The ubuntu is 100% safe promise

[mike acker]

Hi, could we, as a loCo, come with this promise for an out-of-the-box desktop system? Because of:{snip}

How can we best inform en educate beginners in security related matters?
Is it just a "relax and enjoy", or is there more to say?

regards
S.

I think this is a Most Excellent question and I'd like to help in any way I can.

The First Thing I'd add to what we have now would be to put Firefox under AppArmor -- "out of the box" It's simple enough to disable the profile in case of trouble. I noticed that an AppArmor profile for Firefox came with Ubuntu

the profile came disabled. last night i enabled it and put it in complain mode. just now, checking, I got one error

Code:

Reading log entries from /var/log/syslog.
Updating AppArmor profiles in /etc/apparmor.d.

Profile:  /usr/lib/thunderbird/thunderbird.sh
Execute:  /bin/which
Severity: unknown


(I)nherit / (P)rofile / (C)hild / (N)ame / (U)nconfined / (X)ix / (D)eny / Abo(r)t / (F)inish
bill@ACKER4:/etc/apparmor.d$

I didn't know what to do with this flag so I selected "Finish"; perhaps there will be a comment on this ??

A Study of hack attacks clearly shows that for the desk-top/client end-point computer, browser attacks are #1. E/mail would be #2 but these would include "phishing" attacks which attempt to persuade the user to make a bad move. This is another topic which requires a study of reputable sources and hopefully PGP Trust Models.

So: My initial contribution is (1) distribute Ubuntu with Firefox and Thunderbird under AppArmor, and (2) Caution every new user: stick to the stuff in the Ubuntu Software Library

I think if we do a little more work on Software Recommendations we can improve that last part.

This is really a very important thread. It has been 10 days now since I moved my Win7 system to the basement and shifted my daily activity to Ubuntu

So far the 2 programs that I feel I've had to take downgrades on are MusicBee and CDBurnerXP. I'm using Audacious and K3B

Offering a system that is difficult to hack and has good programs is huge. And I think we're getting there. Dell is already offering systems with Ubuntu installed,-- my brother's business selected that option!
~~~~~
Amendment

in protecting the browser we should ask: what are we protecting: "droppers" -- which attempt to install some kind of RAT into your O/S (Linux won't allow this ) -- or (2) snooping/exfiltrating sensitive data ? this latter will be a harder question as we must prevent installation of any type of plug-in modification to the browser

[Ms. Daisy]

Hi, could we, as a loCo, come with this promise for an out-of-the-box desktop system? Because of:
- Ubuntu has SUDO
- Ubuntu has TRUSTED SOFTWARE SOURCES
- Ubuntu has no significant listening services: NO OPEN PORTS
- Malware is written for Windows
- There are no Linux viruses active in "the wild"

I am aware of this excellent guide: https://wiki.ubuntu.com/BasicSecurity with his myth and reality way of explaining security. But for an average beginner, it is technical, and deterrent.(imho)
How can we best inform en educate beginners in security related matters?
Is it just a "relax and enjoy", or is there more to say?

regards
S.

OMG ARE YOU SERIOUS?!?!?!? You can't be. This has to be trolling.

You can't call it 100% secure BECAUSE IT'S NOT!!!!!!!!!!!!!!!!

Proof:
ubuntuIsVulnerable.jpg
That is a list of 2,423 vulnerabilities associated with Ubuntu. Not all of them can be exploited, but a vast majority of them can. (If I get any push-back on this point, then I'll give you a screen shot of the oodles of canned exploits for Ubuntu available in Metasploit). You need beginner to moderate skills to use more than 50% of those exploits using open source & easily obtained tools.

It is intolerably irresponsible to suggest 100% security to anyone with any operating system. Aside from the fact that users notoriously fail to install every security patch as soon as they're available, you cannot know when someone will find & exploit a new vulnerability that no one knew about.

The whole purpose of the Basic Security Wiki was precisely to address the question you ask. What's appropriate security for each individual user can only be determined by that user when they've understood some basic principles.

There is no short cut to security.
There is no short cut to security.
There is no short cut to security.

[Ms. Daisy]

I would feel pretty comfortable saying that the risk of getting malware is considerably lower even without taking any additional steps aside from installing Ubuntu as the OS. Since a lot of people think of a lower malware risk as security, it would probably be good enough for them, and they wouldn't have to know anything more technical than that if they didn't want to.

The risk of everything other than malware is probably about the same as other modern operating systems, but everything other than malware combined is still tiny compared to malware as far as problems an average user is likely to encounter on the web.

So yeah that doesn't have quite as much punch as saying 100% secure, but it's the best I can do.

Well said.
Many exploits happen through the browser, which has nothing to do with the operating system. It's an important point, but many many non-technical users won't understand the differentiation. It all gets lumped into one category.

[CharlesA]

There is no short cut to security.
There is no short cut to security.
There is no short cut to security.

+1. Security is a process not a product. Even though *nix is supposedly more secure than Windows, most of the stuff I have run into have been targeting the browser, not the OS.

NoScript is awesome to have, as it stops most of these before they can run. AppArmor for confining firefox and the like helps prevent the damage it can do should something malicious be executed.

The only one to be 100% secure is to be disconnected from the internet and buried in a block of cement at the bottom of the ocean (and you still have to worry about those wifi eels...)

[Soul-Sing]

After 6/7 years of giving support on a forum and on IRC, we have never seen a person being "surprised" by malware, or an other severe security issue. I must say, admit even, our focus isn't very much security related matters, although we a rather up-to-date wiki. But we very rarely deal with security related questions.
I also have the impression that most cases here, on this forum: "i am being under attack?" etc, etc, in the most cases are false positives. (rkhunter alarms about rootkits.)
Second, no I am not trolling, as a person I am huge fun of the myth-reality approach of the security wiki. I uses ufw with inbound and outbound rules, apparmor, etc. My personal focus lays very much on security related matters.
This is the core question:

How can we best inform en educate beginners in security related matters?
Is it just a "relax and enjoy", or is there more to say?

thx

[zombifier25]

We can't give our users a false sense of security, because it's only a matter of time before Ubuntu gets more attention and, gets exploited. When Microsoft released Windows 98 (or 95), they made a solid statement that Windows 98 can't be breached. I take that you know the rest of the story.

The most important aspect in computer security is the users, and if we make the users think they don't need to secure themselves, then they're doomed. We need to tell the average users to "stay safe, don't do anything shady, etc. etc. and you'll be able to take advantage of Ubuntu's security features".

[Soul-Sing]

The most important aspect in computer security is the users, and if we make the users think they don't need to secure themselves, then they're doomed

This.

But on the other hand, if "we" give them the tools/security tools, and they don't know how to use them, or how to read the outcome. There is a lot of fear is this subforum. Do read all the items about the outcome of rkhunter, chkrootkit files and warnings. There is also a lot of doubt is this subforums among users, and in recommendations: "plaese format you never know who/or whats in your system". And most of all a lot of uncertainty how to interpret te results of security tools.

Is there a way how to learn users how to interpret results of all this security tools? Do we know how to interpret all the results of security tools presented here by users? What is fear, and what are facts.

thx

[mike acker]

Well said.
Many exploits happen through the browser, which has nothing to do with the operating system. It's an important point, but many many non-technical users won't understand the differentiation. It all gets lumped into one category.

The browser is probably the #1 attack vector. It is interesting to note that compromising the browser may be sufficient for the attacker's purpose. He may wish to exfiltrate information from your system particularly banking credentials

The browser should consist of several parts:

• the binary executable code
• plug-ins
• working set data for each current active tab

the binary code should be obtained from the root library and should be running in "userland" -- thus not real easy to tamper with


the plug-ins though -- the browser picks those up under each user-id. but you don't need SUDO to add a plug-in to your browser... which could mean a rogue script could add one silently


the browser should act somewhat like a vm supervisor executing each open tab as a separate problem program. if this is done properly it will be difficult for a script running in one tab to exfiltrate data from another tab: each tab should have its own memory protection structure (I think each tab has to run as a separate process in your system to make this happen)


thinking about this it occurred to me the AppArmor profile is probably a good idea. I have the one written by Jamie Strandboge that came with the system running in complain mode now. I didn't get any errors from it this morning but I'll run it again after I finish all my morning site visits.
~~~

