Yes, but the firewall is also on by default, blocking them. It's a bit more complicated than it needs to be, but, well, this is Windows we're talking about. Always better to add an extra layer of complex controls than simply to fix the underlying problem...

"SELinux, Grsecurity, AppArmor and SMACK."

You missed Tomoyo Linux.

Of the lot, AppArmor is probably the least hassle.

Also limited/protected mode IE, which is a step ahead of anything Linux has at the moment. BS. Sorry to say so. On any Unix-like OS you could easily create a non-priviledged account and use it for web-browsing. Takes like 5 minutes to do it. And me, being myself, I'd add POSIX ACLs for good measure so that this particular account can't go to any locations I don't want it to go. You could then launch it via a "su -c -" wrapper or simply by "ssh unpriviledged-user@localhost /usr/bin/firefox" ... If you configured SSH-keys then you won't even see a password prompt and this "limited" browser will be totally transparent to your normal account.

On "more advanced" operating systems such as Sun Solaris 10 it's no big deal to implement a kiosk mode so that a user could only run one single application such as a web browser and nothing else. Ever. Voila, done.

This is yet another example of Microsoft brainwashing. Sorry to say so. UNIX-like OS were able to run stuff under non-priviledged user accounts for ages. Microsoft finally after 30 or so years come up with a similar solution and now everybody believes that they "invented" that. :lolflag:

This is yet another example of Microsoft brainwashing. Sorry to say so. UNIX-like OS were able to run stuff under non-priviledged user accounts for ages. Microsoft finally after 30 or so years come up with a similar solution and now everybody believes that they "invented" that. :lolflag:
Yes and what's more is that this still doesn't help protect people's data in the cloud - running a browser in a protected mode isn't going to prevent someone entering information that they shouldn't into an exploited site.

Yes and what's more is that this still doesn't help protect people's data in the cloud - running a browser in a protected mode isn't going to prevent someone entering information that they shouldn't into an exploited site. Exactly!

And sorry in advance ... I know I have my rough edges. Yes. I know it. And when I write I don't mean to insult anyone I really mean it. Or else I wouldn't write it. OK so far?

But sometimes the comments one can read here .... this blatant Microsoft-worshipping. "Microsoft did this, Microsoft invented that ... Microsoft will pull it off, you'll see ... " Really. Come on. How many more times does Microsoft need to rip people off with yet another "best Windows release ever"?? And seriously: When did they _EVER_ invent anything?

It's them who are playing "catch up", not the other way around.

Their marketing is brilliant, I give them that. I am sure they could sell gold-coated cow dung and people would willingly pay for it...

"Duuude .... this stinks! I think this is just sh*......"
"Pssst! It's from Microsoft! It's shiny! It's new!"

Yeah right. Then it must be "good", right?

But sometimes the comments one can read here .... this blatant Microsoft-worshipping. "Microsoft did this, Microsoft invented that ... Microsoft will pull it off, you'll see ... " Really. Come on. How many more times does Microsoft need to rip people off with yet another "best Windows release ever"?? And seriously: When did they _EVER_ invent anything?
In fairness and I'm only playing devil's advocate, a similar accusation is often levelled at Ubuntu with respect to Debian and Gnome upstream.

If its of any consolation to you - consider tribalism attached to operating systems by their exponents - even more so when you often find the most vocal are not actually contibuting anything at all.

In fairness and I'm only playing devil's advocate, a similar accusation is often levelled at Ubuntu with respect to Debian and Gnome upstream. Mooooment: GPLv2. Copying is explicitly wanted and desired here. And beneficial to those who got copied from as well. Debian is 100% totally free to copy stuff back from Ubuntu. I don't see this as being the same kind of copying.

Mooooment: GPLv2. Copying is explicitly wanted and desired here. And beneficial to those who got copied from as well. Debian is 100% totally free to copy stuff back from Ubuntu. I don't see this as being the same kind of copying.
I didn't say either was right, just that both were said.

I didn't say either was right, just that both were said. I see.

