Ubuntu/Linux/Windows and Viruses/Malware
LordHunter317
December 8th, 2005, 07:08 PM
Ok, now I'm really tired of that topic, but just as an fyi:
I never, ever claimed the underlying applications were broken,
Yes, you did. I've quoted you several times on it.
I claimed that an OS that has dozens of services running and listening on the network is poorly designed, to put it mildly.
Which is the same thing as saying the applications underlying the firewall.
And how is that statement isn't what you said, and even if it were, how are "I never, ever claimed the underlying applications were broken," and "I claimed that an OS that has dozens of services running and listening on the network is poorly designed," not contradictory? If we saying the underlying application is the OS (which is what I meant) then they are.
Nevermind neither is actually what you said. You keep deflecting your own statements because you know they're false, and because you think if you keep running circles around the actual definitions you can find an escape route.
I'm still waiting for that IPC vs. RPC explanation, BTW.
And you accused me of typical trolling behavior :rolleyes: At least I don't run from topic to topic whenever someone points out an error.
And if I'm attacking a strawman, what's your stronger point then?
Knomefan
December 8th, 2005, 07:12 PM
Sorry, I thought the plural implied there were several and so I assumed you were talking about the services in question, not the underlying OS.
As to RPC and IPC, first off, you started making wild claims about dbus and dcop without backing them up, so if anything, you should explain why an RPC listening on the network by default and an IPC that can theoretically listen on the network are one and the same thing.
LordHunter317
December 8th, 2005, 07:19 PM
As to RPC and IPC, first off, you started making wild claims about dbus and dcop without backing them up,
:rolleyes: The claim DCOP is RPC by definition isn't wild:
DCOP: Desktop COmmunications Protocol (http://developer.kde.org/documentation/other/dcop.html)
DCOP is a simple IPC/RPC mechanism built to operate over sockets. Either unix domain sockets or tcp/ip sockets are supported. DCOP is built on top of the Inter Client Exchange (ICE) protocol, which comes standard as a part of X11R6 and later.
(emphasis mine) Nevermind the fact that ICE can be used by X11 clients on different machines, so it is also RPC.
Like I said, proof by definition. It's not like the protocol paper defines the protocol or anything.
so if anything, you should explain why an RPC listening on the network by default and an IPC that can theoretically listen on the network are one and the same thing.
Because I've yet to see a universally acceptable definition of RPC that says it must listen on the network.
Even 'define: RPC' in Google isn't consistent on the point it must be cross-machine.
Your entire point is based on that simple default, and you've yet to show any reason why we should delineate on that. People far smarter than you and I do not delineate based on that simple default, so I see no reason to either.
prizrak
December 9th, 2005, 01:47 AM
There is definitely a huge difference between design and implementation. The RPC protocols are DESIGNED for data interchange (the most basic definition). They can be IMPLEMENTED in different ways, in Ubuntu (not even all Linux) the RPC is implemented not to listen on the network by default, and if it does (NFS) you get to tell it which hosts are allowed to use it (/etc/export(s?)). In Windows however the RPC is implemented to listen on the network and is not nearly as restrictive as the way Ubuntu (Linux?) does it. This is clearly not a design issue. Making an OS less prone to attacks by using a firewall is a valid way of securing it, I run firewall on both my Ubuntu boxes and my wi-fi is restricted to only let machines with certain MAC addresses on, this doesn't mean wi-fi has crappy design.
LordHunter317
December 9th, 2005, 02:20 AM
the RPC is implemented not to listen on the network by default, and if it does (NFS) you get to tell it which hosts are allowed to use it (/etc/export(s?)).
Saying it is configured, rather than implemented, would be more appropriate.
Even this isn't 100% correct. While you can control what hosts can mount NFS mounts based on IP and while most Sun RPC services obey tcp_wrappers, this isn't a complete solution. The service still has to make the libwrap calls. This still doesn't completely eliminate your attack service: you can still be compromised by bad code pre-access check (one would hope no communication goes on before this check, however).
In the case of the blaster worm, RPC was exploited before any access checks were enforced. Its access checks are user-based, not IP-based, to be fair. However, the point to be illustrated is the mere presence of access checks doesn't help you unless they're programmed correctly.
imrumpf
December 10th, 2005, 01:16 AM
New to the forums here, just a small request.
The very first post I think was quite simple and easy to follow and seemed to have a logical explanation of why things worked a certain way. LordHunter, instead of attacking people and providing snippets of your theories and views, would it be possible to write something for me (and the rest of us) some of the similarities, differences and reasons why one would be better than the other in certain situations? Maybe if the whole story was together in one post without references to "trolling" and "you can't read" and "you are absolutely wrong" I'd be able to understand things better. I recently switched over to Ubuntu and just the way it works by asking for the root password for critical changes makes me feel like the system is slightly more secure than Windows XP.
I'd love a little story much like the first post to help me out.
LordHunter317
December 11th, 2005, 01:36 AM
The very first post I think was quite simple and easy to follow and seemed to have a logical explanation of why things worked a certain way.
While reasonable, it's not consistent with reality.
LordHunter, instead of attacking people and providing snippets of your theories and views, would it be possible to write something for me (and the rest of us) some of the similarities, differences and reasons why one would be better than the other in certain situations?
I have. Read my posts carefully: I point out the technical and logical errors. I've hardly attacked anyone.
Maybe if the whole story was together in one post without references
That would be extremely difficult. If you want to understand how operating systems work, read an operating systems text. If you have a specific question, I'll be happy to answer for you. Just simply pontificating on a subject isn't my style, and frankly, I wouldn't even know where to begin.
to "trolling" and "you can't read"
Well sadly, some people seem to be following such behaviors, and I felt the need (perhaps to the detriment of the subject matter of the thread) to point it out. It's frustrating when people cannot take the time to properly form a response and rehash subjects that had already been answered and dropped. Probably the only thing I really hate more than anything on the Internet is having to repeat myself, especially on a forum. The text is right above you...
I recently switched over to Ubuntu and just the way it works by asking for the root password for critical changes makes me feel like the system is slightly more secure than Windows XP.
For an average user, running in an unprivileged account that asks you privileges makes life easier. It only makes life secure if you follow the XP default and run as an Administrator.
If you run as an unprivileged account, then your Windows account is (more or less) as limited as your Ubuntu account: it can't do anything to other accounts or the rest of the system. The impact of any virus, malware, or spyware is quite limited; essentially, it can only affect your own files.
The problem with this is that you cannot perform administrative actions in that account except via runas, which is equivalent to the UNIX traditional command su. Also, it's not the XP default, which I don't agree with.
However, it can be done. The XP method is just far less convenient. This is something Windows intends to rectify in Vista with LUA, but we'll see how secure it is. I'm cautious to say the least.
imrumpf
December 13th, 2005, 11:25 PM
LordHunter, great response, it helped me a lot. Just one last confusion, when we were talking about the viruses infecting the computer, you had jotted down this script:
#!/bin/sh
echo "HAHA YOU RAN THE HAHA VIRUS"
rm -rf /*
I looked into rm -rf on google and from what I gather it is the equivalent of doing a "format c:/FS:NTFS" in windows. But in the case of ubuntu, you need the password. I found a site of a personal experience of XP Pro Vs. Ubuntu and I had a few quotes from the site...
"I came up with "del /F /S /Q *" [for windows]. Linux was a no brainer. All I had to do was escalate my permissions with sudo (http://www.courtesan.com/sudo/), "sudo rm -Rf *" to be exact. Well, that did the trick on both systems with one caveat. Linux would not continue with the command until the root password was entered. Windows, on the other hand had no problems going to town unlinking files after the [Enter] key was struck."
"The default install of Windows does not prompt for a password to be created for the primary user. It also is set to auto-logon, even after Service Pack 2 is installed. This means, for a default install of Windows, anyone can walk up, type "del /F /S /Q *", and your system will be hosed. Ubuntu, like most Linux distributions, set up a password for the primary user right away during installation. The primary user's password is required to do anything beyond the single users's environment, so why a user may screw up their own files, they won't destroy the system (which may contain tools which allow them to recover their files)."
also on the site...a comment....
MeDevil on October 28, 2004 07:08:13AM
What about security? if you didn't have sudo permissions you won't do anything... and as you said, linux enforces you to have a root password, while "administrator" password in windows can be simply empty...
So TECHNICALLY, would this imply that linux has better security? Not perfect, I agree, but it is a lot harder for a virus or some malware to affect the system, as the basic setup (the design of it to be more precise) requires user intervention to actually make some damage in Ubuntu. (unless you stupidly log in as root)
Here's a link for reference.
http://hohle.net/scrap_post.php?post=23&m=full
EDIT: Forgive me if i'm just trolling, as I sometimes miss the point meant in earlier posts. Also read the comments on the page before replying, some of them were very informative for me.
prizrak
December 14th, 2005, 10:24 AM
imrumpf:
The point of the script was to illustrate that a piece of malware (virus, worm, trojan, etc...) could be as simple as a bash script which would run on just about any distribution (as most use bash). It was posted in response to me saying that the amount of different distributions makes it harder to write virii since each one is set up differently.
What about security? if you didn't have sudo permissions you won't do anything... and as you said, linux enforces you to have a root password, while "administrator" password in windows can be simply empty...
The point of the thread was that design of Linux is superior, in terms of security, to Windows (XP in this case since it's the latest). LordHunter pointed out that the design of both systems is essentially the same. The difference was mostly in defaults and implementation of both OS's. Linux is configured better than XP, as it doesn't allow you to have a blank Admin password and in the case of Ubuntu you don't even have a root account. Linux also forces you to run as an unprivileged user most of the time, basically you only have full access when you need it. In Windows your default user account has full Admin access to the system at all times (which is not necessary) making it a less secure configuration. The design is essentially the same, one user cannot touch another user's files unless he/she has admin/root privileges.
imrumpf
December 14th, 2005, 10:34 AM
The point of the thread was that design of Linux is superior, in terms of security, to Windows (XP in this case since it's the latest). LordHunter pointed out that the design of both systems is essentially the same. The difference was mostly in defaults and implementation of both OS's. Linux is configured better than XP, as it doesn't allow you to have a blank Admin password and in the case of Ubuntu you don't even have a root account. Linux also forces you to run as an unprivileged user most of the time, basically you only have full access when you need it. In Windows your default user account has full Admin access to the system at all times (which is not necessary) making it a less secure configuration. The design is essentially the same, one user cannot touch another user's files unless he/she has admin/root privileges.
Does this mean that based on DEFAULT configurations, the proper response to "FYI- Linux security versus Windows security" would be that Ubuntu is more secure? I understand that both can have more security (what's more secure than not being plugged into a network at all?:p) but Windows is harder to secure and you have to constantly be weary (sp?) of malware. are my assumptions correct?
LinuxSwede
December 14th, 2005, 10:41 AM
Does this mean that based on DEFAULT configurations, the proper response to "FYI- Linux security versus Windows security" would be that Ubuntu is more secure? I understand that both can have more security (what's more secure than not being plugged into a network at all?:p) but Windows is harder to secure and you have to constantly be weary (sp?) of malware. are my assumptions correct?
Yes, OOB (Out Of the Box) Ubuntu is more secure, it's also a lot more secure than many other distros. Windows isn't hard to secure, but it's definitely harder than Ubuntu.
However, the reasons for it are NOT the ones mentioned in the OP which is completely incorrect.
If i want maximum security i won't use either though.
imrumpf
December 14th, 2005, 10:59 AM
If i want maximum security i won't use either though.
Mind I ask what you would prefer using then?
Goddess_of_Linux
December 14th, 2005, 11:33 AM
Yes, OOB (Out Of the Box) Ubuntu is more secure, it's also a lot more secure than many other distros. Windows isn't hard to secure, but it's definitely harder than Ubuntu.
However, the reasons for it are NOT the ones mentioned in the OP which is completely incorrect.
If i want maximum security i won't use either though.
I broke ubuntu 5.04 and 5.10, Fedora 4, and SuSE 10.0 with a virus that I created... It only took about 36 to 48 hours to design all the code. The only thing was that I told it to delete all the /boot files as root, had it translate the passwd and shadow files to gain root level access. I should say I didn't do it by myself about 7 of us actually wrote this one that we used on my system.
Then after a reinstallation, I had to find a way to protect myself from that program. It took 4 weeks and my system still has security holes...
Windows was easy to break granted because I did on my own... Windows was easier to secure and when secured is practically invulnerable than before.
Knomefan
December 14th, 2005, 11:34 AM
I broke ubuntu 5.04 and 5.10, Fedora 4, and SuSE 10.0 with a virus that I created...
Please post the code.
Thanks
LinuxSwede
December 14th, 2005, 11:38 AM
Mind I ask what you would prefer using then?
OpenBSD
LinuxSwede
December 14th, 2005, 11:41 AM
Please post the code.
Thanks
Seconded and i'm NEVER going to let this go either.
Goddess_of_Linux
December 14th, 2005, 11:42 AM
OpenBSD
Mine probably FreeBSD because of the rarity... Sorry it was a collaborated thing and we agreed to not share the code with anyone else.
You may try to stand me down that we didn't do that. But me and a few friends that visit this forum every now and then and a few Windows Only users as well as an old mentor that has used Unix for decades were the ones that wrote this.
Knomefan
December 14th, 2005, 11:53 AM
Mine probably FreeBSD because of the rarity... Sorry it was a collaborated thing and we agreed to not share the code with anyone else.
Ah, I see. But maybe you can at least describe to us what kind of attack this virus used, what vulnerabilities it exploited, etc.
Thanks.
imrumpf
December 14th, 2005, 11:58 AM
The homemade virus that was written, was it tested on FreeBSD? if the virus is unable to run on that system, it might just make me think about adding that OS to my bootlist to use as well as Ubuntu (I love ubuntu and can't get rid of it :p)
LinuxSwede
December 14th, 2005, 11:59 AM
Mine probably FreeBSD because of the rarity... Sorry it was a collaborated thing and we agreed to not share the code with anyone else.
You may try to stand me down that we didn't do that. But me and a few friends that visit this forum every now and then and a few Windows Only users as well as an old mentor that has used Unix for decades were the ones that wrote this.
Well, I'd say that FreeBSD's security is below that of Ubuntu OOB and that if obscurity is something you are looking for then OpenBSD would be a better option anyway.
And I won't let this go, do what Knomefan suggested then, considering your other posts and the fact that you'd use FreeBSD because of its obscurity I'd say you don't know your butt from your elbow when it comes to security.
prizrak
December 14th, 2005, 02:19 PM
The homemade virus that was written, was it tested on FreeBSD? if the virus is unable to run on that system, it might just make me think about adding that OS to my bootlist to use as well as Ubuntu (I love ubuntu and can't get rid of it :p)
For a home user Ubuntu is all the security you would need. BSD's tend to be used in production machines and aren't all that easy to deal with (I tried) they do come with a GUI though :) OS X is actually BSD based (can't remember which one though)
Optimal Aurora
December 14th, 2005, 03:24 PM
OSX is darwin BSD based... You can find out more at www.opendarwin.org ...
Not everyone shares code for the reason that it can do more harm than good. You people with open source seem to forget that close source in lots of ways is good too... Take OSX for example, the majority of it is open, but OSX kernel and specific programs will not run on Open Darwin or Darwin...
Good girl, Lisa...
Miguel
December 14th, 2005, 03:37 PM
The only thing was that I told it to delete all the /boot files as root, had it translate the passwd and shadow files to gain root level access.
Right. If I understand it (I can be wrong), passwords are encrypted using prime multiplication, so that the passwords are found by factoring the numbers appearing in /etc/shadow. Is it right?
Then, what you did is basically a brute force attack... which would be alright if the passwords were short/weak or a sha bug was found or you had a quantum computer, since prime factoring is an O(N!) algorithm in a classical computer (mathematicians and the CIA will love you if you prove otherwise).
Miguel
December 14th, 2005, 03:39 PM
OSX is darwin BSD based... You can find out more at www.opendarwin.org ...
Not everyone shares code for the reason that it can do more harm than good. You people with open source seem to forget that close source in lots of ways is good too... Take OSX for example, the majority of it is open, but OSX kernel and specific programs will not run on Open Darwin or Darwin...
Good girl, Lisa...
IIRC, the Mac OS X kernel is actually darwin and is OSS. At least, typing uname -a will show Darwin somewhere.
jobezone
December 14th, 2005, 03:45 PM
Let us not forget that there are a number of limited internet activations for windowsXP, meaning, if you keep having to reinstall windows every other month, one day you won't be able to activate it on-line anymore( This happened to my father).
jobezone
December 14th, 2005, 03:58 PM
Yes, you did. I've quoted you several times on it.
Which is the same thing as saying the applications underlying the firewall.
And how is that statement isn't what you said, and even if it were, how are "I never, ever claimed the underlying applications were broken," and "I claimed that an OS that has dozens of services running and listening on the network is poorly designed," not contradictory? If we saying the underlying application is the OS (which is what I meant) then they are.
Nevermind neither is actually what you said. You keep deflecting your own statements because you know they're false, and because you think if you keep running circles around the actual definitions you can find an escape route.
I'm still waiting for that IPC vs. RPC explanation, BTW.
And you accused me of typical trolling behavior :rolleyes: At least I don't run from topic to topic whenever someone points out an error.
And if I'm attacking a strawman, what's your stronger point then?
While it might not be a sign of broken design, both of the OS as a whole, or specific underlying applications, it is a sign of broken idea.
When WindowsXP was coming out, a lot of people in the internet and security "circles" (well, at least a few I remember reading about) pleaded to microsoft _not_ to have those ports open by default. Microsoft said that their windows XP would be internet-ready, and some other crap.
As thousands of windowsXP got installed and used, thousands of computers got on the internet with many ports open, just ready for a flaw to be found. The result was as predicted: millions of windowsXP machines being used for spam and other kinds of operations.
Goddess_of_Linux
December 14th, 2005, 04:06 PM
If that is true then I should had to do something different, but I haven't had to do that yet... It is suppose to be 5 times in 6 months. I had to reinstall about 8 or 9 times in one 6 month period...
I'm surprised, that you use your name Aurora...
later...
Lisa...
jobezone
December 14th, 2005, 04:11 PM
But did you activate it with internet every time you reinstalled?
Well, my father had this problem. I didn't even know that if he waited, he could re-use again. That's better, but it's still a big limitation.
Knomefan
December 14th, 2005, 04:18 PM
IIRC, the Mac OS X kernel is actually darwin and is OSS. At least, typing uname -a will show Darwin somewhere.
Yep.
Darwin == Mach kernel + BSD userland
OSX == Aqua + Darwin
But hey, ower ub0rhax0r ladys who "translate shadow" probably know better. :grin:
prizrak
December 14th, 2005, 04:26 PM
But did you activate it with internet every time you reinstalled?
Well, my father had this problem. I didn't even know that if he waited, he could re-use again. That's better, but it's still a big limitation.
You can activate it over the phone without any problems, it's a PITA for sure.
Knomefan
December 14th, 2005, 04:26 PM
Not everyone shares code for the reason that it can do more harm than good.
That's right. Especially as the code in question seems to be uber1337 code (translate to, it doesn't exist)
You people with open source seem to forget that close source in lots of ways is good too...
Do I? Do you know me?
But whatever might be the case here, I'm pretty sure code that doesn't exist can be good too, right? :D
Take OSX for example, the majority of it is open, but OSX kernel and specific programs will not run on Open Darwin or Darwin...
Good girl, Lisa...
The kernel is open too.
How about educating yourself before trying to defend an other (the same troll) the next time around?
LordHunter317
December 14th, 2005, 04:48 PM
I looked into rm -rf on google and from what i gather it is the equivalent of doing a "format c:/FS:NTFS" in windows.
Nope, more like the delete command you provided yourself below.
But in the case of ubuntu, you need the password.
To delete the whole system, sure. To delete just your files, no. Which is no different from running as a limited user on Windows and performing the same antic. Well, there's one minor difference: files currently open and in use cannot be deleted, period.
MeDevil on October 28, 2004 07:08:13AM
What about security? if you didn't have sudo permissions you won't do anything... and as you said, linux enforces you to have a root password, while "administrator" password in windows can be simply empty...
For starters, you can have an empty root password. Any account can be empty. You do have to edit /etc/shadow manually AFAIK.
So TECHNICALLY, would this imply that linux has better security?
Nope, simply better defaults. And as I've said before, Windows XP default of creating the first account as an Administrator isn't a good security decision. Microsoft made the choice of usability over security.
But nothing is stopping you from creating a limited account and using it for your daily actions and only logging in as Administrator where necessary. And if you do so, you'll find the damage you can cause is far, far less.
The point of the thread was that design of Linux is superior, in terms of security, to Windows (XP in this case since it's the latest). LordHunter pointed out that the design of both systems is essentially the same.
Well, I should say the model is the same, which yields the same design in a host of places. I haven't been clear on that distinction and I probably should be. There are plenty of design differences in how security checks are modeled and implemented. NTFS for example, only uses ACLs and uses them all the time. Windows NT doesn't have that many non-ACL controls.
and in the case of Ubuntu you don't even have a root account.
You do, it's just not interactive. Much like SYSTEM on Windows, which is the true root equivalent.
I broke ubuntu 5.04 and 5.10, Fedora 4, and SuSE 10.0 with a virus that I created... It only took about 36 to 48 hours to design all the code. The only thing was that I told it to delete all the /boot files as root, had it translate the passwd and shadow files to gain root level access.
What method did you use for cracking /etc/shadow? And how did you acquire it without root access in the first place?
I smell a troll.
OpenBSD
Has the same model as Windows and Linux. That being said, their implementation of a lot of things is far superior. It's also worse in a lot of areas, especially on the desktop.
Right. If I understand it (I can be wrong), passwords are encrypted using prime multiplication, so that the passwords are found by factoring the numbers appearing in /etc/shadow. Is it right?
Nope, passwords in /etc/shadow are stored using salted MD5 by default (these days, certainly Ubuntu default). Unless you get lucky and find a colliding hash (not likely, but not impossible) or have a huge rainbow table (16^64, doesn't exist, non-trivial to generate, not even sure how you'd store such a monster) you basically have to get lucky. That ignores the fact you have to have root in the first place to even look at /etc/shadow, which is why I smell troll.
A virus that has to be run as root to crack passwords isn't very interesting. It can already do whatever it wants.
LordHunter317
December 14th, 2005, 05:02 PM
I should point out a slight error in my last post: to defeat a salted password implementation, assuming no algorithm weaknesses, you need two rainbow tables: a 16^2*n (where n is the number of nibbles generated by the hash, 32 for MD5) and a normal rainbow table for the actual password. And that's assuming only one round: the difficulty can be increased exponentially simply by raising the number of rounds and using a new salt in each round.
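Added example, not written by anyone in this thread: a small audit of /etc/shadow-format lines covering the points in the two posts above (an empty password field, a locked non-interactive account such as Ubuntu's root, and the salted `$id$salt$hash` layout). The sample lines, user names and hash placeholders are constructed; flagging md5-crypt and DES as legacy is this example's own policy choice.

```python
"""Audit /etc/shadow-format lines: account state, hash scheme, salt."""
from dataclasses import dataclass
from typing import Optional

# Scheme ids used in the $id$salt$hash layout of crypt(3) password fields.
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
LEGACY = {"md5-crypt", "des-crypt"}  # assumption: this audit's own policy

# Constructed sample input; the hash parts are placeholders, not real hashes.
SAMPLE = """\
root:!:13131:0:99999:7:::
daemon:*:13131:0:99999:7:::
alice:$1$Qz8rT1ab$PLACEHOLDERHASHAAAAAAAAA:13131:0:99999:7:::
carol::13131:0:99999:7:::
dave:$6$rounds=5000$n3Wq0sLt8Fzy$PLACEHOLDERHASHBBBBBBBBB:13131:0:99999:7:::
erin:!$1$Hk2mV9cd$PLACEHOLDERHASHCCCCCCCCC:13131:0:99999:7:::
"""


@dataclass
class Entry:
    user: str
    state: str                    # "empty", "locked" or "hashed"
    scheme: Optional[str] = None
    salt: Optional[str] = None
    rounds: Optional[int] = None


def parse_hash(field):
    """Return (scheme, salt, rounds) for the hash part of a password field."""
    if not field.startswith("$"):
        # Traditional DES crypt: 13 characters, the first two are the salt.
        if len(field) == 13:
            return "des-crypt", field[:2], None
        return "unknown", None, None
    parts = field.split("$")      # ['', id, (rounds=N,) salt, hash]
    scheme = SCHEMES.get(parts[1], "unknown")
    rest = parts[2:]
    rounds = None
    if rest and rest[0].startswith("rounds=") and rest[0][7:].isdigit():
        rounds = int(rest[0][7:])
        rest = rest[1:]
    if scheme == "unknown" or len(rest) < 2:
        return scheme, None, rounds
    return scheme, rest[0], rounds


def parse_line(line):
    """Parse one shadow line into an Entry."""
    fields = line.split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow-format line: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":
        return Entry(user, "empty")
    locked = pw[0] in "!*"        # a leading ! or * disables password login
    body = pw.lstrip("!*")
    if not body:
        return Entry(user, "locked")
    scheme, salt, rounds = parse_hash(body)
    return Entry(user, "locked" if locked else "hashed", scheme, salt, rounds)


def audit(text):
    """Return (user, finding) pairs for accounts that need attention."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e.state == "empty":
            findings.append((e.user, "empty password field: no password required"))
        elif e.state == "hashed" and e.scheme in LEGACY:
            findings.append((e.user, "legacy hash scheme " + e.scheme))
        elif e.state == "hashed" and e.scheme == "unknown":
            findings.append((e.user, "unrecognised password field"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(user + ": " + finding)
```

Reading the real file needs root, which is the point made above: on a live system this runs under sudo against /etc/shadow.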
LinuxSwede
December 14th, 2005, 05:10 PM
If that is true then I should had to do something different, but I haven't had to do that yet... It is suppose to be 5 times in 6 months. I had to reinstall about 8 or 9 times in one 6 month period...
I'm surprised, that you use your name Aurora...
later...
Lisa...
I'm surprised, in fantasy land everything is possible, but you decided to take your pipe dreams into the real world.
Code or complete explanation or you are just FOS.
prizrak
December 14th, 2005, 05:13 PM
LordHunter:
What is ACL? And thanks for correcting me on the root account thing :) (Linux lets me learn something new everyday)
LordHunter317
December 14th, 2005, 05:14 PM
LordHunter:
What is ACL?
Access Control List. Instead of having fixed user, group and world permissions, you have a list of user/groups and the permissions they have.
Linux supports ACLs assuming you enable them on your FS and use the right tools. The difference is NTFS only uses ACLs.
LinuxSwede
December 14th, 2005, 05:16 PM
Has the same model as Windows and Linux. That being said, their implementation of a lot of things is far superior. It's also worse in a lot of areas, especially on the desktop.
No, it doesn't, in fact, the differences are huge, the security thinking is what makes OpenBSD no1 all categories when it comes to security BAR NONE.
It doesn't use the same policies and it doesn't use the same implementations at the same levels, it uses a security model that is completely different from either Windows or Linux.
Having been involved in the development in OpenBSD as well as the implementations in the various EU criticals i suggest you back that up with factual information.
And I may suggest that you only do bring up things you are ABSOLUTELY sure of or I will tear you a new one while explaining to this community what a complete and utter idiot you are.
No holds barred, you'll like that i'm sure as you have no problems dishing it out.
LordHunter317
December 14th, 2005, 05:22 PM
Having been involved in the development in OpenBSD as well as the implementations in the various EU criticals i suggest you back that up with factual information.
It's DAC. DAC is DAC is DAC is DAC. Limited users cannot bypass checks and root can bypass all security checks he wishes, with the minor exception of the security level only going up, not down.
Linux has the same functionality on a more flexible basis with IRIX capabilities: you can strip privileges out of any process permanently.
It doesn't offer any more finer-grained modeling or containment than any other DAC system. It's not MAC, like Trusted Solaris, Trusted HP-UX, OpenVMS, or Linux with SELinux.
And i may suggest that you only do bring up things you are ABSOLUTELY sure of
I am. It's trivial to prove OpenBSD is a DAC system, which is what I said. It doesn't use a different model than Linux or Windows or just about every other operating system on the planet.
Where it does differ is that they've done a good job of limiting privileged code to the bare minimum necessary. Which is important, no doubt, and can limit the damage done by a compromise.
or i will tear you a new one while explaining to this community what a complete and utter idiot you are.
Sure, but you're already at a disadvantage seeing as you've provided no support besides a false appeal to authority.
LinuxSwede
December 14th, 2005, 05:24 PM
Access Control List. Instead of having fixed user, group and world permissions, you have a list of user/groups and the permissions they have.
Linux supports ACLs assuming you enable them on your FS and use the right tools. The difference is NTFS only uses ACLs.
And ACL's is actually a vulnerability instead of having it tied to the individual file.
You see, compromise an ACL and you have access to all files it concerns, compromise one file and you only have access to that file.
ACL's is basically a windows invention because the file permissions are lacking, linux supports it because of ntfs compatibility and not really for anything else.
LordHunter317
December 14th, 2005, 05:26 PM
No, it doesn't, in fact, the differences are huge,
What differences are there in the security model as compared to Linux? Root can do anything (including bypass the checks), limited users cannot. That's DAC.
the security thinking is what makes OpenBSD no1 all categories when it comes to security BAR NONE.
Nope. It doesn't. Having MAC is a very useful thing in many situations, and OpenBSD does not provide it.
It doesn't use the same policies and it doesn't use the same implementations at the same levels, it uses a security model that is completely different from either Windows or Linux.
Describe it then. In great detail. How is it different? How do I enforce, all the time, without any way to override, root code to not have all privileges?
You can't. You can optionally do so (i.e., DAC) but you cannot enforce it all the time. It's not a MAC system. It uses the same model.
LordHunter317
December 14th, 2005, 05:29 PM
And ACL's is actually a vulnerability instead of having it tied to the individual file.
Except it's not because you can do file-granularity permissions on both platforms.
You see, compromise an ACL and you have access to all files it concerns, compromise one file and you only have access to that file.
That makes no sense. One doesn't compromise files, they compromise user accounts. And in either case, you have access to every file that account does. Having an ACL doesn't change that, unless you can't apply ACLs on a fine enough granularity. And you can, so that's not the case.
ACL's is basically a windows invention because the file permissions are lacking,
Hardly, seeing as ACLs have been around way longer (OpenVMS and earlier) and there's multiple standards, including a POSIX one.
linux supports it because of ntfs compatibility and not really for anything else.
Nope, Linux doesn't support NTFS ACLs. It supports POSIX ACLs, and several filesystems do.
And you're the one claiming you're going to dish it out. :rolleyes: First false claims and now basic technical errors.
LinuxSwede
December 14th, 2005, 05:30 PM
It's DAC. DAC is DAC is DAC is DAC. Limited users cannot bypass checks and root can bypass all security checks he wishes, with the minor exception of the security level only going up, not down.
Linux has the same functionality on a more flexible basis with IRIX capabilities: you can strip privileges out of any process permanently.
It doesn't offer any finer-grained modeling or containment than any other DAC system. It's not MAC, like Trusted Solaris, Trusted HP-UX, OpenVMS, or Linux with SELinux.
I am. It's trivial to prove OpenBSD is a DAC system, which is what I said. It doesn't use a different model than Linux or Windows or just about every other operating system on the planet.
Where it does differ is that they've done a good job of limiting privileged code to the bare minimum necessary. Which is important, no doubt, and can limit the damage done by a compromise.
Sure, but you're already at a disadvantage seeing as you've provided no support besides a false appeal to authority.
Have you ever even looked at the OpenBSD security model?
I'm not even going to dignify that with a response until you do and apologize for being completely ignorant and a troll to boot.
You can continue to think that you know everything, my personal guess is that you are 18, have read bits and pieces of a lot of things and assume most things, in any case, it's obvious that you do not understand one bit of what you are talking about here.
LordHunter317
December 14th, 2005, 05:35 PM
Have you ever even looked at the OpenBSD security model?
Yes, I have. It's DAC: root can do as he/she pleases, regular users cannot.
Just like Linux. Just like Windows. Just like FreeBSD. Just like Solaris.
If you care to prove me wrong, then cite documentation or examples showing that's not the case.
I'm not even going to dignify that with a response until you do
I have. I've run every version of OpenBSD at some point. I actually prefer it for firewalling, as PF is a superior tool to iptables for most operations.
and apologize for being completely ignorant
I'm not the one making gross technical, logical, and historical errors.
and a troll to boot.
You're the one who started with the personal attack, not I.
You can continue to think that you know everything,
I don't. I've posted many times I don't and am wrong everyday.
my personal guess is that you are 18,
Wrong.
have read bits and pieces of a lot of things and assume most things,
Nope. It's readily apparent in this thread I'm assuming very little.
in any case, it's obvious that you do not understand one bit of what you are talking about here.
If it is, then provide technical and logically valid support for your position. You're claiming the model is different. If it really is, it should take you only a few moments to cite some links that support that. Your inability to move beyond tautologies is sad, typical, and frustrating.
earobinson
December 14th, 2005, 05:36 PM
Just a reminder personal attacks have no place in debates :)
LinuxSwede
December 14th, 2005, 05:39 PM
Except it's not because you can do file-granularity permissions on both platforms.
Except it is because it applies equally to a number of files while on access file controls only applies to one file.
And what you CAN do if you'd be willing to make it hard for yourself and easy for a hacker on Linux is what is default in windows.
That makes no sense. One doesn't compromise files, they compromise user accounts. And in either case, you have access to every file that account does. Having an ACL doesn't change that, unless you can't apply ACLs on a fine enough granularity. And you can, so that's not the case.
You seriously cannot be that dense, i don't think you are, you do realize that compromising file access is definitely a goal of any virus inventor?
Hardly, seeing as ACLs have been around way longer (OpenVMS and earlier) and there's multiple standards, including a POSIX one.
And yet they are not implemented in OpenSolaris, *BSD or Linux or any sane modern OS except for XP.. Gee, i wonder why.
Nope, Linux doesn't support NTFS ACLs. It supports POSIX ACLs, and several filesystems do.
ARGH, no, Linux doesn't have full support for NTFS yet but they do keep the ACL around for just that, everything else using ACL's is dead by now.
And you're the one claiming you're going to dish it out. :rolleyes: First false claims and now basic technical errors.
You are good at that, just making claims, that they are all wrong doesn't seem to bother you much.
LinuxSwede
December 14th, 2005, 05:44 PM
Yes, I have. It's DAC: root can do as he/she pleases, regular users cannot.
Just like Linux. Just like Windows. Just like FreeBSD. Just like Solaris.
If you care to prove me wrong, then cite documentation or examples showing that's not the case.
I have. I've run every version of OpenBSD at some point. I actually prefer it for firewalling, as PF is a superior tool to iptables for most operations.
I'm not the one making gross technical, logical, and historical errors.
You're the one who started with the personal attack, not I.
I don't. I've posted many times I don't and am wrong everyday.
Wrong.
Nope. It's readily apparent in this thread I'm assuming very little.
If it is, then provide technical and logically valid support for your position. You're claiming the model is different. If it really is, it should take you only a few moments to cite some links that support that. Your inability to move beyond tautologies is sad, typical, and frustrating.
I can't believe i've replied to this troll, off with you under the bridge with your flask, don't ask how i know, it's fairly obvious.
prizrak
December 14th, 2005, 05:44 PM
LinuxSwede, LordHunter: calm down lets not start a flame war here.
LinuxSwede, would you care to explain OpenBSD security model? You don't have to be too detailed about it but anything more than "It's a different and much more secure model, cuz I said so" will be quite good.
LordHunter317
December 14th, 2005, 05:48 PM
Except it is because it applies equally to a number of files while on access file controls only applies to one file.
No, it doesn't. I can apply a unique set of ACLs to a file if I choose to do so, on both platforms. You can stop parent ACL propagation at any level. The setfacl(1) manpage shows you're wrong:
The --set and --set-file options set the ACL of a file or a directory. The previous ACL is replaced. ACL entries for this operation must include permissions.
In windows, go to the advanced security dialog and simply uncheck 'Inherit from the parent the permissions entries that apply to child objects. Include these with entries explicitly defined here.'
Yes, ACLs applied to a directory are inherited by newly created children by default. File group ownership can be too, you know. The point is: it's trivial to change either and end up with file-level granularity.
i don't think you are, you do realize that compromising file access is definitely a goal of any virus inventor?
Yes, and that's done by gaining account credentials. That's what's used to implement security checks BTW: the user/group account credentials.
And yet they are not implemented in OpenSolaris, *BSD or Linux or any sane modern OS except for XP.. Gee, i wonder why.
Wrong, wrong and wrong on all counts. Linux supports them, Solaris supports them, FreeBSD supports them.
Trivial google searches will prove that in all cases.
but they do keep the ACL around for just that, everything else using ACL's is dead by now.
Then why on an ext3, reiserfs, JFS, or XFS filesystem can I enable and use POSIX ACLs?
You are good at that, just making claims, that they are all wrong doesn't seem to bother you much.
Your claims are easy to defeat:
EXT3 ACLs (http://acl.bestbits.at/about.html)
They're not NTFS ACLs. Read the POSIX drafts linked on that page.
LinuxSwede
December 14th, 2005, 05:49 PM
Recommended reading for the resident troll.
http://www.openbsd.org/books.html
LordHunter317
December 14th, 2005, 05:49 PM
I can't believe i've replied to this troll, off with you under the bridge with your flask, don't ask how i know, it's fairly obvious.
:rolleyes: Reported for trolling. You were warned to stop the personal attacks and asked to provide substantiation, you've failed to do both.
LinuxSwede
December 14th, 2005, 05:57 PM
No, it doesn't. I can apply a unique set of ACLs to a file if I choose to do so, on both platforms. You can stop parent ACL propagation at any level. The setfacl(1) manpage shows you're wrong:
Yet that doesn't matter because it is NEVER implemented in any system except Win where it is default.
In windows, go to the advanced security dialog and simply uncheck 'Inherit from the parent the permissions entries that apply to child objects. Include these with entries explicitly defined here.'
In any other OS, do nothing.
Yes, ACLs applied to a directory are inherited by newly created children by default. File group ownership can be too, you know. The point is: it's trivial to change either and end up with file-level granularity.
not only CAN they be, they ARE and if you have done ANY work as a security advisor, you'd know that.
Yes, and that's done by gaining account credentials. That's what's used to implement security checks BTW: the user/group account credentials.
Wrong, wrong and wrong on all counts. Linux supports them, Solaris supports them, FreeBSD supports them.
They are not implemented by default and will not be implemented unless the sysadm is a ******* nut and you KNOW THAT, wth are you even arguing that point for, and no, OpenBSD does not, which is my recommendation.
Trivial google searches will prove that in all cases.
Then why on an ext3, reiserfs, JFS, or XFS filesystem can I enable and use POSIX ACLs?
Your claims are easy to defeat:
EXT3 ACLs (http://acl.bestbits.at/about.html)
They're not NTFS ACLs. Read the POSIX drafts linked on that page.
These are ALL compliant with posix and do have ACL support, now tell me, which of these FS's is the ONLY one that implements it.
Kthxbye.
LinuxSwede
December 14th, 2005, 06:01 PM
:rolleyes: Reported for trolling. You were warned to stop the personal attacks and asked to provide substantiation, you've failed to do both.
A troll is a troll is a troll, you are dishonest, you claim that something IS as vulnerable because it could be implemented yet it never is implemented.
Give me a current figure of ANY other OS that runs an ACL aware FS, what is that 0% and with win you have no choice, its 100%.
Now get why what you wrote was a troll and get back under the bridge with that flask.
LordHunter317
December 14th, 2005, 06:03 PM
Yet that doesn't matter because it is NEVER implemented in any system except Win where it is default.
Yes, they are. They may not be enabled by default, but they're certainly implemented.
And I've deployed several Linux and OpenVMS systems where ACLs were an integral part of the system security. You know not of what you speak.
not only CAN they be, they ARE and if you have done ANY work as a security advisor, you'd know that.
What? This is a non-sequitur. You were the one previously claiming ACLS cannot be applied on a per-file basis, so which one is it now?
They are not implemented by default and will not be implemented unless the sysadm is a ******* nut and you KNOW THAT,
They're not under a POSIX system because of how the ACLs work: they're supplementary, not a replacement. As such, it makes no sense to have any ACLs by default unless you actually need them. Thus far, no Linux system has needed them OOB, which really makes sense.
Windows doesn't need them either, but it doesn't have traditional UNIX file permissions, so you have to use them.
wth are you even arguing that point for,
Because you stated it and you were incorrect. You opened this door, so you can take the consequences.
and no, OpenBSD does not, which is my recommendation.
Non-sequitur by irrelevance, and I never claimed it did.
These are ALL compliant with posix and do have ACL support, now tell me, which of these FS's is the ONLY one that implements it.
They all do. I think you don't understand what the word "implements" means.
LordHunter317
December 14th, 2005, 06:04 PM
A troll is a troll is a troll, you are dishonest, you claim that something IS as vulnerable because it could be implemented yet it never is implemented.
Where did I make any such claim?
Give me a current figure of ANY other OS that runs an ACL aware FS, what is that 0% and with win you have no choice, its 100%.
OpenVMS.
Any Linux that supports any of the filesystems i mentioned.
LinuxSwede
December 14th, 2005, 06:24 PM
Yes, they are. They may not be enabled by default, but they're certainly implemented.
And I've deployed several Linux and OpenVMS systems where ACLs were an integral part of the system security. You know not of what you speak.
Yeah, i guess my 20 years in this industry means nothing, do they, the only reason you implemented ACL's were because it was a new posix standard at the time, i know, others did too, and they, like you, don't know shiat about security.
What? This is a non-sequitur. You were the one previously claiming ACLS cannot be applied on a per-file basis, so which one is it now?
No, i'm claiming that they are NOT used at ALL unless using the concept of a win environment, seriously OpenVMS in as is graniour, it does not IMPRESS ME. stop acting like you know it all and start talking about the real deal.
They're not under a POSIX system because of how the ACLs work: they're supplementary, not a replacement. As such, it makes no sense to have any ACLs by default unless you actually need them. Thus far, no Linux system has needed them OOB, which really makes sense.
Wow, isn't THAT irrelevant? The point is, where are they implemented and where are they not, again look at OpenBSD.
Windows doesn't need them either, but it doesn't have traditional UNIX file permissions, so you have to use them.
Which is a basic point, Unix has the ability without using it and windows doesn't and if using a list isn't more vulnerable (since compromising the list would give you default access to anything on the list) than a per file authority (which would give you the access to user Y's ro hidden porn archive) then i don't know how you define security, at least i can tell you that none of the people i have worked with and none of the security models i have worked on have EVER implemented any of your standards, and the users are oh so thankful for that.
Because you stated it and you were incorrect. You opened this door, so you can take the consequences.
Non-sequitur by irrelevance, and I never claimed it did.
They all do. I think you don't understand what the word "implements" means.
no, i was correct, and you keep on arguing while point by point you give me the credit for being correct, is that how you do that without losing face?
I'm telling you that OpenBSD is my recommendation (and i should know, i even gave you a hint why), NOW, since you have obviously learned why your premises were wrong, tell me again.
OpenBSD, the security model and the defaults, how is it different, it is, read up.
LinuxSwede
December 14th, 2005, 06:30 PM
Where did I make any such claim?
Surely you jest?
OpenVMS.
Well congrats on bringing an OS that next to no one uses anymore into the discussion, it's SO very relevant.
Any Linux that supports any of the filesystems i mentioned.
Yet it takes out of the ordinary changes to make it into an ACL compliant system with ANY distro and it's impossible with OpenBSD which is what i was talking about.
YAY for you.
Now, show me again where OpenBSD does the same thing or just admit that before you checked it out tonight, you didn't even have a clue what it was, you thought it was just another version of FreeBSD.
I know and dismiss your type at work every day.
LinuxSwede
December 14th, 2005, 06:38 PM
Lemme get this straight, according to your line of thought everything is equally vulnerable since most things CAN be implemented (though only a thorough moron would)?
Relate that to OpenBSD.
I'd like to see it if you don't mind, because quite frankly, i was impressed with your knowledge about the CPU modes but i have been fairly unimpressed about the ring communication knowledge so far.
LordHunter317
December 14th, 2005, 06:43 PM
Yeah, i guess my 20 years in this industry means nothing, do they, the only reason you implemented ACL's were because it was a new posix standard at the time,
Seeing as the OpenVMS ACLs aren't POSIX, this is a non-sequitur.
Seeing as the Linux deployment was within this year, it is also a non-sequitur.
i know, others did too, and they, like you, don't know shiat about security.
Your technical errors don't amuse me and belittle your claims about what I do and do not know. Where's the documentation I've asked you to cite?
No, i'm claiming that they are NOT used at ALL
By default. If you create them, they're enforced. Do I need to walk through a shell session as proof? I can do so, if you really desire.
unless using the concept of a win environment, seriously OpenVMS in as is graniour, it does not IMPRESS ME.
I'm not using it to be graniour[sic].
stop acting like you know it all and start talking about the real deal.
I am. I've even cited the authoritative online Linux source as proof, and pointed out where google would support my claims quickly and trivially. You've done neither.
The point is, where are they implemented and where are they not, again look at OpenBSD.
And they're implemented in every operating system I've mentioned.
and if using a list isn't more vulnerable (since compromising the list would give you default access to anything on the list)
What the hell do you mean by "compromising the list"? If you have permissions that an ACL grants you, then yes, you can access the file.
Which is no different from traditional UNIX file permissions. If I compromise a daemon running as 'myapp', then I can access every file the user 'myapp' can. Doesn't matter if I assigned those permissions using chmod or an ACL.
than a per file authority (which would give you the access to user Y's ro hidden porn archive)
You've yet to show how you cannot grant per-file granularity, and I've shown how you can on both platforms. I can create a file in a shared space (say, /tmp) and then with an ACL, revoke all access on that file to everyone except root. That ACL will be enforced.
Here, everyone can try it at home. Mount /tmp with the acl mount option, if necessary (it is for ext3. It is not for XFS). Create a second user, called test. As your normal user, run the following commands:
    cd /tmp
    touch file1 file2
    chmod 000 file1 file2
    setfacl -m 'm:r,test:r' file1
Then, as user test:
    cat /tmp/file1
This should return nothing, but no error. Then:
    cat /tmp/file2
should return:
    cat: /tmp/file2: Permission denied
Clearly, ACLs can be applied on a per-file basis, and they're actually enforced.
the people i have worked with and none of the security models i have worked on have EVER implemented any of your standards,
What security models have you worked with then? I know for a fact that's a lie because NIST evaluates Windows and Linux to the same model, and Windows mandates ACLs. Proof by contradiction. This can be verified at the NIST common criteria site for anyone who's interested.
no, i was correct,
Provide documentation showing OpenVMS, Linux, Solaris, and FreeBSD don't support ACLs then.
I'm telling you that OpenBSD is my recommendation (and i should know, i even gave you a hint why),
Not in a logically valid way. Appealing to your 20-years experience and having developed for OpenBSD is an invalid appeal to authority.
NOW, since you have obviously learned why your premises were wrong, tell me again.
You've provided no logical reasoning as to why my premises are wrong.
OpenBSD, the security model and the defaults, how is it different, it is, read up.
Provide me documentation so I can. A list of books that OpenBSD themselves recommends is insufficient. You've been even given specific claims to disprove and haven't.
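The shell session in the post above, replayed against a small model of the POSIX ACL access check described in acl(5). This is an added example, not part of the original post: the owner name "alice", the group names and all function names are assumptions, and root's ability to bypass the check is deliberately not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1  # permission bits, same values chmod uses


@dataclass
class Acl:
    """One file's POSIX ACL: three base entries plus optional named entries."""
    owner: str
    group: str
    user_obj: int = 0            # user::   (owner)
    group_obj: int = 0           # group::  (owning group)
    other: int = 0               # other::
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME:
    groups: Dict[str, int] = field(default_factory=dict)  # group:NAME:
    mask: Optional[int] = None   # mask::   (caps named and group entries)


def parse_perms(text: str) -> int:
    """Accept 'r', 'rw-', '---' or a single octal digit."""
    if text.isdigit():
        return int(text, 8) & 7
    bits = 0
    for ch in text:
        if ch != "-":
            bits |= {"r": R, "w": W, "x": X}[ch]
    return bits


def setfacl_modify(acl: Acl, spec: str) -> None:
    """Apply a `setfacl -m` style spec such as 'm:r,test:r' to the model."""
    explicit_mask = False
    for entry in spec.split(","):
        fields = entry.strip().split(":")
        tag = fields[0]
        if tag in ("u", "user", "g", "group") and len(fields) == 3:
            kind, who, perms = tag[0], fields[1], fields[2]
        elif tag in ("m", "mask", "o", "other"):
            kind, who, perms = tag[0], "", fields[-1]
        elif len(fields) == 2:          # 'test:r' means 'u:test:r'
            kind, who, perms = "u", fields[0], fields[1]
        else:
            raise ValueError("unsupported ACL entry: " + entry)
        bits = parse_perms(perms)
        if kind == "m":
            acl.mask, explicit_mask = bits, True
        elif kind == "o":
            acl.other = bits
        elif kind == "u":
            if who:
                acl.users[who] = bits
            else:
                acl.user_obj = bits
        elif who:
            acl.groups[who] = bits
        else:
            acl.group_obj = bits
    # Without an explicit mask, setfacl recalculates it as the union of the
    # owning-group entry and every named entry.
    if not explicit_mask and (acl.users or acl.groups):
        acl.mask = acl.group_obj
        for bits in list(acl.users.values()) + list(acl.groups.values()):
            acl.mask |= bits


def may_access(acl: Acl, user: str, groups: Set[str], want: int) -> bool:
    """Access check order from acl(5): owner, named user, groups, other."""
    mask = 7 if acl.mask is None else acl.mask
    if user == acl.owner:                       # owner entry, mask not applied
        return acl.user_obj & want == want
    if user in acl.users:                       # named user entry, capped by mask
        return acl.users[user] & mask & want == want
    matched = [acl.group_obj] if acl.group in groups else []
    matched += [p for g, p in acl.groups.items() if g in groups]
    if matched:                                 # one matching entry must suffice
        return any(p & mask & want == want for p in matched)
    return acl.other & want == want


def replay_session() -> Dict[str, bool]:
    """Constructed replay: owner 'alice' (assumed) and second user 'test'."""
    file1 = Acl(owner="alice", group="alice")   # touch + chmod 000
    file2 = Acl(owner="alice", group="alice")   # touch + chmod 000
    setfacl_modify(file1, "m:r,test:r")         # setfacl -m 'm:r,test:r' file1
    return {
        "test reads file1": may_access(file1, "test", {"test"}, R),
        "test reads file2": may_access(file2, "test", {"test"}, R),
        "test writes file1": may_access(file1, "test", {"test"}, W),
        "owner reads file1": may_access(file1, "alice", {"alice"}, R),
    }


if __name__ == "__main__":
    for question, answer in replay_session().items():
        print(question, "->", "granted" if answer else "denied")
```

In this model the owner is denied read on file1 while test is granted it, because the owner entry is checked first and chmod 000 left it empty.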
LordHunter317
December 14th, 2005, 06:50 PM
Surely you jest?
OpenVMS.
How is my introduction of OpenVMS into the argument proof of your claim that I:
A troll is a troll is a troll, you are dishonest, you claim that something IS as vulnerable because it could be implemented yet it never is implemented.
(emphasis mine).
This is a terrible, terrible non-sequitur. I'm not even sure what you're trying to claim or disprove at this point.
Well congrats on bringing an OS that next to no one uses anymore into the discussion, it's SO very relevant.
It's still used, it just has small marketshare. If we're excluding based on marketshare guess Linux is out too, as is OpenBSD, right?
Nope. You're attempting to commit a fallacy of exclusion, and it won't fly. You have to show why it's irrelevant to this discussion. Simply being uncommon isn't sufficient reasoning.
Yet it takes out of the ordinary changes to make it into an ACL compliant system with ANY distro
No, it doesn't. SuSE supports them OOB.
and it's impossible with OpenBSD which is what i was talking about.
No, you weren't. You originally claimed ACLs are less secure than traditional file permissions, then tried to claim no operating system besides Windows uses them.
Now, show me again where OpenBSD does the same thing
I never did, because I know it doesn't. Nor did I ever claim I did, because that would be a factual error.
or just admit that before you checked it out tonight,
Need a picture of me holding pressed OpenBSD 3.5 CDs? They're in this room somewhere.
I know and dismiss your type at work every day.
I'll leave it to the discerning reader to determine who should be dismissed as incorrect here.
LordHunter317
December 14th, 2005, 06:51 PM
Lemme get this straight, according to your line of thought everything is equally vulnerable since most things CAN be implemented (though only a thorough moron would)?
I never made any such claim.
but i have been fairly unimpressed about the ring communication knowledge so far.
What ring communication? Non-sequitur, again.
LinuxSwede
December 14th, 2005, 07:16 PM
How is my introduction of OpenVMS into the argument proof of your claim that I:(emphasis mine).
Flask getting empty, i have no clue what you intended to say here.
This is a terrible, terrible non-sequitur. I'm not even sure what you're trying to claim or disprove at this point.
No it isn't it is something that CAN be implemented by someone with less brains vs something implemented by default, i know you love to scream "non-sequitur" but to do so and never explaining why only makes you a troll.
It's still used, it just has small marketshare. If we're excluding based on marketshare guess Linux is out too, as is OpenBSD, right?
And it has WHAT to do with either Ubuntu (which is this forum) or my recommendation that is OpenBSD.
Nope. You're attempting to commit a fallacy of exclusion, and it won't fly. You have to show why it's irrelevant to this discussion. Simply being uncommon isn't sufficient reasoning.
Well my recommendation was WHAT? This forum is about WHAT distro? I have yet to talk about anything but Ubuntu and OpenBSD yet you circumvent it to get your way, typical trollish behaviour.
No, it doesn't. SuSE supports them OOB.
Yeah, since this isn't a Suse (and it's Suse and not SuSE these days, hell you can't even get the name of the irrelevant distro right, how pathetic is that) forum and i never recommended anything but OpenBSD that is hardly relevant, i will say this though, there is support but you'll have to actively use it and by default, you won't.
No, you weren't. You originally claimed ACLs are less secure than traditional file permissions, then tried to claim no operating system besides Windows uses them.
I still claim that no system i mentioned use them, i still claim they do make a system more vulnerable, you know that it's true.
I never did, because I know it doesn't. Nor did I ever claim I did, because that would be a factual error.
Perhaps you missed the part where i said that OpenBSD was different and you said it was not?
Need a picture of me holding pressed OpenBSD 3.5 CDs? They're in this room somewhere.
Yes, but right now. post it.
I'll leave it to the discerning reader to determine who should be dismissed as incorrect here.
Yeah, since you said that OpenBSD was the same, and i said it was not, now you agree it was not, and you've been continuously wrong on most things, yeah, let's leave it up to the reader.
if you ever get off your high horse and step down to us mere mortals you might learn that you should actually know before you speak, you claimed to have knowledge about OpenBSD yet you had to back down on that, you claimed to have knowledge on Linux yet you had to back down on that, you say you have knowledge on OpenVMS, i haven't used it, but i'm pretty sure that if i were to check it out, you'd have to back down on that too.
IOW, at best, you are a sad fraud with one point, at worst, you're just a sad fraud.
LinuxSwede
December 14th, 2005, 07:25 PM
Seeing as the OpenVMS ACLs aren't POSIX, this is a non-sequitur.
Yah, since you are the ONLY one in this entire forum that mentions that OS your entire brain is non-sequitur.
What security models have you worked with then? I know for a fact that's a lie because NIST evaluates Windows and Linux to the same model, and Windows mandates ACLs. Proof by contradiction. This can be verified at the NIST common criteria site for anyone who's interested.
I saved this little gem just because it's so amusing, Windows mandates ACLs, do any Linux distros or ANY linux implementations you know of mandate ACL's?
I just saved this little gem so everyone can laugh at the troll.
Provide documentation showing OpenVMS, Linux, Solaris, and FreeBSD don't support ACLs then.
It's cute since what my recommendation was NONE of the systems but OpenBSD, it's a tightly locked highly secured system that does NOT implement ACL's by among others, my own recommendations.
Not in a logically valid way. Appealing to your 20-years experience and having developed for OpenBSD is an invalid appeal to authority.
You've provided no logical reasoning as to why my premises are wrong.
Provide me documentation so I can. A list of books that OpenBSD themselves recommends is insufficient. You've been even given specific claims to disprove and haven't.
And you appeal to links not even concerning OpenBSD and claim that my books and my experiences while developing the system are invalid appeals to authority.
You are pathetic.
earobinson
December 14th, 2005, 07:27 PM
You are pathetic.
Please stop with the personal attacks, You have been asked more than once. Reported.
prizrak
December 14th, 2005, 07:30 PM
OK can I get some actual information here? LinuxSwede, you have recommended OpenBSD for security purposes. Why is it more secure than Linux, or even FreeBSD (you don't directly say it but it is implied). I can understand that you might not have the time to type out a lengthy explanation but a more specific link would be good (the book list would take way too long to go through).
And both of you chill, for crying out loud if it were IRL you'd be settling it at 10 paces by now.
LordHunter317
December 14th, 2005, 07:34 PM
Flask getting empty, i have no clue what you intended to say here.
Your response to my claim that I haven't:
A troll is a troll is a troll, you are dishonest, you claim that something IS as vulnerable because it could be implemented yet it never is implemented.
Was:
Originally Posted by LinuxSwede
Surely you jest?
OpenVMS.
The posting history shows this cycle of events.
I was the one who originally claimed nonsense. How does introducing OpenVMS in any way make a claim that something is vulnerable because something could be implemented? It doesn't.
No it isn't it is something that CAN be implemented by someone with less brains vs something implemented by default,
What are you talking about? This is a non-sequitur. I never said anything of the sort.
i know you love to scream "non-sequitur" but to do so and never explaining why only makes you a troll.
I do explain so. If in any instance i fail to specifically say "Non-sequitur by specific fallacy," then I probably explained in the previous sentence, or the statement made was totally nonsensical and I couldn't figure out what was being said.
And it has WHAT to do with either Ubuntu (which is this forum) or my recommendation that is OpenBSD.
It has nothing to do with it. You tried to exclude VMS based on marketshare and my counter is that your argument falls apart if you do so, because we must exclude everything but Windows and possibly RHEL.
It doesn't have to be relevant to overall subject of this forum or your long ancient, irrelevant recommendation. Trying to suggest either is a fallacy by exclusion.
Well my recommendation was WHAT?
Non-sequitur by irrelevance. We weren't talking about OpenBSD, you were trying to exclude OpenVMS from the discussion on grounds of marketshare.
This forum is about WHAT distro?
Also non-sequitur by irrelevance. Where the debate is being held has no say on its logical content.
I have yet to talk about anything but Ubuntu and OpenBSD
Lies:
ACL's is basically a windows invention because the file permissions are lacking
(emphasis mine). Proof by contradiction.
yet you circumvent it to get your way, typical trollish behaviour.
And you're lying about your previous posts, which isn't just trollish, it's rather silly since anyone can see what you wrote previously.
Yeah, since this isn't a Suse (and it's Suse and not SuSE these days, hell you can't even get the name of the irrelevant distro right, how pathetic is that) forum
How is this the this isn't a Suse forum relevant? Your statement was:
Yet it takes out of the ordinary changes to make it into an ACL compliant system with ANY distro
(bold emphasis mine). You introduced ANY distro into the discussion via that statement. I gave a simple counterexample that shows your claim to be logically false. Try as you might, but the fact this is a Ubuntu forum has no relevance here.
i will say this though, there is support but you'll have to actively use it and by default, you won't.So I'll take it you're abandoing your previous ACL position? I never denied you had to add ACLs on UNIX manually, so we're in agreement there.
I still claim that no system i mentioned use them,Yet the ones I mentioned do.
i still claim they do make a sustem more vulnerable, you know that it's true.No, I don't. Explain how they do, given the fact you apply them on a per-file basis.
People far smarter than you and I, like NIST, disagree with you.
Perhaps you missed the part where i said that OpenBSD was different and you said it was not?
I said the security model was not different. I never said it uses ACLs. The difference between those two statements should be patently obvious.
Yes, but right now. post it.
Yeah, since you said that OpenBSD was the same,
I said it had the same model. I even at the beginning said the implementation was quite different, that would include lack of ACLs.
and i said it was not, now you agree it was not,
I've agreed to nothing of the sort.
and you've been continuously wrong on most things,
You're the one whose statements can be disproven with trivial google searches. I've yet to see one external reference for any of your claims.
If ACLs are less secure, where is the external documentation? If OpenBSD uses a different model, where is the external documentation? Specific papers, books, or websites. Preferably at least one of the latter if you're going to cite hardcopy texts.
if you ever get off your high horse and step down to us mere mortals you might learn that you should actually know before you speak, you claimed to have knowledge about OpenBSD yet you had to back down on that,
I haven't done anything of the sort.
you claimed to have knowledge on Linux yet you had to back down on that,
I've done nothing of the sort.
you say you have knowledge on OpenVMS, i haven't used it, but i'm pretty sure that if i were to check it out, you'd have to back down on that too.
Feel free. All (and I mean ALL) the documentation for VMS 8 is on HP's website. A quick google search should get you their homepage.
LinuxSwede
December 14th, 2005, 07:35 PM
Please stop with the personal attacks, You have been asked more than once. Reported.
How about no, in the case of security, misinformation is worse than NO information and read his arguments, i brought up OpenBSD as the recommendation, he started out mentioning how it wasn't any different, ever since that post he has mentioned every other distro except that one because i was right from the start.
And yeah, i truly don't give a damn if you ban me over this, i respected the man for his explanations in the first post and told him so, he should have taken his own advice and not wander into topics he has no clue about.
LordHunter317
December 14th, 2005, 07:40 PM
Yah, since you are the ONLY one in this entire forum that mentions that OS your entire brain is non-sequitur.
No, that's not true. This is a mere personal attack. Just because something is uncommon doesn't make it an invalid reference, especially when it can be extremely trivially researched online.
do any Linux distros or ANY linux implementations you know of mandate ACL's?
No, but why would they? With ownership permissions, they're not necessary.
I just saved this little gem so everyone can laugh at the troll.
It's cute since what my recommendation was NONE of the systems but OpenBSD,
Yet you generalized about other operating systems, and I've pointed those points out in previous posts.
it's a tightly locked highly secured system that does NOT implement ACL's by among others, my own recommendations.
Oh, and if you're an OpenBSD developer, what's your CVS username/password so I can verify? Alternatively, a post to the source-changes@ mailing list with your name and email address proving you've actually contributed code.
You'll find if you look in their bugzilla repository under my real name (Adam Skutt) that I have filed bugs before, and if you look on misc@ and tech@, you'll find my email (askutt@wnec.edu) in a few posts. All of which is trivially verifiable by google.
And you appeal to links not even concerning OpenBSD and claim that my books and my experiences while developing the system are invalid appeals to authority.
The books aren't, but I don't have them on hand. At any rate, you'd do better if you cited specific books, chapters and sections that support your argument. That gives me a much easier time of finding what I need when I go to the library. I'm certainly not going to research your argument for you.
Your experience is presently invalid because you have provided no proof you actually have any. So as I said, pony up the details. In a private message if you don't feel like posting them here.
LinuxSwede
December 14th, 2005, 07:40 PM
OK can I get some actual information here? LinuxSwede, you have recommended OpenBSD for security purposes. Why is it more secure than Linux, or even FreeBSD (you don't directly say it but it is implied). I can understand that you might not have the time to type out a lengthy explanation but a more specific link would be good (the book list would take way too long to go through).
And both of you chill, for crying out loud if it were IRL you'd be settling it at 10 paces by now.
Well the entire system is set up with whitelist defaults, if you want something you'll have to whitelist it, it doesn't support ACL's, it has PF which is the best firewall solution OOB to date.
It's a tightly locked down system.
My anger about this guy is about him spreading misinformation which, when it comes to security is worse than NO information, i followed his progress through this thread and he's made a LOT of good comments, but in this case, he doesn't have a clue, yet he keeps arguing.
earobinson
December 14th, 2005, 07:40 PM
in the case of security, misinformation is worse than NO information and read his arguments, i brought up OpenBSD as the recommendation, he started out mentioning how it wasn't any different, ever since that post he has mentioned every other distro except that one because i was right from the start.
Agreed, however if the information gets gunked down by the fact that the mods need to step in, or there is too many stuff you's and the like, then it's no good to anyone.
LordHunter317
December 14th, 2005, 07:42 PM
ever since that post he has mentioned every other distro except that one because i was right from the start.
Only when you introduced them. I'm not the one wandering from your claimed topic. Show me where I introduced another distribution or operating system when you didn't make a general claim or talk about other things first.
he should have taken his own advice and not wander into topics he has no clue about.
You're the one not supporting your position, not me.
If anything, you should be banned for cross-thread trolling. I could care less about the personal attacks, it's the inability to substantiate and doubling-back on your previous statements that irritate me. The personal attacks are just icing on the cake, really.
LordHunter317
December 14th, 2005, 07:44 PM
Well the entire system is set up with whitelist defaults, if you want something you'll have to whitelist it, it doesn't support ACL's, it has PF which is the best firewall solution OOB to date.
None of which change my original claim: OpenBSD is a DAC system.
i followed his progress through this thread and he's made a LOT of good comments, but in this case, he doesn't have a clue, yet he keeps arguing.
I'll reiterate I have external support, you haven't posted any specific external support yet.
psusi
December 14th, 2005, 07:45 PM
I just spent 3 hours reading this entire thread...
LinuxSweed, you are a troll. The personal attacks and post after post of outright wrong facts and ridiculous conclusions demonstrates this. Virtually everything that you have said in the last several posts has been factually wrong, as Lord Hunter has shown.
While I disagree with a few fine points he has made, Lord Hunter has carried out a fine debate and supported his points well, which on the whole, I agree with.
Most of the argument here can be summed up as such:
The default policies of windows and typical use cases may be insecure, but the OS is not broken by design, and the security model it uses is mostly the same as linux.
macgyver2
December 14th, 2005, 07:48 PM
And both of you chill, for crying out loud if it were IRL you'd be settling it at 10 paces by now.
And what better place for that than The Backyard (http://ubuntuforums.org/forumdisplay.php?f=121)?
I just hope they don't get any blood in the pool...
LordHunter317
December 14th, 2005, 07:48 PM
While I disagree with a few fine points he has made,
Curious: Which ones?
Most of the argument here can be summed up as such:
The default policies of windows and typical use cases may be insecure, but the OS is not broken by design, and the security model it uses is mostly the same as linux.
Precisely. The default configuration is far from ideal. But I can leverage that against a bunch of Linux distros too (Ubuntu is one that does an awesome job, FWIW). OpenBSD has a great OOB configuration for servers, something I won't deny. It also implements better code separation that helps to greatly limit the negative effects of an exploit, for most things.
It also doesn't change the fact they all implement the same model, and support roughly the same amount of control and granularity. The differences aren't generally relevant, to say the least.
LinuxSwede
December 14th, 2005, 07:54 PM
No, that's not true. This is a mere personal attack. Just because something is uncommon doesn't make it an invalid reference, especially when it can be extremely trivially researched online.
NOBODY IS DISCUSSING OPENVMS BUT YOU IN THIS THREAD, NOBODY MENTIONED IT, IT'S NOT PART OF THE DISCUSSION!
Oh, and if you're an OpenBSD developer, what's your CVS username/password so I can verify? Alternatively, a post to the source-changes@ mailing list with your name and email address proving you've actually contributed code.
No, actually if you had read my posts you would have understood that i have been an OpenBSD developer, lol, i really don't need you to verify it and i really wouldn't trust you with it. I'll make a post on the OpenBSD mailing list, you can read it there and of course, name and email needs to be included, you can search the archives for my contributions and announcements.
You'll find if you look in their bugzilla repository under my real name (Adam Skutt) that I have filed bugs before, and if you look on misc@ and tech@, you'll find my email (askutt@wnec.edu) in a few posts. All of which is trivially verifiable by google.
I don't doubt that you are a very knowledgeable guy, i did say that in my first post in this thread, when it comes to general security you don't have a clue though, that is why you have to jump to an obscure OS like OpenVMS, you know that.
You know some stuff about some stuff but assumed stuff and probably read up on it and realized that you were wrong about it and then jumped out of it, you have not ONCE referred to OpenBSD since that post, not in ANY of your later posts and we both know why.
You have lots of rights in this thread, this is one wrong, just swallow it and move on.
LinuxSwede
December 14th, 2005, 07:55 PM
Agreed, however if the information gets gunked down by the fact that the mods need to step in, or there is too many stuff you's and the like, then it's no good to anyone.
You're right and i'll leave it at this, i provided the links and the information, it's up to readers to look it up.
Take care.
LinuxSwede
December 14th, 2005, 07:58 PM
I just spent 3 hours reading this entire thread...
LinuxSweed, you are a troll. The personal attacks and post after post of outright wrong facts and ridiculous conclusions demonstrates this. Virtually everything that you have said in the last several posts has been factually wrong, as Lord Hunter has shown.
While I disagree with a few fine points he has made, Lord Hunter has carried out a fine debate and supported his points well, which on the whole, I agree with.
Most of the argument here can be summed up as such:
The default policies of windows and typical use cases may be insecure, but the OS is not broken by design, and the security model it uses is mostly the same as linux.
Of course i am, he conveniently avoided everything having anything to do with OpenBSD after his first post on the matter, he continuously argues that OpenVMS is the same but nobody argued anything else.
point out one instance where i was wrong and i will immediately leave this forum, fail and you will have to do just that, is that a deal?
Seriously, if that isn't the definition of trolling, i don't know what is.
LordHunter317
December 14th, 2005, 08:07 PM
NOBODY IS DISCUSSING OPENVMS BUT YOU IN THIS THREAD, NOBODY MENTIONED IT, IT'S NOT PART OF THE DISCUSSION!
And I did not introduce it in the discussion about ACLs until you claimed ACLs were a Windows invention.
The sole point of introducing it was to show you were wrong, from a historical POV.
No, actually if you had read my posts you would have understood that i have been an OpenBSD developer,
Are, have, makes no difference. If you had been at any point, then there would be public proof of that fact. Which you're refusing to provide, so I'm going to assume you actually were wrong.
I'll make a post on the OpenBSD mailing list, you can read it there and of course, name and email needs to be included, you can search the archives for my contributions and announcements.
And how am I supposed to know who you are? The OpenBSD lists are public, after all (well, save for hackers@).
I don't doubt that you are a very knowledgeable guy, i did say that in my first post in this thread,
Then why did you call me pathetic several times? You can't even keep a completely consistent image of me.
when it comes to general security you don't have a clue though, that is why you have to jump to an obscure OS like OpenVMS, you know that.
No, I've barely mentioned OpenVMS. I've only talked about it without speaking about other operating system as well once or twice, which is hardly jumping to an obscure operating system.
, you have not ONCE referred to OpenBSD since that post, not in ANY of your later posts and we both know why.
Yes, I have, several times. Do I need to post proof?
You have lots of rights in this thread, this is one wrong, just swallow it and move on.
Support your position and maybe I will.
You're right and i'll leave it at this, i provided the links and the information, it's up to readers to look it up.
A link to the generic OBSD books section does not qualify as providing information. You've been asked to cite several times, you're being asked to cite again, and you haven't.
Of course i am, he conveniently avoided everything having anything to do with OpenBSD after his first post on the matter,
Nope.
he continuously argues that OpenVMS is the same but nobody argued anything else.
Nope.
LordHunter317
December 14th, 2005, 08:09 PM
Here's that picture as proof I'm an OpenBSD user and owner. It's of 3.4 (I found it first) and the text is a little hard to read, but you can see it says OpenBSD.
http://www.wnec.edu/~askutt/obsd.jpg
LinuxSwede
December 14th, 2005, 08:16 PM
And I did not introduce it in the discussion about ACLs until you claimed ACLs were a Windows invention.
That's great since i never did.
The sole point of introducing it was to show you were wrong, from a historical POV.
That is great since i couldn't be wrong regarding a claim i never made.
I'm not going to bother to respond anymore to you, it's clear to me that you are not interested in discussing security or anything at all, you are interested in twisting things said so that you can be right and that is it.
And i still don't believe you have actually ever done anything useful on an OpenBSD machine, but if you have one nearby, please do so.
If you have any questions, feel free to ask.
LordHunter317
December 14th, 2005, 08:21 PM
That's great since i never did.
:rolleyes: Utter nonsense:
Originally posted by LinuxSwede in post 152: (http://www.ubuntuforums.org/showpost.php?p=574226&postcount=152)
ACL's is basically a windows invention because the file permissions are lacking, linux supports it because of ntfs compatibility and not really for anything else.
(emphasis mine). The problem with lying about what you said on the Internet is that everyone has logs.
I'm not going to bother to respond anymore to you, it's clear to me that you are not interested in discussing security or anything at all,
You're the one unwilling to support your position, not I. You've yet to externally support yourself, at all. I've done so many times, far beyond what one should ever have to do, and even against silly personal attacks better left ignored.
And i still don't believe you have actually ever done anything useful on an OpenBSD machine, but if you have one nearby, please do so.
And I'd prove it to you how?
aysiu
December 14th, 2005, 08:23 PM
I'm not going to bother to respond anymore to you
You mean forum members might have to turn to Reality TV to get their entertainment now?
LinuxSwede
December 14th, 2005, 08:36 PM
:rolleyes: Utter nonsense: (emphasis mine). The problem with lying about what you said on the Internet is that everyone has logs.
You're the one unwilling to support your position, not I. You've yet to externally support yourself, at all. I've done so many times, far beyond what one should ever have to do, and even against silly personal attacks better left ignored.
And I'd prove it to you how?
I don't care if you prove it to me, seriously, i really don't care if you use it or not, i just care about its existence and that people who are involved and cares about security knows it.
Seriously, i've been a bit harsh on you, but still, you're the definition of a troll, you change the issues to what fits your right instead of arguing the issue and admit it when you were wrong.
I'll make you a deal, i'll admit that i made an incorrect statement regarding windows being the inventor of ACL's if you'll admit that no current widespread OS except windows uses by default and that OpenBSD has to be hacked to use it.
Now, please, let's dwell into what we do the best, looking at your first post in this thread, it's general design for you and personally i'll get back to mine.
LinuxSwede
December 14th, 2005, 08:37 PM
You mean forum members might have to turn to Reality TV to get their entertainment now?
LMAO, you're the man dawg!
LordHunter317
December 14th, 2005, 08:38 PM
I don't care if you prove it to me, seriously, i really don't care if you use it or not,
Then leave, like you've threatened several times, if you're unwilling to further continue the debate.
Seriously, i've been a bit harsh on you, but still, you're the definition of a troll, you change the issues to what fits your right instead of arguing the issue and admit it when you were wrong.
No, you've been doing that. I've responded directly to every point you've raised and supported externally as appropriate. You haven't.
if you'll admit that no current widespread OS except windows uses by default and that OpenBSD has to be hacked to use it.
I can't agree to that because as I said, Suse ships with them enabled by default.
psusi
December 14th, 2005, 09:13 PM
LinuxSweede: Stop. Just stop.
LordHunter: I'm too lazy to trek all the way back through this long thread right now to find them and quote, since really they were just little nit-picks, but one that sticks out in my memory is this:
You basically said that the Administrator account on NT is not really the superuser, SYSTEM is. I suppose that is true if you really want to split hairs, but realistically, whatever rights the administrator account does not have enabled already, he can grant himself, so it amounts to the same thing.
A case in point is that while you can not normally fire up task manager and terminate the winlogon process, you can run process explorer from www.sysinternals.com and grant yourself permission to kill it, then kill it... which causes a BSOD.
LordHunter317
December 14th, 2005, 09:44 PM
You basically said that the Administrator account on NT is not really the superuser, SYSTEM is. I suppose that is true if you really want to split hairs, but realistically, whatever rights the administrator account does not have enabled already, he can grant himself, so it amounts to the same thing.
Right, he can grant them. But he doesn't actually run with them, which is the point. SYSTEM always runs with them, AFAIK.
I suppose I wasn't clear enough. Yes, Administrator is effectively root once you run through the grants. Yes, Administrator can do enough damage without doing so, for all intents and purposes.
LinuxSwede
December 15th, 2005, 12:01 AM
*shakes head* I'll continue to recommend OpenBSD because of ALL systems i know of, it's the one that is most secure.
This, is windows, is linux, the only way this moron gets to continue his BS about linux is by referring to different distros, seriously, read the thread, he's referring to different distros and when i called him out on specifics he refused to touch that flavor of BSD.
Humor a troll all you like, personally, he's a troll, he doesn't provide misinformation and he never discusses anything, he circumvents every issue by referring to something out of the discussion.
LinuxSwede
December 15th, 2005, 12:09 AM
LinuxSweede: Stop. Just stop.
LordHunter: I'm too lazy to trek all the way back through this long thread right now to find them and quote, since really they were just little nit-picks, but one that sticks out in my memory is this:
You basically said that the Administrator account on NT is not really the superuser, SYSTEM is. I suppose that is true if you really want to split hairs, but realistically, whatever rights the administrator account does not have enabled already, he can grant himself, so it amounts to the same thing.
A case in point is that while you can not normally fire up task manager and terminate the winlogon process, you can run process explorer from www.sysinternals.com and grant yourself permission to kill it, then kill it... which causes a BSOD.
I'm just curious about what i should stop doing, asking the man to actually discuss what is discussed in our discussion, you ask if linux is this or that, i can change the root password in any RH but not in Ubuntu, if you ask him he'll refer to RH on an ubuntu forum and you don't see how that is not only dishonest but even foolish?
I said "OpenBSD is the safest"
He said "but OpenVMS" (which is in no shape or form related to OpenBSD)
That's like saying Ubuntu is stable... but hey, it's not because Xenix...
I'll let it rest now though, this continuously responding to a troll is getting tiring, even for a jaded man like me.
aysiu
December 15th, 2005, 12:22 AM
I'm just curious about what i should stop doing
I'd say this:
I'm surprised, in fantasy land everything is possibly, but you decided to take your pipe dreams into the real world.
And i may suggest that you only only do bring up things you are ABSOLUTELY sure of or i will tear you a new one while explaining to this community what a complete and utter idiot you are.
I'm not even going to dignify that with a response until you do and apologize for being completely ignorant and a troll to boot.
You can continue to think that you know everything, my personal guess is that you are 18, have read bits and pieces of a lot of things and assume most things, in any case, it's obvious that you do not understand one bit of what you are talking about here.
you are a sad fraud
You are pathetic.
You probably have some valid points when you're on topic (I don't know--this discussion's a bit over my head), but sometimes you're letting it get a little too personal.
earobinson
December 15th, 2005, 12:27 AM
Offtopic:
aysiu, I think you should mod again, You always had a way with things :( maybe I'll start a thread demanding you back.
You wouldn't ban or close just moderate and move
EDIT: I know (was pretty sure) you chose to leave, It would have been a thread demanding that you go back.
aysiu
December 15th, 2005, 12:34 AM
maybe I'll start a thread demanding you back.
I appreciate the affirmation. Please don't start such a thread, though. I chose to leave. I wasn't asked to leave. Thanks, though.
psusi
December 15th, 2005, 12:42 AM
You keep spouting that line with not one shred of proof to back it up. He most certainly did explain that BSD ( Free, Open, Berkeley, whatever ) uses a Discretionary Access Control security model just like windows and linux. Default policies and configurations aside, all those systems use the same security model, and thus, when correctly configured, each is just as secure as the other.
Their default state out of the box is something else entirely, which he never argued. He has however, provided a good deal of correct factual information to back the claims that he has made, but you have made numerous statements of fact that were ridiculously wrong and have not even tried to show otherwise, which means you're just making stuff up in an attempt to support your wrong assertion.
For instance, pretty much everything you said about ACLs was absolutely wrong. Lord cited several OSes that support ACLs in pretty much the same ways as windows, some of which existed before windows did. This was all correct. You said that windows invented ACLs and that windows is the only system that uses them, and at least implied that ACLs somehow are a bad thing for security. These could not be further from the truth.
After Lord showed proof that your statements were wrong, you resorted to personal attacks.
Seriously, stop trolling. Either back up your claims with some real proof, or quit repeating them.
*shakes head* I'll continue to recommend OpenBSD because of ALL systems i know of, it's the one that is most secure.
This, is windows, is linux, the only way this moron gets to continue his BS about linux is by referring to different distros, seriously, read the thread, he's referring to different distros and when i called him out on specifics he refused to touch that flavor of BSD.
Humor a troll all you like, personally, he's a troll, he doesn't provide misinformation and he never discusses anything, he circumvents every issue by referring to something out of the discussion.
Update:
I'm just curious about what i should stop doing, asking the man to actually discuss what is discussed in our discussion, you ask if linux is this or that, i can change the root password in any RH but not in Ubuntu, if you ask him he'll refer to RH on an ubuntu forum and you don't see how that is not only dishonest but even foolish?
That was one hell of a run on sentence. I couldn't parse it. I'm not sure if you were saying that you can not change the root password in Ubuntu, or you were saying that Lord said that ( which he did not ).
He said "but OpenVMS" (which is in no shape or form related to OpenBSD)
The only reason he mentioned OpenVMS was because it supported ACLs well before windows, which contradicted your statement that windows invented ACLs.
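Added illustration, not part of the thread: the post above argues that ACLs sit inside the same discretionary model as owner/group/other permissions. The sketch below models the POSIX.1e access check used by Linux ACLs and shows a per-file ACL generalising the mode bits; the `Acl` class, uids and gids are constructed for the example, and root's override is deliberately left out.

```python
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # permission bits, as in chmod


@dataclass
class Acl:
    owner: int                 # uid of the file owner
    group: int                 # gid of the owning group
    user_obj: int              # owner permissions
    group_obj: int             # owning-group permissions
    other: int                 # permissions for everyone else
    users: dict = field(default_factory=dict)   # named users: uid -> bits
    groups: dict = field(default_factory=dict)  # named groups: gid -> bits
    mask: Optional[int] = None  # upper bound on named entries and group_obj


def from_mode(owner, group, mode):
    """Minimal ACL: exactly the classic mode bits and nothing more."""
    return Acl(owner, group, (mode >> 6) & 7, (mode >> 3) & 7, mode & 7)


def allowed(acl, uid, gids, want):
    """POSIX.1e check for a non-root process with `uid` and group set `gids`."""
    cap = 7 if acl.mask is None else acl.mask
    if uid == acl.owner:                 # 1. owner entry, never masked
        return acl.user_obj & want == want
    if uid in acl.users:                 # 2. named user entry, masked
        return acl.users[uid] & cap & want == want
    matching = []
    if acl.group in gids:                # 3. owning group and named groups
        matching.append(acl.group_obj)
    matching += [bits for gid, bits in acl.groups.items() if gid in gids]
    if matching:                         # any one matching entry may grant
        return any(bits & cap & want == want for bits in matching)
    return acl.other & want == want      # 4. everyone else


def demo():
    """Constructed scenario: file owned by uid 1000, group 100, mode 0640."""
    plain = from_mode(1000, 100, 0o640)
    # Same file, but the owner grants uid 1001 access on this file only.
    acl = from_mode(1000, 100, 0o640)
    acl.users[1001] = R | W
    acl.mask = R                         # caps the named entry at read-only
    return {
        "mode bits: outsider 1001 reads": allowed(plain, 1001, {200}, R),
        "acl: 1001 reads": allowed(acl, 1001, {200}, R),
        "acl: 1001 writes (masked)": allowed(acl, 1001, {200}, W),
        "acl: other outsider 1002 reads": allowed(acl, 1002, {200}, R),
        "acl: owner still writes": allowed(acl, 1000, {100}, W),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

With mode bits alone, the only ways to let uid 1001 read the file are adding that user to group 100 or opening the file to everyone; the ACL grants one user access to one file and leaves every other decision unchanged.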
LordHunter317
December 15th, 2005, 12:43 AM
*shakes head* I'll continue to recommend OpenBSD because of ALL systems i know of, it's the one that is most secure.
While it is very secure for many applications, you've failed to demonstrate a single reason why it would be more secure over any other choice. Things like 'privilege separation' or 'optional system call auditing' or 'stack execution countermeasures' haven't been uttered from your lips.
This, is windows, is linux, the only way this moron gets to continue his BS about linux is by referring to different distros, seriously, read the thread, he's referring to different distros
Where you made sweeping generalization about all Linux or all operating systems.
and when i called him out on specifics he refused to touch that flavor of BSD.
I've never refused to touch it. You've given no specifics, either, merely some tripe about how ACLs are less secure than normal file permissions that was barely above nonsensical blathering and sadly even fell to that level on multiple occasions.
he circumvents every issue by referring to something out of the discussion.
Show me once where I moved the subject off-topic, because you cannot.
I said "OpenBSD is the safest"
He said "but OpenVMS" (which is in no shape or form related to OpenBSD)
But I did nothing of the sort. Here's your original post and my original reply:
Originally posted by LordHunter317 in post 145: (http://www.ubuntuforums.org/showpost.php?p=574100&postcount=145)
OpenBSD
Has the same model as Windows and Linux. That being said, their implementation of a lot of things is far superior. It's also worse in a lot of areas, especially on the desktop.
(emphasis added) I see no mention of OpenVMS anywhere here.
So no, I did nothing of the sort you claimed. This is typical of your posts here, and I hope everyone can plainly see your obvious lies.
LinuxSwede
December 15th, 2005, 12:44 AM
I'd say this: You probably have some valid points when you're on topic (I don't know--this discussion's a bit over my head), but sometimes you're letting it get a little too personal.
Yeah, when the man is actually changing the topic into what he likes it to be from what the discussion is about it pisses me off, the man is trolling, it's SO obvious, read his posts, he's not answering anything, he's just avoiding and deflecting.
WTH is this, "wannabe politicians forums" This is Ubuntu forums if i am not incorrect, most about what he's writing about linux isn't even applicable on Ubuntu because of the security model OOB of Ubuntu is quite different from RH where logging in as root is as simple as pressing a, enter and use passwd to set the root password.
He's taking every flaw out of every distro and presenting them as flaws in Linux and he's correct while also being dishonest.
When CALLED OUT regarding a specific flavor of BSD he doesn't only mention multiple linux distros but also another flavor of BSD because it is different, it's dishonest and has nothing to do with the topic of the discussion.
You may ban me, but the point i'm trying to make is that this guy is dishonest to the core, he's been proving that over and over again and he keeps going even when he's involved with a distro he doesn't know **** about, namely OpenBSD.
FYI, maybe you think that is harsh, but how do you treat someone who is nothing but a sad troll WHEN THE MODS IGNORE IT?
This forum isn't moderated, trolling is general pastime for many a members, question them and YOU are the problem.
I even complimented this guy for starters, until i realized that he's a bot, he'll keep responding to posts about Ubuntu with saying that RH is different, to posts about OpenBSD by OpenVMS being different...
I'm sorry but preserving the trolls while removing the ones who call them on their trolling will not a good forum make.
LinuxSwede
December 15th, 2005, 12:58 AM
While it is very secure for many applications, you've failed to demonstrate a single reason why it would be more secure over any other choice. Things like 'privilege seperation' or 'optional system call auditing' or 'stack execution countermeasures' haven't been uttered from your lips.
Where you made sweeping generalization about all Linux or all operating systems.
I've never refused to touch it. You've given no specifics, either, merely some tripe about how ACLs are less secure than normal file permissions that was barely above nonsensical blathering and sadly even fell to that level on multiple occasions.
Show me once where I moved the subject off-topic, because you cannot.
But I did nothing of the sort. Here's your original post and my original reply: (emphasis added) I see no mention of OpenVMS anywhere here.
So no, I did nothing of the sort you claimed. This is typical of your posts here, and I hope everyone can plainly see your obvious lies.
It's the same way you have dismissed so many others, in the following posts it is quite obvious that you do in fact continue to relate to everything other than what the discussion was about, which was OpenBSD, i even asked you SEVERAL TIMES to keep it on topic for our discussion about it yet you referred to four different OS's, none of them were OpenBSD.
I don't care what you think about me, i really don't, and since users tend to read the common out of context reply you'll probably win this debate with other users as you have done with the user above you who has OBVIOUSLY not taken the effort to read the thread in its entirety.
Anyway, i apologize for the emotional bit, i do get that way and i do know it, quite frankly i'm used to places where flames fans a lot higher without anyone reacting, if you have ever visited the core coders mailing lists you know what i'm referring to. But it really doesn't matter much to neither you nor me though, we'll still be doing what we do every day.
Best of luck and i hope you make the headlines and just if you are interested i have a deeper security model which might interest you, you know where to look.
Take care
//TDR
KiwiNZ
December 15th, 2005, 01:08 AM
OK
To everyone posting in this thread. Please keep to the subject, respect each other and stop the personal attacks.
Thank you
psusi
December 15th, 2005, 01:20 AM
If you were referring to me as "the user above you", I did take the time ( about 3 hours worth ) to read every single post in this thread, thank you very much.
I don't care what you think about me, i really don't, and since users tend to read the common out of context reply you'll probably win this debate with other users as you have done with the user above you who has OBVIOUSLY not taken the effort to read the thread in its entirety.
LordHunter317
December 15th, 2005, 01:29 AM
Yeah, when the man is actually changing the topic into what he likes it to be from what the discussion is about it pisses me off,
Provide proof.
he's not answering anything, he's just avoiding and deflecting.
:rolleyes:. You're being directly asked to provide proof. Not doing so is a deflection on your part.
You're the one who tried to dismiss me as irrelevant because I was talking about other distros than Ubuntu, and then lied about you doing the same. I think you're the one committing deflections.
most about what he's writing about linux isn't even applicable on Ubuntu because of the security model OOB of Ubuntu is quite different from RH
Which I've noted as appropriate if you'd practice reading comprehension.
He's taking every flaw out of every distro and presenting them as flaws in Linux
I've done nothing of the sort.
When CALLED OUT regarding a specific flavor of BSD
You never called out crap.
he doesn't only mention multiple linux distros but also another flavor of BSD because it is different,
No.. This is what you said:
And yet they are not implemented in OpenSolaris, *BSD or Linux or any sane modern OS except for XP.. Gee, i wonder why.
Funny, You talked about Solaris, all Linux, and all BSD FIRST, not I.
My simple reply was:
Wrong, wrong and wrong on all counts. Linux supports them, Solaris supports them, FreeBSD supports them.
it's dishonest and has nothing to do with the topic of the discussion.
It had everything to do with the topic because YOU introduced it. You can't stuff the cat in the bag once it's out, I'm afraid.
but the point i'm trying to make is that this guy is dishonest to the core,
Unlike you, who's openly lied about what he's said previously multiple times? I wouldn't be repeating your posts to you if you kept a consistent face and dropped the false accusations.
he's involved with a distro he doesn't know **** about, namely OpenBSD.
You've shown nothing of the sort.
FYI, maybe you think that is harsh, but how do you treat someone who is nothing but a sad troll WHEN THE MODS IGNORE IT?
I do my best to ignore it. I think it's safe to infer at this point that you however, keep carrying on in your antics.
This forum isn't moderated, trolling is general pastime for many a members, question them and YOU are the problem.
:rolleyes: WTF? Non-sequitur because I have no clue what you're even attempting to say.
I even complimented this guy for starters, until i realized that he's a bot, he'll keep responding to posts about Ubuntu with saying that RH is different, to posts about OpenBSD by OpenVMS being different...
Once again, show me where I did anything of the sort.
It's the same way you have dismissed so many others, in the following posts it is quite obvious that you do in fact continue to relate to everything other than what the discussion was about, which was OpenBSD,
(emphasis mine) Then why did YOU:
Make the claim Windows originally created ACLs? Hell, entered the separate ACL discussion at all?
Make the claim no other operating system, specifically listing Linux, *BSD, and OpenSolaris as having ACL support
Make the claim no Linux distro supports ACLs OOB?
For someone who's only talking about OpenBSD, you seem to have introduced a host of tangential subjects, which I replied to in turn.
LinuxSwede
December 15th, 2005, 01:33 AM
You ask for proof, read the damn thread...
You are a very boring troll actually because you'll even deny things that you have said in the same thread while never admit other things you said in the same thread.
AND worst of all is the misrepresentation.
You'll excuse me if i never take you serious from now on, i'm sure
KiwiNZ
December 15th, 2005, 01:34 AM
Ok I have seen enough here I am closing this thread
PryGuy
January 19th, 2006, 01:27 AM
Hello there!
Windows has many viruses and spyware, Linux has less. But why's that?;)
adam.tropics
January 19th, 2006, 02:26 AM
Well I was once told (I don't really subscribe to this) it's because most people who write the viruses prefer to use linux, so why would they design something which would cause themselves a problem! Not sure about that!
Derek Djons
January 19th, 2006, 03:55 AM
The most virus-writers are actually crackers, lousy crackers that is. These people often choose Windows because once exploiting the OS or other file, procedure and or technology they have root control / administrator control.
Windows users with virus scanner and firewall often don't even notice such viruses.
To take on Linux would be indeed throwing in your own glasses just as adam.tropics said. I don't know if the same still will happen but it would be a pity. Also some or many of those crackers would like to install Linux on their box sometimes. And if I can't live with something myself... that'll just have to be using Linux with a virus scanner.
ardchoille
January 19th, 2006, 05:03 AM
Simply because of the way Linux is built vs. the way Windows is built:
http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/
Even if Linux was the only OS around, we still would not see viruses, trojans and worms having the same effect on Linux machines that they do on Windows machines. It's kind of a waste of time to write these things for Linux because these things would fizzle out quickly.
ssam
January 19th, 2006, 05:23 AM
I heard a theory that windows programmers get frustrated with the system, as it is too closed to let them play around with. If you are trying to use some system call or api that has incorrect documentation, and you can just download the source code for it then you end up wanting to break stuff.
a programmer on linux has unlimited access all the way through to the kernel. any frustration they get when something does not work can be channelled toward finding the bug and fixing it.
i doubt this is the full reason (or even half of it) but it may account for some people.
the windows being a bigger target does not stand up to there being a similar number of webservers running windows and linux. i'd imagine web servers are pretty good targets to attack if you want to gather things like credit card numbers.
23meg
January 19th, 2006, 05:23 AM
Regarding viruses and security threats all three apply, and I believe the last option is underrated; when Linux hackers find security flaws they focus on fixing them rather than exploiting them to cause damage, because they believe in making the platform more secure, and they can do this directly by submitting patches; they don't have to resort to indirect methods such as exploits and threats to cause damage, because there isn't a single big corporation on top that they have to threaten and put pressure on and that everyone begs for fixes from.
nocturn
January 19th, 2006, 06:07 AM
There are numerous reasons for this, but an often overlooked one is the dangers of any monoculture.
Part of the strength of Linux comes from its diversity, this means that exploits may only hit one or a few distributions at once or have to be written and tested to suit all common ones.
Diversity makes for a good defense, both in Nature and technology.
fuscia
January 19th, 2006, 06:14 AM
even in xp, aren't all users essentially signed in as root with only the delusional separation of a different desktop?
BSDFreak
January 19th, 2006, 06:21 AM
Apache slammer showed us that Linux admins are just as lazy as their Windows counterparts, it's not harder to make a trojan for Linux than it is for Windows, in fact, it's EASIER to make worms, trojans or find exploits since the code is open, it's also easier to fix for the very same reason. What (most of) *nix has that Windows doesn't is a sane user policy by default so the damage is commonly limited (however, as soon as a user executes anything with extended privileges it opens the entire system for the attack).
People install Linux and think that they have a secure system, many times they have a wide open system, a default Ubuntu install is wide open yet i don't see all that many "you MUST enable the firewall" posts as i see on windows forums regarding slipstreaming sp2 or at least having it downloaded and installed before you connect to the net. (this is, of course, because SP2 enables a firewall)
BSDFreak
January 19th, 2006, 06:22 AM
even in xp, aren't all users essentially signed in as root with only the delusional separation of a different desktop?
They are all admins by default, correct. They don't have to be though.
tufkakf
January 19th, 2006, 06:53 AM
Apache slammer showed us that Linux admins are just as lazy as their Windows counterparts, it's not harder to make a trojan for Linux than it is for Windows, in fact, it's EASIER to make worms, trojans or find exploits since the code is open, it's also easier to fix for the very same reason. What (most of) *nix has that Windows doesn't is a sane user policy by default so the damage is commonly limited (however, as soon as a user executes anything with extended privileges it opens the entire system for the attack).
As Apache is not Linux and doesn't only run on Linux, you don't have a point, sorry.
If you wanted to say that Linux and particularly programs running on top of Linux are not 100% secure you are of course right, but then again, nobody said they were.
People install Linux and think that they have a secure system, many times they have a wide open system, a default Ubuntu install is wide open yet i don't see all that many "you MUST enable the firewall" posts as i see on windows forums regarding slipstreaming sp2 or at least having it downloaded and installed before you connect to the net. (this is, of course, because SP2 enables a firewall)
Sigh. No, it is not wide open, as no, I repeat, no daemon that listens on the network is installed.
lgmdaniel
January 19th, 2006, 07:19 AM
Let me see... Linux and OSX is based on UNIX used by business and the military for years, networking and efficiency from the beginning, problems fixed quickly and a fast turn around on patching and code.. how many UNIX viruses and attacks do you hear about? Most Linux people have come from a system admin/support/IT role and know rather a lot about UNIX. Meaning they are less desirable targets.
Original Windows.. is based on DOS.. which all had loads of problems. Mainly as it was not designed for networking but as a standalone unit, networking was shoved in later. So it was easy to attack, as was 3.11, 95, 98 and the shambles that was ME. Then they bought out 2000 and XP, heavily bloated and full of holes, the trend just continued. Also a large base of users who know nothing about the machines they use.
Also a large number of hackers are just people fiddling about, the more complex it gets the less attacks you will get. It's like tagging they are just trying to show off. Well apart from the people that really enjoy the challenge, then they are the professionals, who make money out of what they do and you would probably never know they were there.
lgmdaniel
January 19th, 2006, 07:29 AM
Let me see... Linux and OSX is based on UNIX used by business and the military for years, networking and efficiency from the beginning, problems fixed quickly and a fast turn around on patching and code.. how many UNIX viruses and attacks do you hear about? Most Linux people have come from a system admin/support/IT role and know rather a lot about UNIX. Meaning they are less desirable targets.
Original Windows.. is based on DOS.. which all had loads of problems. Mainly as it was not designed for networking but as a standalone unit, networking was shoved in later. So it was easy to attack, as was 3.11, 95, 98 and the shambles that was ME. Then they bought out 2000 and XP, heavily bloated and full of holes, the trend just continued. Also a large base of users who know nothing about the machines they use.
Also a large number of hackers are just people fiddling about, the more complex it gets the less attacks you will get. It's like tagging they are just trying to show off. Well apart from the people that really enjoy the challenge, then they are the professionals, who make money out of what they do and you would probably never know they were there.
Another problem is that most UNIX and Linux users should not be the super user thus if a virus does attack then it only has access to your 'allowed' part of the system. Not the case with Windows, you are the super user all the time and the virus once kicked off has free control over your PC.
This means most of these viruses fizzle out, while the PC versions spread like wild fire.
BSDFreak
January 19th, 2006, 07:46 AM
As Apache is not Linux and doesn't only run on Linux, you don't have a point, sorry.
If you wanted to say that Linux and particularly programs running on top of Linux are not 100% secure you are of course right, but then again, nobody said they were.
The point was that it hit 30k+ linux boxes running apache, it shows exactly what i said it shows, that Linux admins are as sloppy as their windows counterparts. My point is valid, you just didn't understand it.
Sigh. No, it is not wide open, as no, I repeat, no daemon that listens on the network is installed.
Yes it is wide open, if you have nothing protecting your box's in and outgoing communication then it IS, i repeat, is wide open, just imagine what a trojan could do in that environment.
If you do the default install and never touch it, never download anything and never install anything else on it, then sure, it's somewhat secure.
However, since all installed daemons (which you install or which are installed as dependencies) are listening to all installed interfaces (and installed daemons default to being run at every bootup in the default runlevel) it won't take long before you have a lot of ports listening to the net for connections, i'm sure you know how to check this for yourself but most users don't have a clue.
It's easy to set up a firewall, it's the first step towards a secure system and it's a damn shame that it's not enabled by default.
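The check this post alludes to (which daemons are listening, and on which interfaces) can be made from the kernel's socket table. The following is an added example, not part of the original thread: it parses `/proc/net/tcp`, keeps sockets in the LISTEN state and labels each as bound to all interfaces, one interface, or loopback only. The sample table is constructed, the function names are assumptions of this example, a little-endian host is assumed, and only IPv4 (`/proc/net/tcp`, not `tcp6`) is covered.

```python
"""List listening TCP sockets from /proc/net/tcp and the interfaces they bind to."""
import socket
import struct
from typing import List, NamedTuple, Tuple

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:01BD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0F02000A:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 10005 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A  # kernel TCP state number for LISTEN


class Listener(NamedTuple):
    ip: str
    port: int
    scope: str
    uid: int


def decode_addr(field: str) -> Tuple[str, int]:
    """Decode 'HEXIP:HEXPORT'. Assumes a little-endian host (e.g. x86),
    where the kernel prints the IPv4 address with its bytes reversed."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def scope_of(ip: str) -> str:
    """Classify a bind address by how far the socket is reachable."""
    if ip == "0.0.0.0":
        return "all interfaces"
    if ip.startswith("127."):
        return "loopback only"
    return "one interface"


def listening_sockets(text: str) -> List[Listener]:
    """Return LISTEN sockets sorted by port; established connections are skipped."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header row and truncated lines.
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append(Listener(ip, port, scope_of(ip), int(fields[7])))
    return sorted(found, key=lambda s: s.port)


def network_reachable_ports(text: str) -> List[int]:
    """Ports a remote host could connect to, i.e. not bound to loopback."""
    return [s.port for s in listening_sockets(text) if s.scope != "loopback only"]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP  # not on Linux: fall back to the sample
    for s in listening_sockets(table):
        print(f"{s.ip}:{s.port:<6} uid={s.uid:<5} {s.scope}")
```

An empty result from `network_reachable_ports` corresponds to the "no open ports" state argued over in this thread; any port it returns is a service worth either rebinding to loopback or filtering.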
tufkakf
January 19th, 2006, 08:14 AM
The point was that it hit 30k+ linux boxes running apache, it shows exactly what i said it shows, that Linux admins are as sloppy as their windows counterparts. My point is valid, you just didn't understand it.
I see.
Question: Why does Linux have less viruses and spyware?
Answer by BSDFreak: As the Apache slammer worm shows, Linux admins are just as sloppy as Windows admins.
Great.
And I'll have to repeat myself here, but Apache is not, I repeat, not Linux only.
Yes it is wide open, if you have nothing protecting your box's in and outgoing communication then it IS, i repeat, is wide open,
But I don't have anything that needs protection by default, that's the point. No daemons, nothing. So no, it's not wide open, I'm sorry.
just imagine what a trojan could do in that environment.
Yes, please tell me what it could do. Thanks.
If you do the default install and never touch it, never download anything and never install anything else on it, then sure, it's somewhat secure.
However, since all installed daemons (which you install or which are installed as dependencies) are listening to all installed interfaces (and installed daemons default to being run at every bootup in the default runlevel) it won't take long before you have a lot of ports listening to the net for connections, i'm sure you know how to check this for yourself but most users don't have a clue.
Um, that's not true. Take nfs, or rather IPC for example. By default it does not listen on all interfaces, you'll have to tell it first what interfaces you want it to listen to.
And what desktop apps exactly do install daemons that are configured to listen on the net by default?
It's easy to set up a firewall, it's the first step towards a secure system and it's a damn shame that it's not enabled by default.
Sigh. A firewall can be useful if you know what you are doing, but you don't get better security by simply plastering a firewall on your system, you'll only get a false sense of security.
xequence
January 19th, 2006, 08:31 AM
'Tis designed better.
BSDFreak
January 19th, 2006, 09:34 AM
I see.
Question: Why does Linux have less viruses and spyware?
Answer by BSDFreak: As the Apache slammer worm shows, Linux admins are just as sloppy as Windows admins.
Great.
And I'll have to repeat myself here, but Apache is not, I repeat, not Linux only.
You can repeat yourself until you're blue in the face, the point is still the same, it doesn't matter what OS you run if your admin is lazy, a system, ANY system is as secure as it's set up to be.
Then there are several other worms targeted for Linux exclusively such as Linux Slapper and Linux Lupper. Lupper has been known to install Perl/Shellbot and Linux/BackDoor-Rev.b
But I don't have anything that needs protection by default, that's the point. No daemons, nothing. So no, it's not wide open, I'm sorry.
That would be true if there are absolutely no exploits or worms for Linux.
Yes, please tell me what it could do. Thanks.
Well, it could connect to an Internet Relay Chat (IRC) server and join a predetermined and password-protected channel as configured by the malicious user. When successful, it may then receive commands from a remote user.
That's what the Perl/Shellbot trojan for Linux does.
Or connect to an arbitrary Internet address and port chosen by the malicious user, and then the backdoor daemon forks a subshell that is redirected to the newly established network connection. Malicious users of this backdoor may then remotely execute arbitrary system commands on the compromised machine over this channel.
Which is what Linux/BackDoor-Rev.b does.
Sigh. A firewall can be useful if you know what you are doing, but you don't get better security by simply plastering a firewall on your system, you'll only get a false sense of security.
With tools such as firestarter all you have to do is install it and run the wizard.
nocturn
January 19th, 2006, 09:43 AM
Apache slammer showed us that Linux admins are just as lazy as their Windows counterparts,
Slammer also showed that viruses for Linux do not work on all distributions. Therefore the damage it can do is limited. Now, throw in some *BSD and eventually other systems and you have a nice mix in which a single virus cannot bring your entire infrastructure down.
Some good practices could also prevent a slammer attack, one of them is to set /tmp noexec and nosuid. nosuid at the least should also be applied to /home.
it's not harder to make a trojan for Linux than it is for Windows, in fact, it's EASIER to make worms, trojans or find exploits since the code is open
I don't believe this. If this were true, why isn't Apache the prime target of webserver attacks? IIS is after all a smaller player and closed source.
People install Linux and think that they have a secure system, many times they have a wide open system, a default Ubuntu install is wide open yet i don't see all that many "you MUST enable the firewall" posts ...
Exactly how is a default install of Ubuntu vulnerable without firewall? It does not have open ports AFAIK, something that is different on WinXP.
To be fair though, I always have a border firewall on networks. But I'd much rather plug my Ubuntu naked to the world than a Win machine.
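The mount options recommended in this post (`noexec` and `nosuid` on /tmp, at least `nosuid` on /home) can be verified from the mount table. The following is an added example, not part of the original post: it parses text in `/proc/mounts` layout, finds the mount that actually governs each path, and reports the options that are missing, including the case where /tmp is not a separate filesystem and so inherits the options of `/`. Both sample tables are constructed and the function names are assumptions of this example.

```python
"""Check that /tmp and /home carry the restrictive mount options suggested above."""
from typing import Dict, List, Set, Tuple

# What the post recommends: noexec + nosuid on /tmp, at least nosuid on /home.
WANTED: Dict[str, Set[str]] = {"/tmp": {"noexec", "nosuid"}, "/home": {"nosuid"}}

# Constructed samples in /proc/mounts layout (device, mountpoint, type, options, ...).
SAMPLE_SEPARATE_TMP = """\
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev 0 0
"""
SAMPLE_SINGLE_ROOT = """\
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
"""

Mount = Tuple[str, Set[str]]


def parse_mounts(text: str) -> List[Mount]:
    """Return (mountpoint, options) pairs in table order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        mountpoint = fields[1].replace("\\040", " ")  # kernel escapes spaces
        mounts.append((mountpoint, set(fields[3].split(","))))
    return mounts


def governing_mount(path: str, mounts: List[Mount]) -> Mount:
    """Pick the mount whose options apply to `path`: the longest mountpoint
    that is a prefix of the path; a later entry wins over an earlier one."""
    best = None
    for mountpoint, options in mounts:
        covers = (
            mountpoint == "/"
            or path == mountpoint
            or path.startswith(mountpoint.rstrip("/") + "/")
        )
        if covers and (best is None or len(mountpoint) >= len(best[0])):
            best = (mountpoint, options)
    if best is None:
        raise ValueError(f"no mount covers {path}")
    return best


def audit(text: str, wanted: Dict[str, Set[str]] = WANTED) -> Dict[str, Tuple[str, List[str]]]:
    """Map each path to (governing mountpoint, sorted list of missing options)."""
    mounts = parse_mounts(text)
    report = {}
    for path, required in wanted.items():
        mountpoint, options = governing_mount(path, mounts)
        report[path] = (mountpoint, sorted(required - options))
    return report


if __name__ == "__main__":
    try:
        with open("/proc/mounts") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_SEPARATE_TMP  # not on Linux: fall back to the sample
    for path, (mountpoint, missing) in audit(table).items():
        status = "ok" if not missing else "missing " + ",".join(missing)
        print(f"{path:<6} governed by {mountpoint:<6} {status}")
```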
tufkakf
January 19th, 2006, 09:52 AM
You can repeat yourself until you're blue in the face, the point is still the same, it doesn't matter what OS you run if your admin is lazy, a system, ANY system is as secure as it's set up to be.
And I quote myself:
If you wanted to say that Linux and particularly programs running on top of Linux are not 100% secure you are of course right, but then again, nobody said they were.
That would be true if there are absolutely no exploits or worms for Linux.
Sigh. No, a worm can not attack me if no daemon is running. Other exploits can of course, but then again, having a firewall wouldn't prevent them anyway, so...
Well, it could connect to an Internet Relay Chat (IRC) server and join a predetermined and password-protected channel as configured by the malicious user. When successful, it may then receive commands from a remote user.
And it can't do that with normal firestarter generated iptables rules if people simply follow the wizard as you suggest? Of course it can, so you again don't have a point. Are you arguing just for the sake of arguing?
With tools such as firestarter all you have to do is install it and run the wizard.
See above...
nocturn
January 19th, 2006, 09:53 AM
Yes it is wide open, if you have nothing protecting your box's in and outgoing communication then it IS, i repeat, is wide open, just imagine what a trojan could do in that environment.
If you do the default install and never touch it, never download anything and never install anything else on it, then sure, it's somewhat secure.
However, since all installed daemons (which you install or which are installed as dependencies) are listening to all installed interfaces (and installed daemons default to being run at every bootup in the default runlevel) it won't take long before you have a lot of ports listening to the net for connections, i'm sure you know how to check this for yourself but most users don't have a clue.
That is just it, the default install has no open ports, therefore there is nothing to block using your firewall.
If you are installing SSH or samba, then you should be able to also install firestarter (or something similar).
It's easy to set up a firewall, it's the first step towards a secure system and it's a damn shame that it's not enabled by default.
No, it is not. Not having any services listening to the outside is a secure setup.
Setting up a firewall may be easy to you and me, but most end users do not even know what it is, let alone how to use it.
nocturn
January 19th, 2006, 10:00 AM
You can repeat yourself until you're blue in the face, the point is still the same, it doesn't matter what OS you run if your admin is lazy, a system, ANY system is as secure as it's set up to be.
Of course, but this is where Linux does things better than Windows. A default setup of most distros is much more secure than a default winXP setup.
Then there are several other worms targeted for Linux exclusively such as Linux Slapper and Linux Lupper. Lupper has been known to install Perl/Shellbot and Linux/BackDoor-Rev.b
And how big was their impact? How many servers did they take down. Apache dominates the Webserver market, yet the malware failed to cause massive damage.
Well, it could connect to an Internet Relay Chat (IRC) server and join a predetermined and password-protected channel as configured by the malicious user. When successful, it may then receive commands from a remote user.
That's what the Perl/Shellbot trojan for Linux does.
Yes, if you have been infected through a different channel. Not having a firewall on the default install does not pose a threat in having your machine compromised.
Your example indicates what could happen after you have been infected with a trojan via another path. Yes, it could then open an IRC channel, which it also could through the installed firewall if it defaults to allowing outgoing connections (if not, many users will not be able to connect to the net).
Then again, if a virus already infected your Linux box and wants outside access, why would it not simply turn the firewall off?
DigitalDuality
January 19th, 2006, 10:02 AM
I think it's multiple reasons..some in the Linux's favor, others not.
#1. The focus on root/non-root use of a machine definitely helps things out.
#2. Generally your linux crowd, yes even a good portion of the "i'm only an end user" crowd tend to have better knowledge of what's going on with a computer.
#3. No software is embedded in the OS like IE is for windows, and as WMP becomes more and more. Viruses attack software, not operating systems.
#4. Linux only has about 2-3% of the market share, and Mac only has about 9-11%. Until these two gain some ground in popularity, the rules of the market will dictate that there's no real reason to write viruses or spyware that will affect these systems, definitely not at the level that's currently written for windows.
The thing that really gets to me is Mac users. Now i'm going to make a sweeping generalization here and i am aware of its fallible nature, but i'd say most of Mac users are just as non-knowledgeable about computers as their Windows using peers. Yet they're A) on a system better designed to handle security threats, B) on a system not popular enough to really warrant a butt load of viruses or spyware (if any at all) to be written for them
They, like the linux crowd, think they don't need an anti-virus nor an anti-spyware application and don't really worry about it. A good deal of their base is coddled in every way, shape and form by Apple itself, and they're taught "this will take care of your virus problems that you have on windows". So they get arrogant.
They still don't practice good security practices..and if OS X were to ever rise up in popularity, i think the system has some advantages over Windows systems b/c of its *nix base, but the lack of security practices of its users..(even less than windows users) would do them in.
ssam
January 19th, 2006, 10:09 AM
Slammer also showed that viruses for Linux do not work on all distributions. Therefore the damage it can do is limited.
don't worry autopackage should fix this :-)
something written cleverly in bash could affect a wide number of distros in their default configurations.
ubuntu's no open ports policy makes the default set up fairly safe. there should be no possible packet that you can send at it that it will respond to. the exception would be if there was a bug in the network stack somewhere.
i guess the most vulnerable thing is firefox/gaim. yes i know these are not "linux", but then a computer with just the kernel on it is unlikely to be hacked (or even booted). similar with windows. most of the vulnerabilities are in things like MSIE or outlook.
firefox deal with lots of data from possibly bad places. its big and complicated, it contains interpreted programming languages etc. if something managed to install itself as a firefox plugin then it could be quite dangerous. it could do a lot of spying on what you do online and report these back to a webserver. it could send thousands of emails (if there is still mail code in there). scan your harddrive for interesting files.
a firewall won't protect against this scenario. nor will the unix permission system.
prizrak
January 19th, 2006, 11:41 AM
#4. Linux only has about 2-3% of the market share, and Mac only has about 9-11%. Until these two gain some ground in popularity, the rules of the market will dictate that there's no real reason to write viruses or spyware that will affect these systems, definitely not at the level that's currently written for windows.
Mac has a 4.5% market share. Linux is NOT an underdog in the OS market, only 49% of the servers are run by Windows the rest is run by various other OS's of which I'd say Linux prolly runs about 30% making it a VERY feasible target for virus creators (as Apache Slammer showed)
A little side note: Apache Slammer used SSH vulnerabilities that only existed in Linux effectively making it a Linux worm.
As someone said before malware doesn't target an OS, OS is largely irrelevant, they target w/e runs on top of it. With the proliferation of cross-platform software we WILL see more viruses that will run on any OS that software was ported to. Having a firewall enabled in any OS is a good idea, furthermore default firestarter setup sux monkey balls as it allows ALL outgoing connections. Better security practice is to force users to open up the ports as they need them for functionality (3rd party Windows firewalls tend to do that).
GeneralZod
January 19th, 2006, 11:52 AM
Having a firewall enabled in any OS is a good idea, furthermore default firestarter setup sux monkey balls as it allows ALL outgoing connections. Better security practice is to force users to open up the ports as they need them for functionality (3rd party Windows firewalls tend to do that).
I heard there was some technical problem with implementing this, as apparently the stock Linux kernel firewall system doesn't have access to the process ID of the app making the outbound request. Does anyone know any more about this (i.e. whether I'm right or just talking a bunch of pants :))? I notice that tuxguardian requires some additional kernel modules to be installed.
DigitalDuality
January 19th, 2006, 11:53 AM
On the server side, Linux has a much much bigger percentage of market share. Especially when you factor the cost in for server editions of Windows, even a Window's centric sys admin will tell you *nix is the only option purely from a cost perspective. It's also been a server much longer.
But overall, Linux's % drops when you factor in most of the end users. And it's the overall market i think, that would make a system more appealing for viruses.
tufkakf
January 19th, 2006, 12:03 PM
Having a firewall enabled in any OS is a good idea, furthermore default firestarter setup sux monkey balls as it allows ALL outgoing connections. Better security practice is to force users to open up the ports as they need them for functionality (3rd party Windows firewalls tend to do that).
I disagree.
First off, users don't have to open ports if they use third party firewalls on windows, but have to allow an application to get on the net. The problem with that is of course that malware can and does easily circumvent it by using some other program to get on the net.
Also, iptables is not a firewall, but a packet filter and a good one at that. It's very powerful but can also be used to simply block ports and nothing more.
Further, having a per application firewall isn't really a solution, not getting malware in the first place is and having a repository system for installing software in place is a very good start for this.
Stormy Eyes
January 19th, 2006, 12:05 PM
You can repeat yourself until you're blue in the face, the point is still the same, it doesn't matter what OS you run if your admin is lazy, a system, ANY system is as secure as it's set up to be.
BSDFreak is right, guys: a system's security depends on the paranoia and conscientiousness of its admin. If the admin is sloppy, the system will get pwned. The only difference between Linux and Windows is that Windows encourages sloppiness.
23meg
January 19th, 2006, 12:05 PM
furthermore default firestarter setup sux monkey balls as it allows ALL outgoing connections.
There's no such thing as the default Firestarter setup since what it reflects is whatever the iptables configuration is at any given time.
Better security practice is to force users to open up the ports as they need them for functionality (3rd party Windows firewalls tend to do that).
That's a per-distro default configuration decision, not a Firestarter decision; in Ubuntu you have no open ports by default and you have to explicitly install software that listens on particular ports in order to have them, so yes, you open ports as you need them for functionality, with or without Firestarter. This is why direct comparisons between Firestarter and Windows firewalls don't make sense.
mstlyevil
January 19th, 2006, 12:19 PM
#4. Linux only has about 2-3% of the market share, and Mac only has about 9-11%. Until these two gain some ground in popularity, the rules of the market will dictate that there's no real reason to write viruses or spyware that will affect these systems, definitely not at the level that's currently written for windows.
I have a hard time buying these numbers. Mac accounts for 3-4% of PC sales and preloaded Linux accounts for 2-3% depending on who is calculating sales data. The true number of Linux boxes can not be accurately counted because most distributions are free and very few people buy their boxes with Linux preloaded. My personal opinion is that 5-6% of PCs run Linux or dual boot. I do know one thing and that is there are a hell of a lot more Linux users than Mac users worldwide.
Also the myth that virus writers avoid Mac and Linux because there are not enough of them out there is utter bs. Crackers pride themselves in breaking in and compromising what most would consider hard to or impossible to crack systems. Unix/Linux/Mac were designed with better security by default making it harder to do massive damage without running as root/su. The lack of viruses is by no means for lack of trying on the part of people who get a kick out of taking control of other people's boxes and breaking them. Also if I have read my statistics correctly Windows server only has somewhere around 28% of the server market and the rest are Unix/Linux based. That would make Linux more of a target because if you compromise a server you have a better chance of more widespread damage.
prizrak
January 19th, 2006, 02:08 PM
Also, iptables is not a firewall, but a packet filter and a good one at that. It's very powerful but can also be used to simply block ports and nothing more.
Further, having a per application firewall isn't really a solution, not getting malware in the first place is and having a repository system for installing software in place is a very good start for this.
I didn't say it has to open per-application; believe it or not, there are Windows firewalls that do ports rather than/in addition to applications. Yes not getting malware is one thing BUT in case you get a trojan (which do exist for Linux) having a whitelisting setup is better than blacklisting. Most trojans (that I am aware of) open their own ports rather than use the "normal" ones.
There's no such thing as the default Firestarter setup since what it reflects is whatever the iptables configuration is at any given time.
I was referring to what config Firestarter defaults to after running the wizard on the Ubuntu box, I apologize for not clarifying that.
That's a per-distro default configuration decision, not a Firestarter decision; in Ubuntu you have no open ports by default and you have to explicitly install software that listens on particular ports in order to have them, so yes, you open ports as you need them for functionality, with or without Firestarter. This is why direct comparisons between Firestarter and Windows firewalls don't make sense.
While the DEFAULT Ubuntu doesn't have any ports open, any *ware that needs to use a port just opens one up, it is completely unchecked. If you have a firewall that defaults to not allowing ANY outgoing connections it will stop any *ware that tries to connect to the internet on its own accord. A user would have to manually open the port needed for that software, which in turn means that if it's trojan like software that was installed w/o user's knowledge it will not be able to open up its own ports. Of course it can use HTTP protocol or something to that effect but that would be a job for a much more elaborate firewall than Firestarter. Direct comparison between Windows and Linux firewalls is IMO fair since both are there to do the same job.
I heard there was some technical problem with implementing this, as apparently the stock Linux kernel firewall system doesn't have access to the process ID of the app making the outbound request. Does anyone know any more about this (i.e. whether I'm right or just talking a bunch of pants )? I notice that tuxguardian requires some additional kernel modules to be installed.
I think it's more along the lines of useless, there are too many programs using things like python making it pretty impossible to tell one program from another. Gdesklets for example shows up as python in the System Monitor so does the default BT client.
23meg
January 19th, 2006, 02:27 PM
While the DEFAULT Ubuntu doesn't have any ports open, any *ware that needs to use a port just opens one up, it is completely unchecked.
Same goes for any non-malicious application that needs network access.
If you have a firewall that defaults to not allowing ANY outgoing connections it will stop any *ware that tries to connect to the internet on its own accord.
For the above reason, it will block every app. It seems you're after a Windows Firewall kind of solution where every app except the default ones installed with Ubuntu will be blocked by default and the user will have to unblock them one by one. This again goes beyond Firestarter's scope and is a per-distro configuration decision, one that I believe Ubuntu shouldn't and wouldn't take.
Direct comparison between Windows and Linux firewalls is IMO fair since both are there to do the same job.
Firestarter is a frontend to iptables, which isn't a firewall per se but only instructs the Linux kernel to set its IP filtering rules, whereas Windows firewalls are defensive apps written from the ground up to work on top of the Windows networking stack. I reckon what you want implemented is a much more elaborate firewall than Firestarter.
tufkakf
January 19th, 2006, 04:06 PM
I didn't say it has to open per-application; believe it or not, there are Windows firewalls that do ports rather than/in addition to applications. Yes not getting malware is one thing BUT in case you get a trojan (which do exist for Linux) having a whitelisting setup is better than blacklisting. Most trojans (that I am aware of) open their own ports rather than use the "normal" ones.
This would be a horrible setup for most purposes. Just imagine the thousands of posts you'd get here because apps people install simply don't work. And now you even suggest they should not be able to allow access on a per application basis, but have to open a port?
And most malware worth its salt would simply use ports that are already open and if your box already got rooted, they would be able to open any port they need anyway, so no, I still don't see the big advantage of such a setup.
prizrak
January 19th, 2006, 10:01 PM
23meg,
No I'm not really after a Windows like firewall although I must admit that some of the personal ones are more powerful than ipchains/tables that come with Linux (let's face it, it's a fairly basic solution). It is a config decision by the Ubuntu team that I disagree with from a security standpoint but agree with from a novice user standpoint.
This would be a horrible setup for most purposes. Just imagine the thousands of posts you'd get here because apps people install simply don't work. And now you even suggest they should not be able to allow access on a per application basis, but have to open a port?
You can't do it per application in Linux due to certain limitations in the iptables/ipchains so you have to do it per port. Firestarter front end actually has a list of the popular ports to allow, so it's not much harder than ZA on Windows (then again I'm very comfortable with firewalls).
And most malware worth its salt would simply use ports that are already open and if your box already got rooted, they would be able to open any port they need anyway, so no, I still don't see the big advantage of such a setup.
That's simply not true there is plenty of malware that will use its own private ports, besides security is not about making it impossible it's about making it hard(er) such a default policy would make it more difficult to break into your system. The only way to fully secure a machine from remote attacks is never connect to the net in the first place. The most secure OS in the world OpenBSD defaults to blacklisting EVERYTHING btw you need to explicitly allow things ensuring that w/e is being run you meant it to run.
tufkakf
January 20th, 2006, 04:24 AM
No I'm not really after a Windows like firewall although I must admit that some of the personal ones are more powerful than ipchains/tables that come with Linux (let's face it, it's a fairly basic solution).
I'm sorry, but iptables is far from basic, on the contrary, it's far more powerful than a toy like ZA, it just is something different from a personal firewall like you know it from windows.
You can't do it per application in Linux due to certain limitations in the iptables/ipchains so you have to do it per port. Firestarter front end actually has a list of the popular ports to allow, so it's not much harder than ZA on Windows (then again I'm very comfortable with firewalls).
As Mandriva proves, you can. And it is much harder than ZA. No little pop ups telling you that applications xyz wants to connect to the net.
That's simply not true there is plenty of malware that will use its own private ports
Please name one for Linux that a) uses its own port only and b) doesn't need root privileges to work properly.
, besides security is not about making it impossible it's about making it hard(er) such a default policy would make it more difficult to break into your system. The only way to fully secure a machine from remote attacks is never connect to the net in the first place. The most secure OS in the world OpenBSD defaults to blacklisting EVERYTHING btw you need to explicitly allow things ensuring that w/e is being run you meant it to run.
But then again, OpenBSD, as great as it is, certainly isn't intended for desktop use. And if you're running a server you should know what you do and certainly don't have to rely on your distribution setting up a firewall for you.
nocturn
January 20th, 2006, 05:00 AM
If you have a firewall that defaults to not allowing ANY outgoing connections it will stop any *ware that tries to connect to the internet on its own accord. A user would have to manually open the port needed for that software,
Which is beyond most end users, for whom this would mean that they will either drop Ubuntu thinking that networking doesn't work or the more persistent ones will get to turn off the firewall.
Really, most computer users don't know what a port is or what a firewall is. If we want a secure setup for them, we'll have to find another way of doing it.
nocturn
January 20th, 2006, 05:04 AM
And most malware worth its salt would simply use ports that are already open and if your box already got rooted, they would be able to open any port they need anyway, so no, I still don't see the big advantage of such a setup.
That is also a good point.
If you got infected through a legit program like mail or http, and the malware gets root, it can simply turn off the firewall (like some windows viruses do to AV software).
nocturn
January 20th, 2006, 05:07 AM
so it's not much harder than ZA on Windows (then again I'm very comfortable with firewalls).
The thing is that most end users cannot use ZoneAlarm effectively. Reports I've heard are that they cannot get on the net, or they just allow anything it asks through (effectively making the firewall useless).
I'd much rather see SELinux (or Novell's alternative) or PAX implemented than such a solution because they can be made to run without user interaction and do offer a good level of protection against attacks.
prizrak
January 20th, 2006, 09:25 AM
The thing is that most end users cannot use ZoneAlarm effectively. Reports I've heard are that they cannot get on the net, or they just allow anything it asks through (effectively making the firewall useless).
I'd much rather see SELinux (or Novell's alternative) or PAX implemented than such a solution because they can be made to run without user interaction and do offer a good level of protection against attacks.
I actually think that Ubuntu comes with SELinux extension, I was looking through kernel stuff to get rid of the i386 leftovers after a K7 kernel upgrade. Just checked and it does come with libselinux.
Which is beyond most end users, for whom this would mean that they will either drop Ubuntu thinking that networking doesn't work or the more persistent ones will get to turn off the firewall.
Really, most computer users don't know what a port is or what a firewall is. If we want a secure setup for them, we'll have to find another way of doing it.
That's why I said above that I agree with that decision from a novice user POV.
I'm sorry, but iptables is far from basic, on the contrary, it's far more powerful than a toy like ZA, it just is something different from a personal firewall like you know it from windows.
Quite possible, I haven't gotten into the guts of it but so far it seems like all it does is stealths ports that are not being used ATM, which is pretty basic if you ask me. Now I don't remember how ZA is in this, but Sygate Personal Firewall Pro (for Windows) includes an SPI module and application signing to make sure that the app is what it says it is.
Please name one for Linux that a) uses its own port only and b) doesn't need root privileges to work properly.
Don't know of one, but just because I don't know it doesn't mean one doesn't exist or one will not be created. You should know that what's true today might not be true tomorrow.
But then again, OpenBSD, as great as it is, certainly isn't intended for desktop use. And if you're running a server you should know what you do and certainly don't have to rely on your distribution setting up a firewall for you.
No doubt, HOWEVER this debate is about security and Linux being less prone to infection. The point made by BSDFreak and myself earlier was that it's all about the settings of your OS rather than the original design and defaults (those can get old quick) in this discussion it was also suggested that not having a firewall enabled by default was poor security practice. To that I added that a firewall that whitelists outgoing traffic by default (talking about Ubuntu in this case obviously) is not much protection since at the very least it will let malware send information about yourself to whoever wrote it. Obviously a tightly locked down system will NOT be user friendly, however we are talking about security practices here.
lgmdaniel
January 20th, 2006, 09:34 AM
I think it all comes down to education, most windows users have not much idea what their firewall does or what those alerts are for. I spend loads of time setting them up correctly pre-configured for users so they don't make most of the common mistakes, but I always have to go back later and re-set it again. Even when I spend time explaining it to them, some people just look blank, some just don't want to know.
Whereas the common user on Linux is some sort of IT professional, and thus knows how to protect themselves and their data.
tufkakf
January 20th, 2006, 10:04 AM
Quite possible, I haven't gotten into the guts of it but so far it seems like all it does is stealths ports that are not being used ATM, which is pretty basic if you ask me. Now I don't remember how ZA is in this, but Sygate Personal Firewall Pro (for Windows) includes an SPI module and application signing to make sure that the app is what it says it is.
Then I'm sorry to say, you don't know what you are talking about.
http://en.wikipedia.org/wiki/Iptables
http://www.netfilter.org/documentation/index.html#documentation-howto
No doubt, HOWEVER this debate is about security and Linux being less prone to infection. The point made by BSDFreak and myself earlier was that it's all about the settings of your OS rather than the original design and defaults (those can get old quick)
Well, I'm not sure what your point actually was at the beginning, as some people seem to change their points as time goes by, but saying that design and defaults don't matter is simply wrong.
in this discussion it was also suggested that not having a firewall enabled by default was poor security practice.
But still, it isn't if no daemon is running.
To that I added that a firewall that whitelists outgoing traffic by default (talking about Ubuntu in this case obviously) is not much protection since at the very least it will let malware send information about yourself to whoever wrote it. Obviously a tightly locked down system will NOT be user friendly, however we are talking about security practices here.
I thought we were talking about why linux isn't as vulnerable to viruses as other OSes and about BSDFreak's assertion that Ubuntu is wide open in a default install. And if you think that a tightly locked down system can and should depend on a firewall, think again. If you need a firewall to make sure that no malware that does not run as root and was installed by a user and on top of that doesn't use open ports, but insists on opening its own port, doesn't work on your tightly locked down system, you don't have a tightly locked down system anyway.
prizrak
January 20th, 2006, 10:55 AM
Then I'm sorry to say, you don't know what you are talking about.
http://en.wikipedia.org/wiki/Iptables
http://www.netfilter.org/documentati...entation-howto
All I can see that I haven't mentioned is NAT and routing which makes it a nice router but not a full featured firewall. (note: Windows can also be set as a NAT router w/o a need for a firewall) Like I said ipchains/netfilter w/e else it wants to be called, is a fairly basic solution that doesn't provide firewall functionality found in more "professional" solutions. I'm not saying that it's crap I'm simply saying that it doesn't have all the features I want from my firewall.
Well, I'm not sure what your point actually was at the beginning, as some people seem to change their points as time goes by, but saying that design and defaults don't matter is simply wrong.
My point was that a firewall is a necessary(sp?) evil so to speak. Design and defaults DO matter. However, no system stays in its default state for any meaningful period of time especially not production systems making defaults more or less irrelevant. Well designed OS will make it easier to secure it but you are still going to have to keep it up to date with patches and a good overall security practice.
I thought we were talking about why linux isn't as vulnerable to viruses as other OSes and about BSDFreak's assertion that Ubuntu is wide open in a default install. And if you think that a tightly locked down system can and should depend on a firewall, think again. If you need a firewall to make sure that no malware that does not run as root and was installed by a user and on top of that doesn't use open ports, but insists on opening its own port, doesn't work on your tightly locked down system, you don't have a tightly locked down system anyway.
Never did I say that a tightly locked down system depends solely on a firewall, but you must agree that it would be a part of the setup. BSDFreak's statement about Ubuntu being wide open because of the lack of a default firewall is valid IMO, while no daemons are running (or rather listening) by default people install things on their boxen. W/o a firewall any connections to and from go completely unchecked. It's the same thing as people with no A/V claiming they never had viruses, if you got no A/V you don't know that :) Again firewall is not end all be all of network security but it is one of the things and I believe that Ubuntu should come with firestarter enabled OOTB for those users who don't know what a firewall is and wouldn't think to install one.
nocturn
January 20th, 2006, 11:05 AM
I actually think that Ubuntu comes with SELinux extension, I was looking through kernel stuff to get rid of the i386 leftovers after a K7 kernel upgrade. Just checked and it does come with libselinux.
It is compiled in, yes. But SELinux is inactive without policies, which are not in. So it is not operational.
Fedora Core 4 has them compiled and installs the policies to make it all work.
nocturn
January 20th, 2006, 11:16 AM
Never did I say that a tightly locked down system depends solely on a firewall, but you must agree that it would be a part of the setup.
Installing a firewall by default will not help anything. It would only be useful if it locked down any incoming AND outgoing connection, but that would break Ubuntu for any new user (windows firewall also does not do this).
Having a firewall that only blocks incoming traffic on the default install is just as useless as having none (because you do have one, netfilter, in the kernel, it just has no rules).
BSDFreak's statement about Ubuntu being wide open because of the lack of a default firewall is valid IMO, while no daemons are running (or rather listening) by default people install things on their boxen. W/o a firewall any connections to and from go completely unchecked.
What daemons should an end user install that do listen to the outside? If they do (like apache or SSH), then they should be capable of configuring both those programs and a firewall to protect them (or use a hardware box).
The needs of a typical end user should not require anything that listens to the outside while a locked down firewall would cripple his system from his POV.
It's the same thing as people with no A/V claiming they never had viruses, if you got no A/V you don't know that :) Again firewall is not end all be all of network security but it is one of the things and I believe that Ubuntu should come with firestarter enabled OOTB for those users who don't know what a firewall is and wouldn't think to install one.
AV software has a very limited use and is a quick fix for a lack of security controls in the OS and applications. An AV solution only protects against well known threats but offers no additional security (like 0-day exploits).
Instead of concentrating on AV software, we should take a good look at solutions like SELinux, PAX and switch to a MAC based system instead of the flawed DAC dogma. All these protect against generic threats.
tufkakf
January 20th, 2006, 11:28 AM
All I can see that I haven't mentioned is NAT and routing which makes it a nice router but not a full featured firewall.
And as I already mentioned, iptables isn't a desktop firewall.
(note: Windows can also be set as a NAT router w/o a need for a firewall) Like I said ipchains/netfilter w/e else it wants to be called, is a fairly basic solution that doesn't provide firewall functionality found in more "professional" solutions. I'm not saying that it's crap I'm simply saying that it doesn't have all the features I want from my firewall.
*Sigh*
Again, it isn't meant to be a stupid desktop firewall and calling it basic just shows your ignorance. It's like calling the Earth Simulator basic, because Unreal Tournament doesn't run on it, but runs on your box.
My point was that a firewall is a necessary(sp?) evil so to speak.
Yet another point? ;D
Anyway, it isn't and you still haven't shown why it is.
Design and defaults DO matter.
Then don't say they don't.
However, no system stays in its default state for any meaningful period of time especially not production systems making defaults more or less irrelevant.
Sorry, but your conclusion doesn't follow logically from your premise.
If anything, the fact that systems change does mean that defaults are not everything, but then again, nobody claimed they were.
Well designed OS will make it easier to secure it but you are still going to have to keep it up to date with patches and a good overall security practice.
Who said otherwise?
Never did I say that a tightly locked down system depends solely on a firewall, but you must agree that it would be a part of the setup.
No, I don't agree. A firewall can be part of such a setup if it makes sense, but that's about it.
BSDFreak's statement about Ubuntu being wide open because of the lack of a default firewall is valid IMO, while no daemons are running (or rather listening) by default people install things on their boxen. W/o a firewall any connections to and from go completely unchecked.
So let me get this straight.
You say that by default it is wide open, though it isn't because no daemons are running, as you admit.
Now this alone doesn't make sense, but now your argument seems to be that it will be wide open once people start to install stuff. Now I already asked BSDFreak, but I'll ask you again, please name one such application that'll leave your setup wide open.
Further, you didn't seem to notice, but a few sentences up you argued that defaults are more or less meaningless as systems change over time. Now you argue that it's correct to say that Ubuntu is wide open, because people will install stuff and then the defaults will make the system vulnerable. This does not compute.
It's the same thing as people with no A/V claiming they never had viruses, if you got no A/V you don't know that :)
No, it isn't.
Again firewall is not end all be all of network security but it is one of the things and I believe that Ubuntu should come with firestarter enabled OOTB for those users who don't know what a firewall is and wouldn't think to install one.
And those are exactly the user who wouldn't in any way profit from Ubuntu having a firewall.
Edit: I just reread my response and noticed that it comes off as very harsh. So I just wanted to apologize for this. It was not my intention and I hope English not being my first language will be accepted as an excuse for it.
nocturn
January 20th, 2006, 11:38 AM
Like I said ipchains/netfilter w/e else it wants to be called, is a fairly basic solution that doesn't provide firewall functionality found in more "professional" solutions. I'm not saying that it's crap I'm simply saying that it doesn't have all the features I want from my firewall.
Netfilter is a packet filter, it is not advertised as anything other than that. What you are looking for is an application level firewall which is a different animal.
prizrak
January 20th, 2006, 11:55 AM
What daemons should an end user install that do listen to the outside? If they do (like apache or SSH), then they should be capable of configuring both those programs and a firewall to protect them (or use a hardware box).
The needs of a typical end user should not require anything that listens to the outside while a locked down firewall would cripple his system from his POV.
So let me get this straight.
You say that by default it is wide open, though it isn't because no daemons are running, as you admit.
Now this alone doesn't make sense, but now your argument seems to be that it will be wide open once people start to install stuff. Now I already asked BSDFreak, but I'll ask you again, please name one such application that'll leave your setup wide open.
Plenty of programs use net connections, NTP, gdesklets (some of them), remote desktop, etc... There are plenty of daemons running on a default Ubuntu box, they are not listening but that doesn't make them invulnerable, the ports aren't stealthed like they should be making it a real vulnerability.
No, I don't agree. A firewall can be part of such a setup if it makes sense, but that's about it.
Show me a single security expert that will say that you have no need for a firewall, in fact show me a single business that is connected to the internet w/o a firewall.
Sorry, but your conclusion doesn't follow logically from your premise.
If anything, the fact that systems change does mean that defaults are not everything, but then again, nobody claimed they were.
No YOUR conclusion doesn't follow logically, if a system will be changed from its default state then security policy needs to be adjusted to respond to that change. For an average surfing da web, email, IM user the defaults make a huge difference sure but anything beyond that will change those defaults anyway.
So let me get this straight.
You say that by default it is wide open, though it isn't because no daemons are running, as you admit.
Now this alone doesn't make sense, but now your argument seems to be that it will be wide open once people start to install stuff. Now I already asked BSDFreak, but I'll ask you again, please name one such application that'll leave your setup wide open.
Further, you didn't seem to notice, but a few sentences up you argued that defaults are more or less meaningless as systems change over time. Now you argue that it's correct to say that Ubuntu is wide open, because people will install stuff and then the defaults will make the system vulnerable. This does not compute.
Computes just fine, the default state of the system is no listening to the outside connections, no firewall rules. Installing software might change the "no listening to the outside" default but will leave the "no firewall rules" default. So the part of the system that says "there is no need for a firewall" has been changed, but a firewall was not enabled to begin with and if it is not enabled after it is needed the system is vulnerable. Do you see how the default setup has a flaw?
And those are exactly the user who wouldn't in any way profit from Ubuntu having a firewall.
Not true at all, if Firestarter is installed by default and configured to allow the regular needed connections (HTTP, SMTP, POP, IMAP, NTP, FTP, etc..) to go through it would ensure that nothing that wouldn't use those ports could get connected to from the outside or go to the outside it would benefit the end user in a fairly transparent manner.
And as I already mentioned, iptables isn't a desktop firewall.
That means nothing more than that there is a need for a real desktop firewall for Linux.
Yet an other point? ;D
Anyway, it isn't and you still haven't shown why it is.
OK, I'll bite it and say that CURRENTLY there is no need for a firewall in Linux based OS's. Now just because there is no need for it NOW it doesn't mean there is no need for it in general. Would you agree that it makes sense to be prepared? When I was going to High School I had to get immunized against a number of different things not because I would get all or ANY of them (which I'm sure I wouldn't being pretty healthy) but because there was a chance I could get them.
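A check for the situation argued over in the posts above, where installed software starts listening while netfilter has no rules. The Python below is an added example, not code from the thread: it parses the kernel's /proc/net/tcp table and reports listening IPv4 sockets that are reachable from outside loopback. The sample table, the allowed-port set and all function names are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import ipaddress
import socket
import struct
from collections import namedtuple

TCP_LISTEN = 0x0A  # value of the "st" column for a listening socket

Sock = namedtuple("Sock", "ip port state uid inode")

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# a loopback-only listener on 631, listeners on 0.0.0.0:22 and 10.0.0.10:80,
# and one established outbound connection to a documentation address.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 11003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:C350 010200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 11004 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(field):
    """Turn 'HHHHHHHH:PPPP' from the table into (dotted_ip, port)."""
    addr_hex, port_hex = field.split(":")
    # The kernel prints the raw 32-bit address in host byte order;
    # "<I" is the little-endian assumption stated in the lead-in.
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp content into a list of Sock tuples."""
    socks = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or truncated line
        ip, port = _decode_addr(fields[1])
        socks.append(Sock(ip, port, int(fields[3], 16),
                          int(fields[7]), int(fields[9])))
    return socks


def exposed_listeners(socks):
    """Listening sockets bound to anything other than a loopback address."""
    return [s for s in socks
            if s.state == TCP_LISTEN
            and not ipaddress.ip_address(s.ip).is_loopback]


def unexpected_listeners(socks, allowed_ports):
    """Exposed listeners whose port is not on the admin's allow list."""
    return [s for s in exposed_listeners(socks) if s.port not in allowed_ports]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample off Linux
    for s in unexpected_listeners(parse_proc_net_tcp(table), allowed_ports={22}):
        print(f"unexpected listener {s.ip}:{s.port} uid={s.uid} inode={s.inode}")
```

The table has no process ID column, only the owning uid and the socket inode, so mapping a listener to a program takes a second lookup of that inode under /proc/<pid>/fd; IPv6 listeners live in /proc/net/tcp6 and are not covered here.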
prizrak
January 20th, 2006, 11:58 AM
AV software has a very limited use and is a quick fix for a lack of security controls in the OS and applications. An AV solution only protects against well known threats but offers no additional security (like 0-day exploits).
Instead of concentrating on AV software, we should take a good look at solutions like SELinux, PAX and switch to a MAC based system instead of the flawed DAC dogma. All these protect against generic threats
You won't get an argument there, I believe that current security measures are outdated not because they were bad but because the times have changed and we need to adjust accordingly. But for now we have to use these crutches.
Virogenesis
January 20th, 2006, 12:07 PM
This is interesting, so if a computer is left as default, take Ubuntu, as it's got no listening ports out of the box.
That's secure, right?
Install something and it sets up a daemon, making it insecure, correct?
Now excuse me if I'm wrong, but isn't that a user error, not an OS error?
As for Microsoft, they steal ideas and add to them to create a so-called user experience, whereas Linux is more about security.
It has to be a pretty nasty virus for it to infect a nix machine, and let's compare Firefox to IE. Firefox runs on Windows better than IE as it isn't integrating itself half as much, and that's the thing.
What exactly integrates into Linux? Nothing really; most of it sits on top of the kernel.
Making Linux more secure :)
Virogenesis
January 20th, 2006, 12:11 PM
You won't get an argument there, I believe that current security measures are outdated not because they were bad but because the times have changed and we need to adjust accordingly. But for now we have to use these crutches.
Show us a better solution that Microsoft has because that is what we are talking about...Adware...Spyware and virii
Also I think you'll find that dapper will contain a firewall and I think you'll find that most adware is registry related :)
tufkakf
January 20th, 2006, 12:13 PM
Plenty of programs use net connections, NTP, gdesklets (some of them), remote desktop, etc... There are plenty of daemons running on a default Ubuntu box, they are not listening but that doesn't make them invulnerable, the ports aren't stealthed like they should be making it a real vulnerability.
No, they are not vulnerable if they are not listening and stealthing ports is a very, very bad security practice, as it will tip off any attacker about you using a firewall. Bad, don't stealth your ports.
Show me a single security expert that will say that you have no need for a firewall,
How about the Ubuntu devs, or don't they count?
in fact show me a single business that is connected to the internet w/o a firewall.
And this is relevant to the discussion how? Having a firewall protecting a corporate network makes sense most of the times, but as I already said, firewalls make sense in some occasions, in others like a default Ubuntu install, they don't.
No YOUR conclusion doesn't follow logically, if a system will be changed from its default state then security policy needs to be adjusted to respond to that change. For an average surfing da web, email, IM user the defaults make a huge difference sure but anything beyond that will change those defaults anyway.
In other words, if someone does stuff that would make installing a firewall a good idea, he should install a firewall, as I have been arguing all along.
Computes just fine, the default state of the system is no listening to the outside connections, no firewall rules. Installing software might change the "no listening to the outside" default but will leave the "no firewall rules" default. So the part of the system that says "there is no need for a firewall" has been changed, but a firewall was not enabled to begin with and if it is not enabled after it is needed the system is vulnerable. Do you see how the default setup has a flaw?
See above, no it hasn't a flaw. And I was referring to you claiming that defaults are more or less meaningless. What you just said is contradicting this other statement.
Not true at all, if Firestarter is installed by default and configured to allow the regular needed connections (HTTP, SMTP, POP, IMAP, NTP, FTP, etc..) to go through it would ensure that nothing that wouldn't use those ports could get connected to from the outside or go to the outside it would benefit the end user in a fairly transparent manner.
Etc., exactly. So it would be a swiss cheese anyway and apart from that it would ship a system by default that would be totally unusable for "normal" users, who don't even know what a port is.
That means nothing more than that there is a need for a real desktop firewall for Linux.
No, it doesn't. It means just that, iptables is not a desktop firewall. Now people are quite obviously of different opinions about whether one is needed or not. ;-D
And as I said, there already are desktop firewalls for Linux. Mandriva ships with one for example.
OK, I'll bite it and say that CURRENTLY there is no need for a firewall in Linux based OS's.
Sorry to be so anal, but there are of course many situations where firewalls are useful and needed on Linux.
Now just because there is no need for it NOW it doesn't mean there is no need for it in general. Would you agree that it makes sense to be prepared? When I was going to High School I had to get immunized against a number of different things not because I would get all or ANY of them (which I'm sure I wouldn't being pretty healthy) but because there was a chance I could get them.
As I don't agree that there isn't a need now, I have a hard time agreeing that they will be needed in the future. And I never claimed being prepared wasn't a good thing, but I think that having a desktop firewall is just useless.
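The "no listening ports out of the box" claim argued over in the posts above can be checked on a given machine. The following is an added example, not part of any post in this thread: it parses the Linux /proc/net/tcp table and separates listeners reachable from the network from those bound to loopback only. The sample table is constructed, and the parser assumes a little-endian host and covers IPv4 only (tcp6 is a separate table).

```python
"""Classify TCP listeners from /proc/net/tcp as network-reachable or loopback-only."""
import ipaddress
import struct
from collections import namedtuple
from pathlib import Path

TCP_LISTEN = 0x0A  # state value the kernel prints for a listening socket

Listener = namedtuple("Listener", "addr port uid")

# Constructed sample: a print service on 127.0.0.1:631, an SSH daemon added
# after install on 0.0.0.0:22, and one established outbound connection.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:D2F0 5DB8D822:0050 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""


def parse_listeners(table_text):
    """Return a Listener for every row whose state is LISTEN."""
    listeners = []
    for line in table_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue                                  # truncated or blank row
        if int(fields[3], 16) != TCP_LISTEN:
            continue                                  # established, time-wait, ...
        addr_hex, port_hex = fields[1].split(":")
        # The kernel prints the 32-bit address as a host-order integer, so on a
        # little-endian machine 0100007F is 127.0.0.1 (assumption: little-endian).
        addr = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
        listeners.append(Listener(addr, int(port_hex, 16), int(fields[7])))
    return listeners


def audit(table_text):
    """Split listeners into (exposed, local_only).

    A socket bound to 0.0.0.0 or to a routable address accepts connections
    from the network; one bound to 127.0.0.0/8 does not.
    """
    exposed, local_only = [], []
    for item in parse_listeners(table_text):
        (local_only if item.addr.is_loopback else exposed).append(item)
    return exposed, local_only


if __name__ == "__main__":
    proc = Path("/proc/net/tcp")
    text = proc.read_text() if proc.exists() else SAMPLE_TABLE
    exposed, local_only = audit(text)
    for item in exposed:
        print(f"EXPOSED    {item.addr}:{item.port} (uid {item.uid})")
    for item in local_only:
        print(f"local only {item.addr}:{item.port} (uid {item.uid})")
```

Running it again after installing a package shows whether that package added a network-facing listener, which is the change to the default state the posts disagree about.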
prizrak
January 20th, 2006, 12:53 PM
No, they are not vulnerable if they are not listening and stealthing ports is a very, very bad security practice, as it will tip off any attacker about you using a firewall. Bad, don't stealth your ports.
Now I could be wrong, but wouldn't a stealthed machine just appear offline to whoever is scanning it?
How about the Ubuntu devs, or don't they count?
Ubuntu devs aren't neccesserilly(sp?) security experts.
In other words, if someone does stuff that would make installing a firewall a good idea, he should install a firewall, as I have been arguing all along.
If we are dealing with novice users they might not know that what they are installing needs a firewall. It would be awesome if everyone online had decent computer knowledge but as we both know that's not the case.
As I don't agree that there isn't a need now, I have a hard time agreeing that they will be needed in the future. And I never claimed being prepared wasn't a good thing, but I think that having a desktop firewall is just useless.
We'll just leave it at that, after all opinions should differ otherwise it's boring :)
prizrak
January 20th, 2006, 12:57 PM
This is interesting, so if a computer is left as default, take Ubuntu as it's got no listening ports out of the box.
That's secure right
Install something and it sets up a daemon making it insecure correct?
Now excuse me if I'm wrong but isn't that a user error not an OS error.
As for Microsoft they steal ideas and add to them to create a so called user experience whereas Linux is more about security.
It has to be a pretty nasty virus for it to infect a nix machine and let's compare Firefox to IE.. Firefox runs on Windows better than IE as it isn't integrating itself half as much and that's the thing.
What exactly integrates into Linux, nothing really, most of it sits on top of the kernel.
Making Linux more secure :)
Believe it or not but most OS's are used by people. It was never said that the OS itself is insecure by design it has been argued that ALL OS's are vulnerable since it's up to the user/admin to make sure it is kept up to date.
Just because nothing integrates into Linux doesn't make it any more secure, Apache Slammer was the biggest example of a worm that propagated just fine despite Apache's lack of integration into the OS. It was also a good show of how administration makes the difference as far as security goes.
prizrak
January 20th, 2006, 01:03 PM
Show us a better solution that Microsoft has because that is what we are talking about...Adware...Spyware and virii
Also I think you'll find that dapper will contain a firewall and I think you'll find that most adware is registry related :)
I never said MS is doing anything better. And if you want spyware for Linux check your cookie folder I'll bet that you got a few tracking cookies chilling in there ;)
Adware doesn't need a registry it just needs to be silently installed, doesn't happen in OSS simply because it cannot be hidden but proprietary software for Linux could easily install adware onto your machine, would be easy to clean sure but doesn't mean it's impossible to install :)
Virogenesis
January 20th, 2006, 01:45 PM
I never said MS is doing anything better. And if you want spyware for Linux check your cookie folder I'll bet that you got a few tracking cookies chilling in there ;)
Adware doesn't need a registry it just needs to be silently installed, doesn't happen in OSS simply because it cannot be hidden but proprietary software for Linux could easily install adware onto your machine, would be easy to clean sure but doesn't mean it's impossible to install :)
Cookies can be disabled...
Adware sure doesn't need a registry but it helps
Silently installed....what about not being able to write to the system as it needs root.
Removing will be safer on Linux.
Next?
Also reread the thread's subject
prizrak
January 20th, 2006, 02:15 PM
Cookies can be disabled...
Adware sure doesn't need a registry but it helps
Silently installed....what about not being able to write to the system as it needs root.
Removing will be safer on Linux.
Next?
Also reread the thread's subject
Doesn't need to be root, go to your home folder and enable "Show Hidden Files" you might see a lot of interesting things ;)
Nothing I said contradicts the topic, in fact what I said fits into "Linux people are more honest" and Linux not being as widespread on the desktop as Windows. From a technical standpoint it isn't much harder to create spyware/adware for Linux (it is harder to make worms and viruses and especially trojans) but from a practical standpoint it's pretty much useless.
darkbullet87
February 21st, 2006, 07:21 PM
Ok, I'm putting this in the beginners thread, because a lot of beginners (myself included) wonder whether or not to get an antivirus program for Linux and I think this serves as a good example as to why it's a good idea to have one even though Linux can't get a virus.
I have an obsession with downloading music off of Limewire and Ares. I literally have a 20GB external HDD dedicated to backup files of music (and other "important" apps) So this afternoon I'm tooling around Limewire looking for a song on my desktop (which runs Ubuntu). I find the song and download it. After downloading it, I wanted to copy it to my laptop (which runs Windows XP) But before doing so I figured it would be a good idea to run it through Aegis-Virus Scanner first. After all, you don't know where the song came from now do you? And sure enough, Aegis found a virus on the song. But because I downloaded it in Ubuntu, my Windows based laptop is safe. If I didn't have Aegis I would have just copied it to my laptop and given myself a virus (stupid me) LOL
Now, I know a lot of you out there are going to go "well, that's what you get for using Limewire, it's a virus waiting to happen." ....I agree, but my stance is that if you're smart about what you download and what you do with it, you can catch a virus before it infects your system.
Anyway, that's my 2 cents. I figured I'd share my story with you guys and hopefully show some new people why it can be useful to have an antivirus even though Linux doesn't get viruses.
qwazert
February 21st, 2006, 07:46 PM
I'm curious...how does an .mp3 file get infected by a virus, and even if it did have a virus, MP3's aren't executable.
Was this anything to worry about?
nanotube
February 21st, 2006, 07:49 PM
isnt that an argument for running antivirus on your win laptop, rather than on ubuntu??
darkbullet87
February 21st, 2006, 08:01 PM
Well, I have antivirus on my laptop as well. But what I'm saying is that by having it on Ubuntu, I can scan the file before it even steps foot (so to speak) in my laptop. So the laptop doesn't even get a chance to get infected in the first place.
Robgould
February 21st, 2006, 08:18 PM
Linux can and will get a virus. It is just that most of the people writing viruses target the widest, most unskilled, defenseless audience they can find. Windows users. Why write a virus for Linux when it is the small fry? Windows is where the numbers are. As more users move to other platforms like Linux, the bad stuff will come with them.
Here is a little sampler. Mac users don't get viruses either.
http://www.cnn.com/2006/TECH/internet/02/21/apple.worm.reut/index.html
ardchoille
February 21st, 2006, 08:22 PM
And if you don't use Windows at all you don't have to worry about it getting infected?
Robgould
February 21st, 2006, 08:24 PM
Wrong. Linux can get viruses. It just does not happen very often because there are not many written for it. Always take security seriously if you need to be secure.
nalmeth
February 21st, 2006, 11:18 PM
No not totally wrong.. Viruses need permissions to install and damage your system, so unless you are running as root (disabled by default in Ubuntu), and have found a virus specifically targeted at your system, you're ok. This mp3 virus would have no effect, because it's designed for another system, and your music player isn't running with any admin privileges, so the virus will not get them, thus being ineffective.
There are a lot of other reasons that linux is more secure than the lower user-population. You'll find a lot of discussion on this over the net, and plenty on ubuntuforums
Robgould
February 22nd, 2006, 08:13 AM
Linux is more secure. There is no debate there. But it is never good practice to ignore security under the assumption that your system cannot be compromised. That is simply irresponsible.
For me personally, I don't do anything special to secure my box, because I don't have anything to lose. I install a new OS about once a month anyway.
If you have stuff you want safe, you need to take measures to keep it safe. You can do this for free in Linux. Firestarter and clamav are just a couple of tools you can use.
Here is a link from Fedora forum about security tools. It is a very good post and most all of it applies to Ubuntu as well.
http://forums.fedoraforum.org/showthread.php?t=52270
Robgould
February 22nd, 2006, 09:56 AM
a little reading on the subject from different perspectives.
http://viruspool.vanderkooij.org/virus.cms
http://www.vnunet.com/vnunet/news/2143697/grisoft-warns-linux-virus
http://lxer.com/module/newswire/view/31417/
http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/
http://librenix.com/?inode=21
http://www.linuxdevcenter.com/pub/a/linux/2001/09/18/insecurities.html
http://www.desktoplinux.com/articles/AT3307459975.html
http://news.bbc.co.uk/1/hi/sci/tech/1123827.stm
http://securityresponse.symantec.com/avcenter/venc/data/linux.rst.b.html
http://www.claymania.com/unix-viruses.html
nocturn
February 22nd, 2006, 10:18 AM
Wrong. Linux can get viruses. It just does not happen very often because there are not many written for it. Always take security seriously if you need to be secure.
You should always take security seriously, but AV is not a good security solution, though it currently serves as a substitute.
As I've written before, AV only protects you against known threats. That means a window of opportunity from the moment of the initial spread of an infection to the point where there are signatures for your scanner.
Having a good firewall, not running with admin privileges etc will do a lot more than AV.
Robgould
February 22nd, 2006, 10:23 AM
You should always take security seriously, but AV is not a good security solution, though it currently serves as a substitute.
As I've written before, AV only protects you against known threats. That means a window of opportunity from the moment of the initial spread of an infection to the point where there are signatures for your scanner.
Having a good firewall, not running with admin privileges etc will do a lot more than AV.
Exactly.
Artificial Intelligence
February 22nd, 2006, 10:25 AM
Yes, all these are good (or should I say bad) if you run your system as root. Not to mention that you need to run the virus script to activate it (e.g. sudo sh run_me_free_porn.sh and then you have to enter your password). As most of the libs/applications/programs you get come through a known source (apt-get .deb package) the chance to get a virus is 0.0001%
Also each Linux distro is different, which makes it very difficult to write a virus that hits all linux/unix/etc. So you might make a virus that works on Red Hat but it won't work on Debian as an example
saads
February 27th, 2006, 09:22 PM
So I know most ppl believe that viruses on Linux are a no-show... but, let's say you download some program and install it. Then say the program requires root privileges to run, then theoretically can't it do anything it wants to?
I run firestarter and I run it as root, but I trust it is doing what it is supposed to be. I've never checked the source and I don't think most people have the time to check the source. I'm quite convinced that it is not malware, but I am not 100% certain and my trust is based on the fact that if it were, someone in the community would discover this and let everyone else know.
That's a very different paradigm than using an anti-virus scanner where you trust that the anti-virus application is doing what it is supposed to and you trust that the company maintaining it will keep your system up-to-date on the latest virus definitions. I'm not arguing whether one is better than the other - I personally do not know.
The point is that the threat is there for Linux. I may be off here, which is why I'm posting because I'd like to get feedback. I'm also wondering if people know of a good way to block all outgoing connections from your computer and then allow them one by one. I used the restrictive policy on Firestarter, but then I don't know how to add specific applications to allow them to make outgoing TCP connections. It just blocks everything and then it seems like you can allow them by port or by destination, which is not really what i want.
Thoughts appreciated.
LordHunter317
February 27th, 2006, 09:25 PM
So I know most ppl believe that viruses on Linux are a no-show... but, let's say you download some program and install it. Then say the program requires root privileges to run, then theoretically can't it do anything it wants to?
Yes, it can.
I'm also wondering if people know of a good way to block all outgoing connections from your computer and then allow them one by one.
Don't use firestarter. Do:
sudo iptables -F OUTPUT
sudo iptables -A OUTPUT -j LOG
sudo iptables -P OUTPUT DROP
And add output rules as you want.
There's no point in doing this though. If you're that paranoid, just stop using the computer, frankly. Egress filtering on a desktop is rarely worth the value, unless you know something bad is going on.
I used the restrictive policy on Firestarter, but then I don't know how to add specific applications to allow them to make outgoing TCP connections.
You can't. The kernel firewall doesn't make it very practical. The amount of matching it can do on application isn't fine-grained enough or even working.
aysiu
February 27th, 2006, 09:39 PM
Of course, how can you trust anything unless you look at all the source code and actually know what to look for?
This is very different from haphazardly downloading and installing any program from any site.
Firestarter is in the repositories--Ubuntu repositories. If, somehow, those Ubuntu repositories got breached, we would soon know (one would like to think), and if they're not breached... well, then you're just saying the Ubuntu developers are sneaky and evil and hid something in the .deb packages they put in the repositories.
saads
February 27th, 2006, 09:53 PM
You could argue that the value of open-source is the fact that the source is open and you can check it yourself to see if it is malware, and clearly there is value in that. However that is not a practical solution for most users - or "Human Beings" to use the Ubuntu motto. I consider myself an advanced user, but personally I just don't have the time to check every piece of software. Average users wouldn't even know where to start. And the repos are not the only place to get software for Ubuntu.
I'm thinking about the scenario where Linux is widespread amongst consumers - how exactly are they protected from viruses if when an application is run as root (as many are) - it can do whatever it wants? And to install most applications you have to be root, which then would allow the install script to place a startup script in your init.d directory. As an average user and without an anti-virus tool, if you installed something malicious you wouldn't have a clue what's going on. In fact, right now I don't know if I have anything malicious on my linux PC - I might...
The point is I would want to give users the freedom to install and try different types of software. And I'm sure they would want an OS that will protect them in the case where they make a mistake and install something malicious. Right now I don't see that being the case. Unless of course we switch back to the traditional paradigm of anti-virus applications. I myself trust open source software so much that I don't even know what the state of anti-virus is for Linux.
I'm saying that if Ubuntu is to become "Linux for Human Beings" then this is something that needs to be thought of. Perhaps it has and I don't know - that's why I'm placing it on the forum.
LordHunter317
February 27th, 2006, 09:58 PM
well, then you're just saying the Ubuntu developers are sneaky and evil and hid something in the .deb packages they put in the repositories.
Or, far more likely, upstream was compromised and compromised source made it in undetected.
I'm thinking about the scenario where Linux is widespread amongst consumers - how exactly are they protected from viruses if when an application is run as root (as many are) - it can do whatever it wants?
They're not, just like you're not protected from most things as Administrator on Windows or anything as LocalSystem.
But, the amount of stuff that runs as root on a desktop is precious little, and most of it would be non-trivial to compromise. It'd require local-code execution, for starters. Now, that is possible (i.e., firefox as an execution vector) but tricky. It'd be a rather sophisticated attack, to say the least.
The point is I would want to give users the freedom to install and try different types of software. And I'm sure they would want an OS that will protect them in the case where they make a mistake and install something malicious.
Such an OS doesn't exist, presently. The first rule of any CAPP system is that the Administrator does no evil. Obviously, that's a potentially flawed assumption, but all operating systems in common use assume it.
Unless of course we switch back to the traditional paradigm of anti-virus applications.
Anti-virus software is a reactionary measure. It can only prevent so much. It can't defend against many exploits (including the kinds that typically happen on Linux).
prizrak
February 27th, 2006, 10:01 PM
Nothing is gonna stop a stupid person from doing stupid things. (I should know ;) ) Most malware wouldn't ask you to dl and install it ;) When it comes to Linux it is very simple not to fall into the social engineering trap. Just don't install any program you are unsure of, anything in the official Ubuntu repositories can be trusted by default since a breach would be communicated and those programs ARE checked. Unless of course you don't trust Ubuntu developers well in that case you shouldn't be using the OS ;) The only threat you should be worried about is the things that don't require user action to do the damage, for those you got a few choices:
1) A good firewall - generally stops worms and port scans.
2) Keeping your system up to date - install the patches ASAP, when it comes to Ubuntu it's real easy and they are thoroughly tested (though sometimes they do break things, this is inevitable)
3) Get a Linux A/V - I don't remember what company actually makes it, but there is one that actually scans for Linux viruses in addition to Windows ones.
If you are really really paranoid, get OS/2 Warp AFAIK there is no malware for it it's mad obscure.
aysiu
February 27th, 2006, 10:03 PM
I don't think there's anything you can do about it.
You're absolutely right--if people stray outside of the repositories, who knows what they'll download and install?
At this point, open source generally means "trustworthy," whereas freeware generally means... "possibly spyware/adware/whatever." That can easily change, though. There's nothing inherent in the structure of open source software that makes it necessarily trustworthy, especially if most users have neither the means nor the time to examine the code before installing the software.
If Linux becomes more popular, malicious software will be developed for it in great numbers, and people will have to be more careful about what they install.
Kvark
February 27th, 2006, 10:05 PM
It is not enough with a secure system, a secure user is also needed. You can live in a nuke safe bunker but if you give the key to a burglar then it'll still be compromised. Yes, when Linux becomes more popular among non geeks it will maybe become a common tactic to try to fool unaware users into manually installing trojans.
One possible solution is to double check with someone else who actually has examined the source code before you install something. Perhaps Ubuntu or some other trusted authority on Linux software could examine the source code of programs and provide security ratings the users can check before installing a program. It could be conveniently displayed next to programs in Synaptic. For downloaded files the user could right click and select "check security info", the file's md5 checksum would be sent to a server that would return the security info for that file.
LordHunter317
February 27th, 2006, 10:13 PM
At this point, open source generally means "trustworthy,"
No, it doesn't. That's why we go to great lengths to provide assurance the code that is built is actually code that should be built.
Assurance of source integrity isn't an easy problem. Assurance of source correctness is an even harder one, and also important.
One possible solution is to double check with someone else who actually has examined the source code before you install something. Perhaps Ubuntu or some other trusted authority on Linux software could examine the source code of programs and provide security ratings the users can check before installing a program.
This is impractical. OpenBSD has a codebase that's several orders-of-magnitude smaller (~200 MiB, all under their control) that's heavily security audited and they haven't found all the flaws.
It's a nice idea, just wholly impractical.
saads
February 27th, 2006, 10:25 PM
I have more thoughts on this, but I'm wondering if anyone knows the details of Security Enhanced Linux (SELinux). I'm reading about it now but would appreciate a summary if anyone already knows. How is it different from the current paradigm of using uid's, gid's, and ownership info to separate privileges? And is it part of the kernel already? If so, how is it used?
LordHunter317
February 27th, 2006, 10:48 PM
I have more thoughts on this, but I'm wondering if anyone knows the details of Security Enhanced Linux (SELinux). I'm reading about it now but would appreciate a summary if anyone already knows.
It implements two things Linux currently doesn't use, role-based access control (RBAC) and mandatory access control (MAC).
Under an RBAC system, you don't use solely your user and group membership for accessing privileged functions. You use an abstract concept called roles, which are security tokens that give you privilege to do something. Roles are added and removed from a process's privileges as necessary.
The concept is similar to having supplementary groups, but membership in roles isn't static. One could have a role for network login vs. local login and grant membership in the role based on how you login, for example.
MAC is a privilege system where no process can ever override the security checks. Under Linux, root can and does bypass all security checks (this is a slight simplification, but it's effectively true). Under MAC, that becomes impossible. Root cannot override the privilege system.
And is it part of the kernel already?
Yes.
If so, how is it used?
Carefully.
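The difference between the uid/gid model and the RBAC and MAC model summarised in the post above, as an added example that is not part of the original post or of SELinux itself. It is a small model, not a real policy: the labels (web_t, shadow_t, admin_t), role names, user and policy table are constructed for illustration.

```python
"""Toy model: discretionary checks with a root bypass vs. a mandatory policy."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset
    domain: str          # mandatory label carried by the process


@dataclass(frozen=True)
class File:
    owner: int
    group: int
    mode: int            # classic permission bits, e.g. 0o640
    type: str            # mandatory label carried by the object


def dac_allows(proc, f, want):
    """Discretionary check: owner/group/other bits, bypassed entirely by uid 0."""
    if proc.uid == 0:
        return True
    if proc.uid == f.owner:
        bits = (f.mode >> 6) & 7
    elif f.group in proc.gids:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bool(bits & {"read": 4, "write": 2}[want])


def mac_allows(policy, proc, f, want):
    """Mandatory check: default deny, and the uid is never consulted."""
    return want in policy.get((proc.domain, f.type), frozenset())


def access(policy, proc, f, want):
    """Both layers must agree; the mandatory layer cannot be overridden by root."""
    return dac_allows(proc, f, want) and mac_allows(policy, proc, f, want)


# Constructed policy: (process domain, object type) -> permitted operations.
POLICY = {
    ("web_t", "web_content_t"): frozenset({"read"}),
    ("admin_t", "shadow_t"): frozenset({"read", "write"}),
}

# Roles are granted per login path, and each role unlocks a set of domains.
LOGIN_ROLES = {
    ("alice", "local"): frozenset({"user_r", "sysadm_r"}),
    ("alice", "network"): frozenset({"user_r"}),
}
ROLE_DOMAINS = {
    "user_r": frozenset({"user_t"}),
    "sysadm_r": frozenset({"admin_t"}),
}


def can_enter(user, via, domain):
    """True if any role granted for this login path may run in the domain."""
    roles = LOGIN_ROLES.get((user, via), frozenset())
    return any(domain in ROLE_DOMAINS.get(r, frozenset()) for r in roles)


# Constructed objects: a web server running as root, and two files.
ROOT_WEB = Process(uid=0, gids=frozenset({0}), domain="web_t")
SHADOW = File(owner=0, group=42, mode=0o640, type="shadow_t")
PAGE = File(owner=33, group=33, mode=0o644, type="web_content_t")

if __name__ == "__main__":
    print("DAC only, root web server reads shadow file:", dac_allows(ROOT_WEB, SHADOW, "read"))
    print("DAC and MAC, same request:", access(POLICY, ROOT_WEB, SHADOW, "read"))
    print("alice may enter admin_t after local login:", can_enter("alice", "local", "admin_t"))
    print("alice may enter admin_t after network login:", can_enter("alice", "network", "admin_t"))
```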
saads
February 27th, 2006, 10:59 PM
Carefully.
Thanks for the summary. Although "carefully" was not exactly what i'd hoped for on how to use this.
From what I understand, it seems like this might be able to give me more fine-grained policy tuning. I came across the following page https://wiki.ubuntu.com/SELinux which gives a summary of the state it's in for Ubuntu. It says "In short, with SELinux you can define explicit rules about what subjects ( users, programs ) can access which objects ( files, sockets, devices ) and in what conditions depending on fine-grained settings (macros, types, roles...) provided within a compiled, binary policy file with a complex and flexible configuration language."
Is there a HOWTO on this - i've been looking around for one and can't find any in the forums.
LordHunter317
February 27th, 2006, 11:04 PM
Thanks for the summary. Although "carefully" was not exactly what i'd hoped for on how to use this.
You're right, the correct answer is, "Don't bother".
From what I understand, it seems like this might be able to give me more fine-grained policy tuning.
Yes, but at great pain. You can read the NSA stuff if you don't believe me, but this level of privilege control is incredibly hard to get right.
Is there a HOWTO on this - i've been looking around for one and can't find any in the forums.
Not AFAIK, and with good cause. There's a reason there's only a few operating systems on the planet that use these sort of controls and why they see limited use anyway.
newuser111
February 28th, 2006, 12:03 AM
you should check out the grsecurity patch for linux kernel, its easy to setup and greatly increases linux security, SElinux looks very difficult to setup
waiting for grsecurity to release 2.6.15 patch...
http://www.grsecurity.net/
prizrak
February 28th, 2006, 09:22 AM
Also you gotta remember that security is not about being impenetrable, there is no such thing (short of a machine that is completely unplugged from everything including power and is buried in a block of reinforced concrete with no way to get in), it's about making it hard for someone else to get in. As it stands right now your default Ubuntu install will deter anyone who is not specifically targeting your system (provided you have a good password and install your patches). If you are being targeted however nothing is gonna help you.
Virogenesis
February 28th, 2006, 09:40 AM
When linux gets some serious attention sure we will see some programs with trojans but most of the apps that will be supported will be binary.
Trusted sites such as apache give you the md5 checksum before installing so you can check if a file has been messed with.
But basically don't mess with programs outside the repos.
Jucato
February 28th, 2006, 10:28 AM
Even when Linux gets much attention and probably more virus/trojan/worms/etc writers, I think the probability of these doing critical, widespread, and long-term damage is lessened due to the fact that programs made to run for Linux are required by GPL to produce the source code, opening it to scrutiny from many people, some of whom would have the knowledge to counter malicious attempts.
LordHunter317
February 28th, 2006, 10:44 AM
As it stands right now your default Ubuntu install will deter anyone who is not specifically targeting your system (provided you have a good password and install your patches). If you are being targeted however nothing is gonna help you.
No, that's not true, unless they just out and out remove firefox, for starters.
Trusted sites such as apache give you the md5 checksum before installing so you can check if a file has been messed with.
As I said, while good, this isn't enough. What happens if the code is checked into Apache CVS?
prizrak
February 28th, 2006, 10:51 AM
Even when Linux gets much attention and probably more virus/trojan/worms/etc writers, I think the probability of these doing critical, widespread, and long-term damage is lessened due to the fact that programs made to run for Linux are required by GPL to produce the source code, opening it to scrutiny from many people, some of whom would have the knowledge to counter malicious attempts.
Since when is the GPL a requirement for a Linux program? ::looks at Opera::
No, that's no true, unless they just out and out remove firefox, for starters.
There aren't many auto exploits for Firefox that I know of, and ones that are around are targeted at Windows, not to mention that FF doesn't have root permissions (unless you're crazy enough to run it as root). I'm sure there are a few others ways to compromise a default Ubuntu box but as it stands they all require a directed effort i.e. there is a person on the other side trying to get it, as opposed to your normal worm that just attacks w/e hole it is meant for. Also a default Kubuntu install doesn't use Firefox at all. (I consider Kubuntu to be part of Ubuntu).
Jucato
February 28th, 2006, 11:01 AM
scrap what I said... I was thinking about GPL software and completely didn't see Opera and whole lot of stuff (w/c I don't use anyway). But still, these programs are from well-known organizations. The only problem will be if these companies are compromised themselves. But then, it wouldn't be Linux's fault, would it? :D
Correct me if I'm wrong: Even if you unknowingly installed (of course as root) something with a malicious code, wouldn't that program still need root permission every time it is run in order to access root-property files?
LordHunter317
February 28th, 2006, 11:24 AM
There aren't many auto exploits for Firefox that I know of,
There are plenty, just like there are plenty floating around the web for IE.
and ones that are around are targeted at Windows,
Wrong. There's working remote-code execution vulnerabilities for firefox in Linux in the wild.
not to mention that FF doesn't have root permissions (unless you crazy enough to run it as root).
You can still do plenty of relevant damage as the regular user, including install virii, trojans, run an IRC bot, etc.
I'm sure there are a few others ways to compromise a default Ubuntu box but as it stands they all require a directed effort i.e. there is a person on the other side trying to get it, as opposed to your normal worm that just attacks w/e hole it is meant for.
No, wrong. Any software that can be compromised like Firefox is automatically at-risk. There's no directed effort about it. In fact, what's doing the exploiting isn't even the picture. I don't see, in this case, how being a human gives you any more advantage to leverage a known security flaw. And if you don't know about the flaw, you're going to research and discover it first, not randomly send garbage to FF or gaim in the hope it breaks.
Also a default Kubuntu install doesn't use Firefox at all. (I consider Kubuntu to be part of Ubuntu).
In this case they must be considered separate.
Correct me if I'm wrong: Even if you unknowingly installed (of course as root) something with a malicious code, wouldn't that program still need root permission every time it is run in order to access root-property files?
Yes, but the assumption is you wouldn't run it a second time. It'd compromise you on install.
prizrak
February 28th, 2006, 11:56 AM
Wrong. There's working remote-code execution vulnerabilities for firefox in Linux in the wild.
Vulnerabilities being holes in the software or actual software that uses those holes? (You gotta agree there is a huge difference)
No, wrong. Any software that can be compromised like Firefox is automatically at-risk. There's no directed effort about it. In fact, what's doing the exploiting isn't even the picture. I don't see, in this case, how being a human gives you any more advantage to leverage a known security flaw. And if you don't know about the flaw, you're going to research and discover it first, not randomly send garbage to FF or gaim in the hope it breaks.
Well this is kinda contingent on my previous question. A human has the ability to run different tools to exploit the box depending on the situation. A for instance would be a vulnerability in FF giving access to a vulnerability in other software FF can interact with that might not be included in the script/worm that is exploiting the original vulnerability.
LordHunter317
February 28th, 2006, 01:54 PM
Vulnerabilities being holes in the software or actual software that uses those holes? (You gotta agree there is a huge difference)
Both. Check secunia.org if you don't believe me. Working code-execution exploits exist for Firefox on Linux.
And I'm personally of the mind that there very well may be more found before all is said and done.
A human has the ability to run different tools to exploit the box depending on the situation.
Wonderful, but an exploit through FF wouldn't work like that. You don't exploit FF and suddenly get a shell or anything. And an automated worm can just as easily do what's required to execute the exploit in the first place. In fact, the code used to accomplish that is usually identical: When you first launch the worm, it runs the same code as it does on a compromised system.
A for instance would be a vulnerability in FF giving access to a vulnerability in other software FF can interact with that might not be included in the script/worm that is exploiting the original vulnerability.
But how am I going to compromise that second piece of software unless I planned for it? It's not like I can just arbitrarily run whatever code I want in FF whenever I want, however I want.
Stormy Eyes
February 28th, 2006, 02:12 PM
I have more thoughts on this, but I'm wondering if anyone knows the details of Security Enhanced Linux (SELinux).
You don't want to trust anything created by the US government, especially its "National Security Agency".
LordHunter317
February 28th, 2006, 02:19 PM
You don't want to trust anything created by the US government, especially its "National Security Agency".
:rolleyes: Because being written by the government makes it suspect, even though they deploy the most correct and secure code in the world, right?
And ignoring the whole fact, that: If you don't trust them, you need to stop running Ubuntu. SELinux is in 2.6. The source code is available. This doesn't have a thing to do with crypto where it would be conceptually possible for them to create a backdoor in the algorithm that would be near-impossible to track down.
If all you're going to spout is mindless, ignorant paranoia, please don't. This doesn't help anyone. And it's patently absurd.
Jucato
February 28th, 2006, 07:12 PM
Maybe his point was that it's quite difficult to trust someone who is (at least now) known for invading privacy with your security. It's like trusting a thief to sell you a security system. But then again, perhaps they're experts in security that's why they can easily circumvent it.
Putting political stuff aside, I agree with LordHunter, because I think that security isn't really dependent on the desktop environments and its applications. Rather the DE's and apps are actually dependent on how the kernel implements security. I'm no security expert, but that's just how I see things. I may be wrong. :D
prizrak
February 28th, 2006, 08:29 PM
Putting political stuff aside, I agree with LordHunter, because I think that security isn't really dependent on the desktop environments and its applications. Rather the DE's and apps are actually dependent on how the kernel implements security. I'm no security expert, but that's just how I see things. I may be wrong.
You actually seem to have missed his point. He pointed out that you can use Firefox as a venue for attack regardless of any security you have implemented. Security is a complex question (not in the sense that it is difficult rather in the sense that it has many dimensions) there is the underlying design of the OS that deals with rights and access control and policies and such, there are apps that run on top of the kernel that can be exploited, there is remote access policies, and the most important one of all there is the user. If you want to be secure YOU need to be aware of all the different aspects of computer security.
Jucato
February 28th, 2006, 08:48 PM
Oh I see. I was just thinking that flaws in the software that are used to compromise security are successful because of "holes" in the kernel that can be exploited; that if the kernel, by itself (without any security apps like anti-virus, firewalls, etc) has some security flaws, then a security attack will always be possible, and probably the best way to do it will be through software with their own exploitable security issues (like Firefox). But I guess that's just one side of the security issue.
You're right, computer security is a very complex beast. And I don't expect to learn everything in a year's time. I just get by with what I learn from here. Thanks for the info. :D
LordHunter317
February 28th, 2006, 08:58 PM
Maybe his point was that it's quite difficult to trust someone who is (at least now) known for invading privacy with your security.
No, I think he had meant that, he would say this. This sort of kneejerk reaction comes up almost every time the NSA is mentioned as the authors of SELinux, nevermind all the other people who have their fingers in the pot: NIST, Red Hat, a bunch of government contractors, JHU's APL.
But then again, perhaps they're experts in security that's why they can easily circumvent it.
Exactly. Far simpler, this stuff is intended for their own use. Why would they put backdoors in something they're using?
One could make the argument that only published code has the backdoor, but even that makes little sense. NSA has a mission to protect IT assets of American businesses as well, a break-in at a bank could be disastrous. They have a vested interest in improving information security overall.
Putting political stuff aside, I agree with LordHunter, because I think that security isn't really dependent on the desktop environments and its applications.
Yes, it largely is. A secure system requires a secure implementation at all levels.
Rather the DE's and apps are actually dependent on how the kernel implements security.
They're dependent, but that doesn't lead to that the kernel is the only thing that defines platform security. At most, it means that flaws in kernel render everything else meaningless.
But a bug in firefox is still a bug and a potential problem, even under SELinux.
Oh I see. I was just thinking that flaws in the software that are used to compromise security are successful because of "holes" in the kernel that can be exploited;
Rarely. The amount of kernel-level holes is generally pretty small comparatively. That's not to say they're non-existent, but the kernel is generally treated with more care because the consequence is a complete privilege bypass almost unilaterally.
Talikar
February 28th, 2006, 09:28 PM
I could be wrong, but, wouldn't increasing your security increase the possibility of a breach?
Thinking about it, newbies hackers/script kiddies that just want some fun, probably can't really do anything to linux users from the start, and the ones that can couldn't do much and would just probably do some "fun" stuff without damaging too much.
However, a pretty good/pro hacker would look for the computer with the most security since it's more liable to have important information that's worth stealing, am I wrong? So wouldn't they really go at a computer with very hard to add yet well-guarded security rather than someone with just "Good enough" security to maybe turn away the newbie hacker?
Just a thought.
Jucato
February 28th, 2006, 09:30 PM
OT: Wow! This is so great! I'm learning a lot here. Thanks Lord Hunter and prizrak! Now I have two more Linux authorities to look up to. \\:D/
LordHunter317
February 28th, 2006, 09:43 PM
I could be wrong, but, wouldn't increasing your security increase the possibility of a breach?
Not especially, no.
Thinking about it, newbies hackers/script kiddies that just want some fun, probably can't really do anything to linux users from the start, and the ones that can couldn't do much and would just probably do some "fun" stuff without damaging too much.
Most of them are running tools written by real hackers or security people.
They're in a lot ways, just monkey playing with fire. They're not smart enough / daring enough to use it for what it's capable for, but dangerous nonetheless.
However, a pretty good/pro hacker would look for the computer with the most security since it's more liable to have important information that's worth stealing, am I wrong?
No, not at all. More importantly, they know you have nothing of serious value, beyond your identify personal information (e.g., SSN). And if I'm looking for that, I'm going to take the person whose data is the easiest to steal because there are so many easy targets.
Consider it this way: Given a row of cars with half having stereos with no faceplates, and the other having faceplates, the most likely stereos to get stolen are the ones with faceplates.
Generally, if I'm looking for something of value that's unique, I'm going to attack it anyway regardless of what you do. The most relevant example is a Ferrari or other exotic: it's a target no matter how much security you put into it.
Something like bank records is the same way: your odds of being attacked don't go down no matter how much you secure your data. However, your odds of successfully being compromised likely decrease.
The reason is because I know the bank records are valuable.
Attackers after information just don't attack machines unless they know they have something of value (or unless it'll lead to a machine with something of value).
LordHunter317
February 28th, 2006, 09:57 PM
I suppose I should clarify that last statement: Attackers looking for information of value won't attack a machine unless they think it has or will lead to valuable information.
Plenty of attackers are just interested in turning your machine into a spam or botnet, and they could care less about the rest of your computer.
prizrak
March 1st, 2006, 04:58 AM
OT: Wow! This is so great! I'm learning a lot here. Thanks Lord Hunter and prizrak! Now I have two more Linux authorities to look up to. \\:D/
LOL, I wouldn't call myself a Linux authority. Like most of us here I'm still learning :)
saads
March 12th, 2006, 08:28 PM
So basically if you make a mistake, which we all do - then you're screwed. The nice thing about anti-virus software is that if you make a mistake and install some malware then you can later go and remove it with your anti-virus. Is there no equivalent to this on Linux? Do the existing anti-virus applications (Clam, etc) use any type of heuristics to detect malicious code?
Virogenesis
March 12th, 2006, 09:19 PM
Well on the windows platform back in 95-99 most of the virii were intended to destroy these days virus writers aim to use your computer as a botnet to DDoS so you wouldn't get a chance to save your files if you got infected. Be aware not all virii is known to anti virus software
Root kits do exist for windows just as they do for unix based system such as BSD, Linux and Mac os X they are basically grant the user root access to the system.
Trojan horse:
Also known as rootkits you need to install these yourself.
A famous common trojan horse was the famous SubSeven 7 this basically granted access to your computer from a remote host.
Trojans again can do a number of jobs... delete files, open files...
Virus/Virii ( The plural of virus):
Its job to infect files and spread.
It changes files to spread itself.
Deletes, open ports... nasty ****
Worm:
self replicating can create backdoors and usually spread across a network to other hosts will cause you trouble with your network they can also delete files.
With the kernel being patched all the time it's harder for virii and worms but root kits can be applied to a unix based system which is why two great programs exist.
These two programs are called rkhunter and chkrootkit.
Best way of getting rid of rootkits?
Reinstall... rootkits can be a bitch to remove I don't know how to remove one if I got one.
That's why it's good to keep your home separate from /
If I have missed anything or have confused anything Please just correct me.
Sheinar
March 12th, 2006, 09:26 PM
Virii ( The plural of virus)
Actually, the plural of virus is simply 'viruses', not virii.
aysiu
March 12th, 2006, 09:41 PM
Actually, the plural of virus is simply 'viruses', not virii.
Yes. I concur.
Virogenesis
March 12th, 2006, 09:53 PM
Definitions of virii on the Web:
* In the English language, the normal plural of virus is viruses. This form of the plural is correct, and used most frequently, both when referring to a biological virus and when referring to a computer virus. The forms viri and virii are also used as a plural, although less frequently. There is disagreement among users of the Internet over whether these forms should be considered correct. No reputable printed dictionary includes them as correct forms.
http://en.wikipedia.org/wiki/Virii
But yeah each to his own I personally prefer the term virii
1.) viruses sounds too formal
2.) easier to say
3.) virii will get you better search results
aysiu
March 12th, 2006, 09:57 PM
virii, if pronounced in the proper Latin way is not easier to pronounce than viruses, as you have the same number of syllables but duplicate and adjacent vowels.
Jucato
March 12th, 2006, 10:09 PM
Hmm...
I took up Latin so...
viri - is the Latin plural of the word "vir" which means "man". (so viri means "men")
virii - if this were the plural, the singular would have to be virius.
There actually wasn't a plural form of the Latin word virus. It only gained a plural form in English, so the proper plural should be viruses.
EDIT: I forgot another possibility. What if (in Latin) the plural of virus is actually virus?! There are nouns in Latin that are like "sheep" in English (the plural of sheep is sheep, right?).
(This is getting a bit off-topic :D)
Virogenesis
March 12th, 2006, 10:22 PM
how about we take this back on topic rather than "the proper use of english".
But no matter what OS you do choose you'll experience holes.
For instance Mac OS X contains a lot of old BSD Holes which haven't been patched and with opensource allowing forks sometimes the forks never get patched like their counter parts.
Jucato
March 12th, 2006, 10:36 PM
Yeah, getting back on topic.
Not all "mistakes" will screw up your Linux system. I guess it all depends on the kind of malware/virus/rootkit/worm that entered your system. If by any chance it was a virus, a good anti-virus would be able to solve it (not always). malware (spyware/adware) is almost impossible to get. Worms I think do not generally affect us, but might affect other non-Linux systems connected to us (not entirely sure). I guess the biggest threat is really rootkits.
But this also goes true for Windows. It depends on the degree of damage that is done. There will be malware/virus that would only produce annoyance, there will be some that will cause critical damage.
ubuntuman001
March 15th, 2006, 09:13 PM
Hi I want to know if it's possible to get spyware/adware/viruses/worms/whatever malware there is, on ubuntu? I have read on some sites that it is impossible for some of these things to happen on linux but how true is that?
And if there are, what are ways or apps to prevent them?
(Also my computer's network is not connected to any windows or mac computers)
Thanks in advance.
knalle
March 15th, 2006, 09:19 PM
It's possible with all above but it is very very rare in Linux, people can discuss why but so far the badware makers seems to have failed to infest Planet Penguin as much as Microsoft Windows.
Apple OSX has been a little more threatened lately and experts say this is because the platform is getting more popular and thus a target for more badware.
If this theory is true you will be much safer on Linux, a little bit safer on Apple and totally screwed on Windows.
jam'ez
March 15th, 2006, 09:21 PM
it is nigh on impossible. there may be some geniuses that may do it, but they're not going to target you. but i state that the fact of it being impossible is very true as i have never got anything. u will never pick anything up i bet in the whole time u use it, if you want to be on the safe side. install a firewall, e.g. Firestarter.
i have a firewall before the gateway to my network so there is no need, but i still have firestarter installed. there are antiviruses but i don't use them, as they won't find anything!
hope this helps
TLE
March 15th, 2006, 09:21 PM
Searching the forum with the word virus, revealed this link (http://www.ubuntuforums.org/showthread.php?t=136064&highlight=virus) among others.
ubuntuman001
March 15th, 2006, 09:22 PM
Thanks for the quick replies and yes this information does help.
jam'ez
March 15th, 2006, 09:24 PM
that's great. as i said, you won't ever get anything i bet!
that is one reason why i use it, so secure. so stable. Good to use as well!
If you don't have it already get it, if you do GREAT keep using it hehe
followme
March 15th, 2006, 09:29 PM
you have to think of others not just yourself. what I mean by that is if you get an email with a virus and you think it's worth forwarding to your friends, you end up sending that virus to your friends. Guess who's not getting invited to the next BBQ?
The more useful reason to have an anti-virus is to catch the virus/worm so you don't spread it.
jam'ez
March 15th, 2006, 09:39 PM
yeh good point, still i never get them in my mail. dont give my mail address.
still no need for it. gotta watch out tho still for virus' etc etc...
Dont want to send them on, i will end up fixing their pc as usual hehehe.
dbw
March 15th, 2006, 09:45 PM
Well, I use aegis anti-virus and firestarter firewall software. To date, I have found one virus in my time using Linux - one of my windows media codecs was infected!!!
beercz
March 15th, 2006, 09:51 PM
I use clamav for antivirus.
Think it's in universe.
SZF2001
March 15th, 2006, 10:09 PM
If you're really worried, type 'virus' in the Synaptic and it will get you a AntiVirus program. Probably no REAL need to have it, but hey - you never know...
patrick87
March 15th, 2006, 10:58 PM
ok.. here is how i gotta put this.. since this came up at work the other day.
Think about what a MAJORITY of people in the United States and around the world for that matter...use for an os... ill give u 1 guess.
that's right... WINDOWS so therefore, adware, spyware, and virus creators are going to create these files for the largest OS in majority because it will affect the most amount of central users. This works out for us here in the ubuntu community... linux is pretty dang secure as is, however, making small additions in security nvr hurts.
i didn't believe that it was adware/ spyware, and virus free..i purposely went where i knew there were trojans and such on sites.. lol nothing happened. Also, most viruses that would be even written for linux.. would prolly be for a server, not a desktop most likely.. so nothing to worry bout bro... hope u enjoy it like so many of us.
aggiechemist
March 15th, 2006, 11:06 PM
It is largely about exposure. Linux is still a rather small part of the computer world, so virus developers spend little time even trying.
Windows is huge, so it is like a giant target all over the world for hackers.
Of course, Mac OSX has been getting a lot more popular lately. One big sign is that viruses, trojans, etc. are suddenly becoming a much bigger problem for the Mac faithful.
Good old Linux. Too small to be noticed, too big to ignore.
Sef
March 16th, 2006, 03:52 AM
It is largely about exposure. Linux is still a rather small part of the computer world, so virus developers spend little time even trying.
Not about exposure. If that was true, then you would hear about viruses, worms, and trojans for web servers which 2/3 of them run Linux.
It's about design. Linux is designed with separate root and applications. In fact, in some distros, root is not set up with a password. It's there, but you have to set up the password yourself. Windows, on the other hand, defaults to set up with no separation between the root and the applications. So once malware is in, it can go anywhere. Yes, you can set up limited accounts in Windows, but limited accounts is not the default.
Kube
March 16th, 2006, 05:17 AM
I think installing some precautions would be wise if one were just switching over from M$. My job requires me to use Skype (Or is that a Ubuntu alternative?). I installed Firestarter, and got a virus hit with Skype...:(
beercz
March 16th, 2006, 05:18 AM
Not about exposure. If that was true, then you would hear about viruses, worms, and trojans for web servers which 2/3 of them run Linux.
It's about design. Linux is designed with separate root and applications. In fact, in some distros, root is not set up with a password. It's there, but you have to set up the password yourself. Windows, on the other hand, defaults to set up with no separation between the root and the applications. So once malware is in, it can go anywhere. Yes, you can set up limited accounts in Windows, but limited accounts is not the default.
Amen! http://www.theregister.co.uk/2003/10/06/linux_vs_windows_viruses/
beercz
March 16th, 2006, 05:25 AM
I think installing some precautions would be wise if one were just switching over from M$. My job requires me to use Skype (Or is that a Ubuntu alternative?). I installed Firestarter, and got a virus hit with Skype...:(
Skype is available for linux and I have had it running on ubuntu for several months now.
See the following:
https://wiki.ubuntu.com/SkypeHowto?highlight=%28skype%29
http://skype.com/download/skype/linux/
Also searching these forums may help. There have been numerous discussions about Skype here - there are several people using it.
Good luck and post again if you need help.
mcduck
March 16th, 2006, 05:27 AM
I think installing some precautions would be wise if one were just switching over from M$. My job requires me to use Skype (Or is that a Ubuntu alternative?). I installed Firestarter, and got a virus hit with Skype...:(
How do you know that? Firestarter is not antivirus program. It's a tool to control your firewall..
Anyway, here's a cool article about running Windows viruses with Wine, or at least trying to run them :D : http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss
_simon_
March 16th, 2006, 05:41 AM
you have to think of others not just yourself. what I mean by that is if you get an email with a virus and you think it's worth forwarding to your friends, you end up sending that virus to your friends. Guess who's not getting invited to the next BBQ?
The more useful reason to have an anti-virus is to catch the virus/worm so you don't spread it.
The way I see it is that it's up to each individual to protect their own machine.
Anyone running windows should have a firewall and antivirus so any virus email or file forwarded to them on purpose or by mistake should be picked up by their antivirus and destroyed. If that person doesn't have security in place then it's their own fault!
I won't install antivirus on my Linux machine to protect other users!
Coelocanth
March 16th, 2006, 12:08 PM
The way I see it is that it's up to each individual to protect their own machine.
Anyone running windows should have a firewall and antivirus so any virus email or file forwarded to them on purpose or by mistake should be picked up by their antivirus and destroyed. If that person doesn't have security in place then it's their own fault!
Perhaps so, but that's a pretty cold and callous attitude.
I won't install antivirus on my Linux machine to protect other users!
See above. So you'd rather help the hackers out by spreading their garbage to other computer users? :-k Whatever floats your boat though.
_simon_
March 16th, 2006, 12:13 PM
If people are stupid enough to run windows without security then that's not my problem. I could install antivirus software and do my part but they'll only get a virus from elsewhere...
aggiechemist
March 16th, 2006, 12:44 PM
Not about exposure. If that was true, then you would hear about viruses, worms, and trojans for web servers which 2/3 of them run Linux.
It's about design. Linux is designed with separate root and applications. In fact, in some distros, root is not set up with a password. It's there, but you have to set up the password yourself. Windows, on the other hand, defaults to set up with no separation between the root and the applications. So once malware is in, it can go anywhere. Yes, you can set up limited accounts in Windows, but limited accounts is not the default.
OK, I will revise my post. I still think exposure and sheer numbers is important. But I have to agree that system design is also critical.
I have two thoughts to add:
Web Servers: Yes, it is true that Apache and Linux handle huge portions of all internet traffic. However these are not vulnerable systems (generally). The people in charge of this would be secure no matter what they are running. They go to great lengths to be safe, so the operating system they use is kind of moot since they are so cautious. Contrast this with the average windows user, who thinks security updates are optional and will open email with any attachment imaginable.
Default root: I totally agree that it is a massive weak point of Windows to make administrators so common. I think it will be interesting to watch what happens as Vista gets released, since they have finally learned from the rest of the computing world and changed their default behavior.
fairdoes
March 16th, 2006, 01:14 PM
Avast.co have just released an antivirus for linux. I downloaded it today, it runs from the folder it's extracted to (no fancy installation needed).
The update of definitions and scan both worked okay.
I think this is their first version for Linux, and they could do with our encouragement!:)
TeeAhr1
March 16th, 2006, 01:22 PM
If people are stupid enough to run windows without security then that's not my problem. I could install antivirus software and do my part but they'll only get a virus from elsewhere...
Well, that's kind of a cold way to say it, but I agree. I tell all my friends, "you want to be safe? give me an evening with your computer and an install CD, I'll make you safe. not willing to take the plunge? then get a decent anti-virus package and about five anti-spyware utilities and stop calling me asking me to fix your box." I am more than willing to sit down and show someone how to do that, if they're really set against switching to Linux. But if you're just too lazy/apathetic, then you cease to be my concern.
Someone else's bad practices != Pete's problem
Coelocanth
March 16th, 2006, 01:37 PM
If people are stupid enough to run windows without security then that's not my problem. I could install antivirus software and do my part but they'll only get a virus from elsewhere...
Maybe so, but the point is they wouldn't get it from you. Sure, you're not responsible for their box, but by taking such a callous attitude and saying something like "well, if I'm spreading viruses, it's their fault for not protecting themselves" you just become another part of the problem.
Anyway, I guess this isn't worth debating, as I doubt we'll see each other's points of view.
followme
March 17th, 2006, 03:19 AM
goodness, this debate still is going on?!
Let's just say that maybe his family (mom, grandma...whatever) was running M$ and he forwarded a funny picture that had some worm. Wow, now his family is infected because _simon_ didn't care about spreading viruses. It's not his problem, because grandma didn't know that her AV is out of date. Of course the rebuttal is "Well, I spread the wonders of Linux to my family".
sorry, I needed a quick laugh.
nocturn
March 17th, 2006, 04:29 AM
Apple OSX has been a little more threatened lately and experts say this is because the platform is getting more popular and thus a target for more badware.
To be frank, though OS X is also based on Unix (BSD), they are doing it to themselves.
Users are running with way too much privileges and some folders are open to everyone to drop file in (which can then be executed).
This makes a Mac easier to use for novice users, specially Windows converts, but at a price.
The popularity == insecurity dogma is basically flawed because it would mean that on servers, Apache and Unix would be the prime target and Windows/IIS would be left alone, yet the opposite is true.
If windows would completely disappear though, crackers would turn to Linux as their prime target and they will succeed but not with the great ease they do today, which will put a lot of them off. The ones doing it for a profit would remain though.
WoodyMahan
March 17th, 2006, 11:19 PM
It would seem to me that the whole Open Source Architecture offers enough checks and balances with different programmers working with the source files enough to recognize when anything unusual or malicious might show up. This renders it nearly impossible to introduce a virus.
evilc
March 18th, 2006, 07:09 AM
I personally run F-Prot AntiVirus only because I sometimes send copies of mail I have received to Windows users. I don't use a Firewall as when tested with Shield Up Ubuntu has no open ports. You can try it yourself: go to www.grc.com and select Shield Up, approx. halfway down the page.
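A local complement to the external port scan described in the post above, as an added example that is not part of the original thread: it parses the kernel's `/proc/net/tcp` table and separates listening sockets bound only to loopback from those bound to other addresses, which an outside scan cannot distinguish from "closed". The sample rows are constructed, and the address decoding assumes a little-endian host and IPv4 only.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0A01A8C0:9C40 010200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
"""

TCP_LISTEN = 0x0A  # kernel TCP state code for LISTEN


def decode_ipv4(hex_addr):
    """Decode the hex IPv4 field as printed on a little-endian host (assumption)."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def listening_sockets(proc_text):
    """Return (ip, port, loopback_only) for every socket in LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        try:
            hex_ip, hex_port = fields[1].split(":")
            if int(fields[3], 16) != TCP_LISTEN:
                continue  # established or closing connection, not a listener
            ip, port = decode_ipv4(hex_ip), int(hex_port, 16)
        except (IndexError, ValueError, struct.error):
            continue  # blank or malformed row
        found.append((ip, port, ip.startswith("127.")))
    return found


def exposed(proc_text):
    """Listening sockets bound to a non-loopback address."""
    return [(ip, port) for ip, port, lo in listening_sockets(proc_text) if not lo]


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:  # IPv4 only; /proc/net/tcp6 is not parsed
        for ip, port, lo in listening_sockets(fh.read()):
            print(f"{ip}:{port}", "loopback only" if lo else "bound beyond loopback")
```

In the constructed sample, the listener on 127.0.0.1:631 is invisible to any remote scan, while the one on 0.0.0.0:22 is reachable unless a firewall or router blocks it.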
ubuntuman001
March 23rd, 2006, 07:12 PM
This announcement is for the ubuntu staff: how about converting this thread into a sticky? I believe this thread would be very helpful for new ubuntu users, as many are interested in security, and basically every security issue in ubuntu is discussed here.
So how about it?
ubuntuman001
March 23rd, 2006, 07:54 PM
i got a virus on my aegis scanner!!!!!
what's going on?!?!?!?!?
ubuntuman001
April 15th, 2006, 07:11 PM
well whatever removed and quarantined my win32 virus
all i've got to say is: WHATEVAS
ubuntuman001
April 15th, 2006, 07:12 PM
So...ubuntu forum staff...
how do you feel about making this a sticky in absolute beginner section???
kingcharles1666
April 24th, 2006, 03:11 PM
Hi,
As a complete Linux noob I have a question:
How safe are the repositories?
Let me explain, I switched to Linux because I wanted to get reliable and safe. With the root account disabled and only using the gui tools to config my system (not skilled enough to use a terminal!) I thought Ubuntu was the best for me.
But! I get these update notifications and when I allow them to be installed I am opening my system for possible malware. Because what if a hacker has dropped a package in the repository and lets me "update"
Can somebody please assure me that this cannot happen?
Thanks Charles
aysiu
April 24th, 2006, 03:20 PM
Because what if a hacker has dropped a package in the repository and lets me "update"
Can you explain how a cracker would just "drop" a package in the repository?
mostwanted
April 24th, 2006, 03:25 PM
Can you explain how a cracker would just "drop" a package in the repository?
The same way a hacker drops packages in Windows Update all the time... or are you telling me there was some other reason I got that malware on Windows? :p
kingcharles1666
April 24th, 2006, 03:28 PM
I hope you are not asking me!
I was the noob remember....
So if you say that this is impossible then the repositories are safe?