the #2 attack vector is probably "phishing" : conning the user into installing a bad program

for this latter we all need to further our understanding of PGP Trust Models. I am not satisfied that the current method -- your browser supplies a list of x.509 certificates -- is adequate or proper.

the missing part is that, at a minimum, I need to generate a PGP Keypair and then sign (e.g.). Verisign's certificate. once that's done, items signed and counter signed by Verisign will get the green light on my system; anything countersigned by some other CA will list as "untrusted". which is the right way for this to be done.

[OpSecShellshock]

A big part of the reason that there's so much fear is that risk analysis is boring but someone else taking control of your system without you knowing is scary and exciting.

Tools like chkrootkit and rkhunter are completely useless to anyone who doesn't already know what's supposed to be there in the first place. Tools like tcpdump and wireshark are useless to anyone who doesn't know how to make sense of a packet capture. A user who is afraid something bad has happened on their system won't be reassured by the output of a tool they don't understand.

Also, there seems to be disproportionate fear of things like rootkits and keyloggers, which are bad, sure, and are possible, sure, but are also not necessary for getting at the most valuable (in terms of being able to sell it) data from people. Most data breaches are completely outside the control of the people whose data gets breached. Most malware is installed by people who get paid tiny commissions for every installation, which creates the incentive to target Windows and occasionally OSX. Most exploits and compromises of Linux systems are written, tested, and used by security enthusiasts to demonstrate that it can be done and to find ways to prevent it or create incentives to patch.

Anyway, getting more into the theory stuff. Basically I think it's more constructive to discuss the outcomes users are concerned about rather than the specific mechanisms.

[Soul-Sing]

Anyway, getting more into the theory stuff. Basically I think it's more constructive to discuss the outcomes users are concerned about rather than the specific mechanisms.

So show the facts (the outcome/logs/etc.) and not only the fears. I was looking into that direction too.
We can easily feed fear, and become very technical about security. But "we" can help analyze outcomes/logs/the facts, etc.

I am into skipping the rkhunter/chkrootkit software on my system. Are you able to read the outcome? Has it ever shows a positive on this security subforum? I have never seen a positive on our forum. The outcome of "rootkithunters" is often that obscure, we can only support the outcome with a:"try google".