So the Microsoft brainwashing worked. No insult intended here. But that's how I see it. Microsoft's OS are broken by design. But instead of fixing that pile of BS they "educate" (or rather: brainwash) their users to accept all those things as being "normal". Firewalls? Anti-Virus, anti-this and anti-that? That's "normal". Bluescreens? Oh dear - but "it happens". Live with it. It's "normal". Your computer getting slower and slower and slower because Microsoft's broken-by-design filesystem can't handle the disks properly and every piece of BS software is allowed to write garbage into the registry ... Oh, that's "normal", you know. Why don't you reinstall your PC? That's "normal" too. Every Windows system should be reinstalled every few months. That's "normal". Or so my Windows friends tell me (LOL!). Also don't forget to upgrade anti-this, anti-that and anti-whatnot. And make sure you try the gazillion of Registry Cleaners, Disk Defragmenters, and all the other BS programs a "normal" Windows user needs because Microsoft's OS 'out of the box' is not able to survive without a ton of third-party utilities. That too is "normal".

See what I mean? Microsoft brainwashed you. Instead of fixing their utterly broken OS they educated you and all the other users into believing that all those quirks and shortcomings are "normal" and that computers "are like that".

Why would they want to? :D For as long as there are people out there who think that Microsoft produces "good" software and for as long as people are indeed paying for their utterly broken-by-design products they have no reason to change a thing. Look at Vista. Even the most radical Windows fanboys that I know admit that Vista is a sad joke. Recent service packs have improved the situation a little but it's still bad. And still people are buying Windows Vista Super-Duper-Non-Plus-Ultra-Ultimate-It-Rockzorz edition for like 150.-- bucks and more. And just like with Windows 95, Windows 98, Windows ME, Windows 2000, Windows XP, Windows Vista, the soon-to-be-unleashed-upon-mankind Windows 7 will be the "super-duper-best Windows ever". Really. Yes. Really. This time it will ..... It's amazing how people fall for it every time.

Read the stickies here. And I recommend hanging around in the forum and reading the threads people post. It's useful for learning.


+ 1000000000000 Awesome post, so true. :D

Microsoft finally after 30 or so years come up with a similar solution and now everybody believes that they "invented" that. :lolflag:

They did the same thing with the new Internet Explorer. It made me sick. They included a private browsing option, and made it out to be this new, high-tech thing, like they invented it. Firefox, Safari, and a couple others have had this feature (whether it was built-in or an optional add-on) for quite some time now. And of course, all of Microsoft's little sheep said, "Oh wow, that's so cool... modern technology is great!" Makes me so frustrated.

Okay, my rant is finished.

They did the same thing with the new Internet Explorer. It made me sick. You know what's really sad? All those people out there who honestly believe that Microsoft "invented" TCP/IP and the Internet ... and that the Internet's infrastructure (DNS servers, mail exchangers, most web sites ...) is Windows-based. That's where I go beserk. "Shut up, without Microsoft you would have no Internet today .... " ](*,)

They did the same thing with the new Internet Explorer. It made me sick. They included a private browsing option, and made it out to be this new, high-tech thing, like they invented it. Firefox, Safari, and a couple others have had this feature (whether it was built-in or an optional add-on) for quite some time now. And of course, all of Microsoft's little sheep said, "Oh wow, that's so cool... modern technology is great!" Makes me so frustrated.

Okay, my rant is finished.

They also stole the idea of tabbed browsing and browser extensions from Firefox as well.

And let's not forget that they stole virtual desktops from KDE/Gnome, albeit they were about 5 years late. :P


You know what's really sad? All those people out there who honestly believe that Microsoft "invented" TCP/IP and the Internet ... and that the Internet's infrastructure (DNS servers, mail exchangers, most web sites ...) is Windows-based. That's where I go beserk. "Shut up, without Microsoft you would have no Internet today .... "

Another similar "M$ invented it" thing I see is ASLR and DEP. Many people act like M$ invented these security technologies, when in fact both were first derived by the PaX team and added as patches to the LINUX kernel.

We could sit here all day and list things M$ stole from FLOSS and then have tried to pass it off as their own. And on top of that they have the audacity to claim they are going to sue FLOSS for patent violations. :lolflag:

On any Unix-like OS you could easily create a non-priviledged account and use it for web-browsing.

But you would have to either (a) run your desktop completely in that account (useless for day-to-day browsing), or (b) cope with xauth, and be unable to do things like save a file to your desktop from the browser. This is not within the realms of usability for a normal user.

You could hack up some workarounds, sure, or rewrite Firefox to support privsep. That's really the approach that IE's protected mode represents. But the underlying problem as I see it is that there's no concept of a user (or other security principal) being subordinate to another, in either the POSIX or NT security models.

I don't want to have to have to set up a limited account for each combination of user+application; this should, ideally, just happen automatically, to allow me to run software effectively in a sandbox, without having to worry if it's malware or not. This is a way off yet, but let's not pretend that the POSIX model is perfect and solves all problems (or is even really very usable at all for the average desktop user).

This is yet another example of Microsoft brainwashing.

Can we not discuss security models without an MS vs Linux flame war? Obviously I prefer the latter or I wouldn't be here. But that doesn't mean Windows is always wrong. Protected mode IE is a useful feature which no Linux currently has; it is already protecting Vista/Win7 users from many browser exploits. Yes, Firefox is a less awful browser than IE, and it's updated more punctually, and it's not such a big target. but that does nothing to protect us against plugin exploits, which are highly (and increasingly) widespread.

We now return you to your regular “LOLOLZ Micro$ucks” thread.

You all clearly have very strong feelings when it comes to windows and microsoft.

I hope i dont contribute to it to much.

I thought that the basic consept of the internet came about during world war 2 where a web of communication cables were set up and if the enemy damaged them because its in a web and other connection routs were present.

Honestly i never thought of microsoft as the inventor of anything, i still think of them as a monopoly. Unlike linux operating systems that are made for people by people who care about more than just emptying our pockets.

I thought that the basic consept of the internet came about during world war 2 where a web of communication cables were set up and if the enemy damaged them because its in a web and other connection routs were present.


The concept of the internet happened during the Cold War.
The internet was started around 1969 from a project called ARPANET I think.

The concept of the internet happened during the Cold War.
The internet was started around 1969 from a project called ARPANET I think.
Not quite - the Internet was the joining of Darpanet and Janet around 1988 but this went on until 1995, we were still using Janet addresses in 1995 at university in Scotland.

I thought that the basic consept of the internet came about during world war 2 Only very few computers even existed back then. They were big as apartment blocks and nobody had yet thought of networking them together.

The concept you describe is a child of the Cold War. The various network projects that finally became the Internet were indeed created with the idea in mind that they would remain operational even after taking several Soviet nuclear hits .... e.g. the computers would search for new routes after parts of the network were bombed to ashes, and so on.

"History of the Internet"
http://www.inetdaemon.com/tutorials/internet/history.shtml

Not quite - the Internet was the joining of Darpanet and Janet around 1988 but this went on until 1995, we were still using Janet addresses in 1995 at university in Scotland.

I'm talking about the first real network communications between UCLA and Stanford.
Basically the "start" of the internet. (the first network)

I'm talking about the first real network communications between UCLA and Stanford.
Basically the "start" of the internet. (the first network)

You are correct. The first remote communication between two remote machines using packet switching was done in 1969 between Stanford and UCLA. (Packet switching is the technology still used today). In the early days (early 70's), there were a number of different networks that used packet switching: ARPANet and X.25 being the major two. There was also the early "hobbyist" Internet protocol was known as uucp (Unix-To-Unix Copy Protocol) and FidoNet. It wasn't until the early 80's that TCP/IP became the standard protocol used (even though TCP/IP had been standardized in the 70's) and is about the same time the military took its systems off of ARPANET and created a private network known as MILNET. ARPANET then became solely for public use and by the late 80's all of these old networks began using TCP/IP and collectively became known as the Internet.

The Internet, at least as we use it today, was the brainchild of J.C.R Licklider who said back in the 1950's that he wanted a virtual library of information available at a computer terminal, and he further predicted that this would one day be in everyone's home.

From Wikipedia:

A fundamental pioneer in the call for a global network, J.C.R. Licklider, articulated the ideas in his January 1960 paper, Man-Computer Symbiosis.

"A network of such [computers], connected to one another by wide-band communication lines [which provided] the functions of present-day libraries together with anticipated advances in information storage and retrieval and [other] symbiotic functions."


No, I am not an Internet historian, I just play one on the Internet.

But you would have to either (a) run your desktop completely in that account (useless for day-to-day browsing) Not true.

or (b) cope with xauth, and be unable to do things like save a file to your desktop from the browser. Not true either. As for X: I can use "ssh -X". Voila. Done. Or I use VNC locally between two accounts. That would be a possibility too. And as for files and permissions and saving to desktop and what not: I could use NFS if I wanted. NFS works locally just as tip top as it does remotely. I could use the "mount" utility with the "--bind" option and mount arbitrary locations such as /home a second time under a different name and a different location. This works too. I could leave NFS and any additional mount-points away and simply use symbolic links. I could use ACL's. I could create some elaborate cron job that scans and analyses the stuff that just got downloaded and then places it into specific folders based on the analysis results .... The possibilities are endless.

This is not within the realms of usability for a normal user. Define "normal user" please? Linux is not Windows. Just because things are done slightly differently here doesn't mean they are "hard" or "impossible" to do. All it takes is a little bit of Googling, reading forums, reading tutorials, and a wee bit of experience. Voila. Done.

or rewrite Firefox to support privsep Why would I need to do that if the OS already supports that feature tip top? Unix-like OS such as all the GNU/Linux distros are multi-user systems. Always have been. Here it's nothing new to run processes under different user accounts with different priviledges all the time. Hint: Just take a look at your own /etc/passwd .... How many user accounts are there? One -- your own? Two -- you and "root" maybe? What do you think how many user accounts really exist on your system as of this very moment? :D You might be surprised.

There are things running on your very own system with priviledge separation all the time.

So why would I have to mess with the browser? What business does a browser have with knowing what priviledges are good or not? That's not the job of a browser. It's the job of the OS to do that.

This is yet another example of the horrible design Microsoft has put into people's heads. And I am tempted to call it "brainwashing" too. A web browser (= user space application!) messing with system priviledges == "normal". Oh dear. Yuck.

That's really the approach that IE's protected mode represents. And it's an ugly approach. A web browser is a user space application. Just like the "calculator" application. Or like any e-mail program. Or anything else that has no business of running with administrative priviledges ever. A web browser messing with system priviledges ... Come on. That's just a nightmare security- and OS-design wise.

But the underlying problem as I see it is that there's no concept of a user (or other security principal) being subordinate to another, in either the POSIX or NT security models. Some UNIX-like OS know the concept of "roles". Solaris for example. You have to be a member of a certain role in order to be able to do something. Even "root" can be subjected to this if you want to. The infinite powers the "root" account usually enjoys can effectively be eliminated with this. So that even "root" would first have to use "su -" and switch into a certain account and then into a certain role before he could perform certain actions. I know shops where they do this. It effectively cancels out any "root" exploits -- if ever something like this were to happen to them. So gaining "root" on such a system means nothing.

Ubuntu's security model "out of the box" is by far less elaborate ... but if you know how to put "su" and "sudo" to good use you could easily replicate this functionality. That's in fact what I do at work.

So instead of educating their users about better and more elaborate security models ("change into certain roles if you want to do cetain things ...") Microsoft let their security-nightmare web browser handle that. How wonderful.

I don't want to have to have to set up a limited account for each combination of user+application; And why should you need to? Fear of malware?

this should, ideally, just happen automatically, AppArmor and SELinux and other mechanisms that were already mentioned do a lot of that already automatically. If an application's profile says that it is not supposed to open an UDP port 1234 (just an example) then it will be effectively blocked from doing that.

to allow me to run software effectively in a sandbox, without having to worry if it's malware or not. Isn't that Windows thinking again? Why would I need to run "software in a sandbox" and why would I need to "worry if it's malware or not" on Linux? If you read the stickies and only really download applications via the package manager from the official repositories then this is a total non-issue.

Aside from that: You could always simply run a virtual machine, e.g. Xen which runs at nearly the native speed of the host OS. Great if you want Linux-on-Linux virtualisation (= a "sandbox") without the usual performance problems you'd normally associate with a VM.

but let's not pretend that the POSIX model is perfect and solves all problems (or is even really very usable at all for the average desktop user). It's not perfect but come on -- for the ordinary user it does what it has to do and is tip top usable.

Protected mode IE is a useful feature which no Linux currently has; We have a multi-user OS where we can anytime run any process with more or less priviledges as we wish. We don't need that Microsoft workaround, OK? That's what I am trying to tell you. A "protected mode IE" only makes sense on Windows because ordinary user accounts are running with administrative priviledges anyway and might thus easily become a victim of malware. That would be like running a web browser as "root" which is a seriously stupid idea (don't ever do this!). But on Linux it should usually be exactly the other way around. Normally you should be working on your non-priviledged account and only ever switch into "root" (e.g. via "sudo" or "gksudo" or whatever mechanism you have at your disposal) if you really really need to. Voila. Priviledge separation alive and kicking.

but that does nothing to protect us against plugin exploits, which are highly (and increasingly) widespread. Sticking to the repos and only installing things from there would eliminate that too. But OK ... yes, uninformed users might be tempted to do a "click here to install the missing plugin" and ooopsie ... But you said it yourself: No solution is perfect.

We now return you to your regular “LOLOLZ Micro$ucks” thread. :lolflag:

Some UNIX-like OS know the concept of "roles". Solaris for example. You have to be a member of a certain role in order to be able to do something.

Yes, but SELinux and Grsecurity also gives one this ability on Linux (they are both RBAC's). AppArmor is not a RBAC, though is still very effective for other things. And on BSD, you have "trusted-BSD" which works a lot like SELinux and "Trusted Solaris."

M$ is only now catching up to these ideas.

M$ is only now catching up to these ideas. My point exactly. They are playing "catch up" and everybody else thinks "Oh, new feature -- why doesn't Linux have that?". Or they have to come up with workarounds for quirks in their broken-by-design OS and some people go like "Oh cool -- a browser which doesn't run with administrative priviledges -- Why can't Linux have that?". Linux has it already. And Windows would have it too if their users were not administrator by default. Instead of correcting the default user's permissions they come up with this workaround (and that's what it is!) in their browser. It is Microsoft who are coming up with workarounds when it comes to "running stuff in a sandbox" ... not Linux.

The concept of the internet happened during the Cold War.
The internet was started around 1969 from a project called ARPANET I think.

A few people have stated i am incorrect and perhaps i am.

But there were many things that lead to current internet and am referring to a kind of communication network which is what the internet is but this was before computers were directly connected to it.

I know that my country used the code breaking computers during world war 2 the place where it was done is not to far from where i live.

Not quite modern internet but you can see its roots.

A few people have stated i am incorrect and perhaps i am.

But there were many things that lead to current internet and am referring to a kind of communication network which is what the internet is but this was before computers were directly connected to it.

I know that my country used the code breaking computers during world war 2 the place where it was done is not to far from where i live.

Not quite modern internet but you can see its roots.
You're talking about Bletchley Park (http://www.bletchleypark.org.uk/).

I know that my country used the code breaking computers during world war 2 Those computers were mechanical in nature.
http://en.wikipedia.org/wiki/Bombe

And yes, that's Bletchley Park. Has nothing to do with the Internet. Well ... at least not directly per se.

http://en.wikipedia.org/wiki/Alan_Turing

They also stole the idea of tabbed browsing and browser extensions from Firefox as well.

Oh, yeah, I forgot about that. I remember downloading Firefox because I heard of tabbed browsing, and I thought it was so cool. Then MS stole the idea for IE, and when my mom upgraded, she was all like, "Sean, come here! Look at this cool new thing Internet Explorer does!" This was before I knew about Linux and the open source community, but I was still slightly disgusted.

What an awesome thread! The information you guys are giving here has really captivated me, terminology... things I want to learn... it's amazing.

Just one question though. I understand that Free BSD is pretty much supposed to be as secure an OS as possible. Some people on this thread clearly seem to be experts in this field could you tell me if this is the case please:?:

What an awesome thread! The information you guys are giving here has really captivated me, terminology... things I want to learn... it's amazing.

Just one question though. I understand that Free BSD is pretty much supposed to be as secure an OS as possible. Some people on this thread clearly seem to be experts in this field could you tell me if this is the case please:?:
You mean like Open BSD - Only two remote holes in the default install, in a heck of a long time!

I understand that Free BSD is pretty much supposed to be as secure an OS as possible. You probably mean OpenBSD?

http://blogs.techrepublic.com.com/networking/?p=115

"Only two remote holes in the default install, in a heck of a long time!"
http://www.openbsd.org

OpenBSD Security
http://www.openbsd.org/security.html

The *BSD's makes for great firewalls, no question about that. If I am not mistaken "pfSense" is based on FreeBSD + OpenBSD:
http://www.pfsense.com/


BUT -- this does not mean that Linux's security is "bad" in any way. Between Windows and any BSD variant there is a trillion galaxies of differences when it comes to security .... But between Linux and BSD I'd say the differences are rather subtle. Linux's security is "superb", BSD's security "even a slight bit better than that".

If you want to look into BSD's I'd recommend one of the newer "beginner friendly" releases such as PC-BSD:
http://www.pcbsd.org/

PC-BSD is based on FreeBSD but it's very very nice and sweet to use.

You mean like Open BSD - Only two remote holes in the default install, in a heck of a long time! You beat me to it :D

You probably mean OpenBSD?

http://blogs.techrepublic.com.com/networking/?p=115

"Only two remote holes in the default install, in a heck of a long time!"
http://www.openbsd.org

OpenBSD Security
http://www.openbsd.org/security.html

The *BSD's makes for great firewalls, no question about that. If I am not mistaken "pfSense" is based on FreeBSD + OpenBSD:
http://www.pfsense.com/


BUT -- this does not mean that Linux's security is "bad" in any way. Between Windows and any BSD variant there is a trillion galaxies of differences when it comes to security .... But between Linux and BSD I'd say the differences are rather subtle. Linux's security is "superb", BSD's security "even a slight bit better than that".

If you want to look into BSD's I'd recommend one of the newer "beginner friendly" releases such as PC-BSD:
http://www.pcbsd.org/

PC-BSD is based on FreeBSD but it's very very nice and sweet to use.

Hey sorry yeah I meant Open BSD and yep thanks ddrichardson you got me heheh!

Hey but seriously thanks for the informed response scorp123 I'll take a look at PC-BSD as I am certainly a beginner in this :-) I'm not knocking any variation of Ubuntu BTW just find this topic really fascinating - thanks again :)

What an awesome thread! The information you guys are giving here has really captivated me, terminology... things I want to learn... it's amazing.

Just one question though. I understand that Free BSD is pretty much supposed to be as secure an OS as possible. Some people on this thread clearly seem to be experts in this field could you tell me if this is the case please:?:

Like others said, you are talking about OpenBSD. OpenBSD's track record is quite impressive. However, it's a very stripped down *server* OS without a whole lot of functionality out of the box. So, if you take that into consideration, this whole "2 remote exploits in over 10 years" thing is not as impressive as it seems at first glance. Two exploits in 10 years would be quite impressive indeed if it was a full featured desktop OS like Ubuntu.

That said, Ubuntu (or any Linux distro) can be made as secure, if not more secure, than OpenBSD. If one utilizes kernel patches like PaX, various compiler flags for SSP, and a MAC like SELinux, one can have a very secure system.

Isn't that Windows thinking again? Why would I need to run "software in a sandbox"

Sorry, but this is even worse than Windows thinking: it's Mac thinking. It's deciding that malware for OS X can't exist because it isn't widespread at the moment. But the Russians have recently started producing their fake codecs for Mac, and you can be sure they'll target Linux with fraudware and browser exploits as well should its popularity increase.

We have a multi-user OS where we can anytime run any process with more or less priviledges as we wish.Yes, Microsoft have that too you know. Both in a theoretical sense (NT can do it) and in a practical one (Vista and Win7 default to UAC). By complaining about running as admin you are firing at yesterday's target. The typical setup in XP was terrible for security, yes. But XP will go away (admittedly slowly).

Running as user is better than running as admin (and cleaner than the hack that is UAC). But malware can wreak quite enough havoc running as user: it can screw up everything a regular user can, which is a lot. Applications should run at a *lower* level than the user by default.

I can use "ssh -X". Voila. Done. Or I use VNC locally between two accounts.Either of those ways require either total separation, so you either can't save a file to your own Desktop or you have to rig up ludicrous workarounds as you suggested. Maybe there could be a standardised, automated way of doing that, but it's stilly pretty ugly.

I could use NFS if I wanted.Well, if you wanted to sacrifice the performance of your filesystem, yes. (And the security of your file permissions? Is this still as broken as it used to be?)

Define "normal user" please? Linux is not Windows.Do you want it to stay that way? Are you so élitist you don't want your mum to be able to use a Linux desktop?

The security process needs to be smooth at a desktop level, or it will just get turned off, as happened with the original Vista UAC. (Win7 is better in this regard and Linux's gksudo is also fine.)

Hint: Just take a look at your own /etc/passwd .... How many user accounts are there?Yes, per-program permissions exist on Linux in the server space implemented by privsep and extra accounts. But it should (far future but has to happen eventually) come to the desktop arena for all user-facing applications.

You *could* implement that with extra accounts, but it'd be ugly (and you'd get a users*apps combinatorial explosion in your passwd, which isn't ideal). You'd still not have a solution for automatically escalating rights, so that you could run a program with no rights and decide on-the-fly whether to trust it to do particular things when it felt it needed to.

What business does a browser have with knowing what priviledges are good or not? That's not the job of a browser. It's the job of the OS to do that.That's what I'm saying. Standardise distribution and granular escalation of privileges at the OS level, don't rely on each application to implement privsep correctly.

A web browser messing with system priviledges ... Come on. That's just a nightmare security- and OS-design wise.Actually Protected Mode IE is done at the OS level too. IE is just marked as ‘untrusted’ and lets the OS take care of what it should be allowed to do. When it wants to escalate it just spawns a process and lets the OS (via registry settings and potentially a user prompt) decide whether that process should get restricted or user-level rights. IE itself knows nothing about system privileges.

It's implemented as ‘integrity levels’ that don't really integrate with the NT security principal system as such; like UAC it's a bit of an ugly hack, but in this case the end result is quite effective.

So that even "root" would first have to use "su -" and switch into a certain account and then into a certain role before he could perform certain actions.Yeah, I've used systems like this. That's not what I'm aiming at though. All these approaches are based on the idea that the user is dangerous and should have his capabilities reduced, whilst programs are completely trustable tools that the user totally understands. But in reality it's more likely to be the program, not the user, whose trust is questionable.

J Random Desktop User wants to run MyNewAmazingMessenger from UnknownSoft because his friend says it's good. Does he trust its authors not to log all his keypresses and delete all his files? No. But he has no other choice but to give it that opportunity in the current desktop environments.

AppArmor and SELinux and other mechanisms that were already mentioned do a lot of that already automatically. If an application's profile says that it is not supposed to open an UDP port 1234 (just an example) then it will be effectively blocked from doing that.Then make this usable on the desktop because today it's not (SELinux in particular is barely usable full stop). Make new applications have a restrictive profile by default and allow an everyday user to decide that an application may or may not open UDP port 1234 as and when it tries to, without having to grant it permission to rmrf-home at the same time.

If you read the stickies and only really download applications via the package manager from the official repositories then this is a total non-issue.Sure. The official repos are great and protect Linux users not just from security problems but also some of the user interface chaos where Windows applications fight to promote themselves over the desktop.

But repos can't cover everything a user might want to download. As for me, I have to run Skype and Flash from their vendors' binaries, but I really don't trust them at all because those companies have a history of dodgy code and behaviour. I wish I could give them reduced privileges without them just falling over.

And repos don't magically fix unpatched browser/plugin security holes that are being exploited in the wild.

Aside from that: You could always simply run a virtual machineYes, of course *I* do — several. Again, it's not a solution I can offer to J Random Desktop User.

Like others said, you are talking about OpenBSD. OpenBSD's track record is quite impressive. However, it's a very stripped down *server* OS without a whole lot of functionality out of the box. So, if you take that into consideration, this whole "2 remote exploits in over 10 years" thing is not as impressive as it seems at first glance. Two exploits in 10 years would be quite impressive indeed if it was a full featured desktop OS like Ubuntu.

Hi Rookcifer thanks for the info :)
I had heard as you mentioned that it is very "stripped out" OS, in my limited understanding I believe that the more software on the system equals more coding and therefore more exploits?! I saw a lecture on YouTube where bob beck was talking about bloating and the VFS layer and vnodes... umm.

That said, Ubuntu (or any Linux distro) can be made as secure, if not more secure, than OpenBSD. If one utilizes kernel patches like PaX, various compiler flags for SSP, and a MAC like SELinux, one can have a very secure system.

Thanks for the references, I shall be looking into them, I swear this stuff just gets more and more interesting the more you learn. Bit like all aspects of Linux I suppose :)

Of the lot, AppArmor is probably the least hassle.

+1

On desktops I prefer Apparmor , on servers SElinux.

But the Russians have recently started producing their fake codecs for Mac, and you can be sure they'll target Linux with fraudware and browser exploits as well should its popularity increase. Yes, I am aware of this (fake codecs on Mac tricking users to type in their "sudo" password ...). But what's wrong with simply clicking on "Guest Session" on that login/logout applet in the upper right of every Ubuntu standard desktop? You could use that. It's dead-simple to use.

or you have to rig up ludicrous workarounds as you suggested. Those workarounds are in not "ludicrous" in any way, they consist more or less of a few standard commands that anyone with enough experience can easily implement. Less experienced users can simply use the "Guest Session" and use any program they wish in there.

Besides: Aren't you contradicting yourself a little? If you wish to run stuff such as a web browser in a sandbox or guest session then why even be able to save potentially harmful files to your own desktop? What's the difference if you get infected by something right away by running your browser under your own account or running your browser inside a sandbox or a guest session, downloading stuff onto your desktop and then getting infected by this stuff afterwards?

Security wise _NOT_ being able to store files outside of the sandbox or guest session makes far more sense.

Well, if you wanted to sacrifice the performance of your filesystem, yes. Sorry, I don't see the connection here. See above. UNIX-like OS were designed from the ground up to be multi-user and multi-tasking capable. A local NFS share has no bigger performance hit on your system than has downloading a few files in the background.

(And the security of your file permissions? Is this still as broken as it used to be?) Not really an idea what you're referring to here ... If I control both ends of a NFS client+server relationship I can do with the permissions whatever I want. So any problems you might associate with NFS like user ID screw up's (because they might not be the same on both ends) is non-issue here.

Do you want it to stay that way? One Windoze is perfectly enough. We don't need Linux to become another one.

Are you so élitist you don't want your mum to be able to use a Linux desktop? Again no idea what you're talking about. My Mom is 60 and she is using Linux. So is my Dad. He too is 60. He even uses it on his job because his employer --the Swiss Canton of Solothurn-- migrated to Linux too.

You can read about it here:
http://www.osor.eu/news/ch-solothurn-canton-migrates-desktops-to-open
http://times.debian.net/1224-Solothurn,-CH,-is-migrating-2000-desktops-to-Debian-migrating-2000-desktops-to-Debian

My wife too is using Linux on her Asus 900 netbook. She uses it every day to chat with her parents who live 1200 km away in Bosnia. Her Mom is 70 and her Dad is even 75. They too use Linux. I know because I installed it for them a few months ago. They use it day and night. Right now as I am typing this I can hear my wife chatting with them via Skype and discussing the pictures she just sent them via Dropbox ...

So your point is ... what exactly?

Please face the truth. "Joe User" and "Grandma Smith" have no troubles whatsoever using Linux. At all. It's Windows converts who expect to find a "2nd Windows" or a "better Windoze than Windoze". That's not the point of Linux and hopefully never will be.

Please read this if you haven't already:

"Linux is not Windows"
http://linux.oneandoneis2.org/LNW.htm


You'd still not have a solution for automatically escalating rights, so that you could run a program with no rights and decide on-the-fly whether to trust it to do particular things when it felt it needed to. OK; that's true. Right now you'd have logout + login or "su -" to another account or whatever.

Actually Protected Mode IE is done at the OS level too. OK ... thanks for correcting me then.


Then make this usable on the desktop because today it's not (SELinux in particular is barely usable full stop). Agreed.

As for me, I have to run Skype and Flash from their vendors' binaries, but I really don't trust them at all because those companies have a history of dodgy code and behaviour. I wish I could give them reduced privileges without them just falling over. OK ... I see.

Again, it's not a solution I can offer to J Random Desktop User. Why not? My Dad has to access some web pages that only really work with Internet Explorer 6 (stupid coding on those pages and using ActiveX controls and what not pretty much make sure that those pages he needs to access won't ever run on anything else ...) .... So I installed it for him. Remotely even via SSH. He doesn't really care how I did it (... http://www.tatanka.com.br/ies4linux/page/Main_Page ...), all he wants and cares about is that blue "e" icon on his desktop so he can get the stuff done. So "Joe User" might not always be able to do such stuff himself... but he can simply ask his friendly neighbourhood geek and such things will be done for him. Or you come to the forums here and ask your questions here ...

My personal experience is that "J Random Desktop User" doesn't care one little bit if the OS on their computer is behaving like Windows or not or if it's some form of Linux or not for as long as they can get the job done. In that regard total computer illitterates like my Mom and my wife and her parents are very happy Linux users ... because they have not been exposed to _ANY_ computer before in their lives they don't have the slightest little bit of expectation _HOW_ something is "supposed to" work or look like. They don't care one little bit that it is different from Windows .... because they don't even know what "Windows" is supposed to look like.

So I find your arguments up there that Linux might be too hard for the "Grandma Smithie" type of user quite a bit exaggerated ... My personal experience tells me the total opposite.

Windows was never meant to exist in a network world. This is the reason so many exploits even from the earliest versions still are here even in Windows 7. Linux on the other side is something that was born in the network and is developed by the whole world. Even Microsoft can't afford so many specialists.
About your question on safe networking - just install the NoScript plugin in firefox. That is all you need.

Once I started using NoScript I was amazed at how much security it adds to Firefox. Full control over java and javascript-awesome. I love using Ubuntu and linux in general because I don't have to worry if my browser is secure enough or if my firewall is sufficient enough. Ubuntu comes with no open ports so what's not to love :)