Thread: The ubuntu is 100% safe promise

  1. #11
    Join Date
    Jun 2012
    Beans
    301

    Re: The ubuntu is 100% safe promise

    Quote Originally Posted by Soul-Sing View Post
    Hi, could we, as a loCo, come with this promise for an out-of-the-box desktop system? Because of:{snip}

    How can we best inform and educate beginners in security related matters?
    Is it just a "relax and enjoy", or is there more to say?

    regards
    S.
    I think this is a Most Excellent question and I'd like to help in any way I can.

    The First Thing I'd add to what we have now would be to put Firefox under AppArmor -- "out of the box". It's simple enough to disable the profile in case of trouble. I noticed that an AppArmor profile for Firefox came with Ubuntu.

    The profile came disabled. Last night I enabled it and put it in complain mode. Just now, checking, I got one error:
    Code:
    Reading log entries from /var/log/syslog.
    Updating AppArmor profiles in /etc/apparmor.d.
    
    Profile:  /usr/lib/thunderbird/thunderbird.sh
    Execute:  /bin/which
    Severity: unknown
    
    
    (I)nherit / (P)rofile / (C)hild / (N)ame / (U)nconfined / (X)ix / (D)eny / Abo(r)t / (F)inish
    bill@ACKER4:/etc/apparmor.d$
    I didn't know what to do with this flag so I selected "Finish"; perhaps there will be a comment on this ??

    A Study of hack attacks clearly shows that for the desk-top/client end-point computer, browser attacks are #1. E-mail would be #2 but these would include "phishing" attacks which attempt to persuade the user to make a bad move. This is another topic which requires a study of reputable sources and hopefully PGP Trust Models.

    So: My initial contribution is (1) distribute Ubuntu with Firefox and Thunderbird under AppArmor, and (2) Caution every new user: stick to the stuff in the Ubuntu Software Library.

    I think if we do a little more work on Software Recommendations we can improve that last part.

    This is really a very important thread. It has been 10 days now since I moved my Win7 system to the basement and shifted my daily activity to Ubuntu.

    So far the 2 programs that I feel I've had to take downgrades on are MusicBee and CDBurnerXP. I'm using Audacious and K3B.

    Offering a system that is difficult to hack and has good programs is huge. And I think we're getting there. Dell is already offering systems with Ubuntu installed -- my brother's business selected that option!
    ~~~~~
    Amendment

    In protecting the browser we should ask: what are we protecting: (1) "droppers" -- which attempt to install some kind of RAT into your O/S (Linux won't allow this) -- or (2) snooping/exfiltrating sensitive data? This latter will be a harder question as we must prevent installation of any type of plug-in modification to the browser.
    Last edited by mike acker; November 3rd, 2012 at 12:20 AM. Reason: amendment
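
An added example, not part of the original post: a short Python script that summarizes the AppArmor events behind a prompt like the one quoted in post #11. `ALLOWED` marks an access that complain mode logged but permitted, `DENIED` one that enforce mode blocked. All log lines are constructed samples, and the Firefox and example-daemon profile names and paths are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel audit format AppArmor writes to syslog.
# Only the first mirrors the thread (thunderbird.sh executing /bin/which).
SAMPLE_SYSLOG = """\
Nov  3 07:01:12 host kernel: [  812.101] type=1400 audit(1351926072.101:31): apparmor="ALLOWED" operation="exec" profile="/usr/lib/thunderbird/thunderbird.sh" name="/bin/which" pid=2107 comm="thunderbird.sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Nov  3 07:01:15 host kernel: [  815.440] type=1400 audit(1351926075.440:32): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/user/.example/notes.txt" pid=2210 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov  3 07:01:16 host kernel: [  816.002] type=1400 audit(1351926076.002:33): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox" name="/home/user/.example/notes.txt" pid=2210 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov  3 07:02:40 host kernel: [  900.007] type=1400 audit(1351926160.007:34): apparmor="DENIED" operation="open" profile="/usr/sbin/example-daemon" name="/etc/shadow" pid=2300 comm="example-daemon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov  3 07:03:00 host CRON[2400]: (root) CMD (true)
"""

# Matches key="quoted value" or key=bare_value pairs.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def summarize(text):
    """Count events by (mode, profile, operation, name, denied_mask)."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev:
            counts[(ev["apparmor"], ev.get("profile"), ev.get("operation"),
                    ev.get("name"), ev.get("denied_mask"))] += 1
    return counts


def exec_decisions(counts):
    """Complain-mode exec events, the kind behind an 'Execute:' prompt."""
    return sorted({(profile, name) for mode, profile, op, name, _ in counts
                   if mode == "ALLOWED" and op == "exec"})


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_SYSLOG).most_common():
        print(n, *key)
```

Grouping repeated events this way shows which profile asked for what before any prompt is answered; the exec entries are the ones that need an inherit, child-profile or deny decision.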

  2. #12
    Join Date
    Sep 2011
    Beans
    1,531

    Re: The ubuntu is 100% safe promise

    Quote Originally Posted by Soul-Sing View Post
    Hi, could we, as a loCo, come with this promise for an out-of-the-box desktop system? Because of:
    - Ubuntu has SUDO
    - Ubuntu has TRUSTED SOFTWARE SOURCES
    - Ubuntu has no significant listening services: NO OPEN PORTS
    - Malware is written for Windows
    - There are no Linux viruses active in "the wild"

    I am aware of this excellent guide: https://wiki.ubuntu.com/BasicSecurity with its myth and reality way of explaining security. But for an average beginner, it is technical, and deterrent (imho).
    How can we best inform and educate beginners in security related matters?
    Is it just a "relax and enjoy", or is there more to say?

    regards
    S.
    OMG ARE YOU SERIOUS?!?!?!? You can't be. This has to be trolling.

    You can't call it 100% secure BECAUSE IT'S NOT!!!!!!!!!!!!!!!!

    Proof:
    [Attached image: ubuntuIsVulnerable.jpg]
    That is a list of 2,423 vulnerabilities associated with Ubuntu. Not all of them can be exploited, but a vast majority of them can. (If I get any push-back on this point, then I'll give you a screen shot of the oodles of canned exploits for Ubuntu available in Metasploit). You need beginner to moderate skills to use more than 50% of those exploits using open source & easily obtained tools.

    It is intolerably irresponsible to suggest 100% security to anyone with any operating system. Aside from the fact that users notoriously fail to install every security patch as soon as they're available, you cannot know when someone will find & exploit a new vulnerability that no one knew about.

    The whole purpose of the Basic Security Wiki was precisely to address the question you ask. What's appropriate security for each individual user can only be determined by that user when they've understood some basic principles.

    There is no short cut to security.
    There is no short cut to security.
    There is no short cut to security.
    Last edited by Ms. Daisy; November 3rd, 2012 at 01:38 AM.

  3. #13
    Join Date
    Sep 2011
    Beans
    1,531

    Re: The ubuntu is 100% safe promise

    Quote Originally Posted by OpSecShellshock View Post
    I would feel pretty comfortable saying that the risk of getting malware is considerably lower even without taking any additional steps aside from installing Ubuntu as the OS. Since a lot of people think of a lower malware risk as security, it would probably be good enough for them, and they wouldn't have to know anything more technical than that if they didn't want to.

    The risk of everything other than malware is probably about the same as other modern operating systems, but everything other than malware combined is still tiny compared to malware as far as problems an average user is likely to encounter on the web.

    So yeah that doesn't have quite as much punch as saying 100% secure, but it's the best I can do.
    Well said.
    Many exploits happen through the browser, which has nothing to do with the operating system. It's an important point, but many many non-technical users won't understand the differentiation. It all gets lumped into one category.

  4. #14
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: The ubuntu is 100% safe promise

    Quote Originally Posted by Ms. Daisy View Post
    There is no short cut to security.
    There is no short cut to security.
    There is no short cut to security.
    +1. Security is a process not a product. Even though *nix is supposedly more secure than Windows, most of the stuff I have run into has been targeting the browser, not the OS.

    NoScript is awesome to have, as it stops most of these before they can run. AppArmor for confining Firefox and the like helps prevent the damage it can do should something malicious be executed.

    The only way to be 100% secure is to be disconnected from the internet and buried in a block of cement at the bottom of the ocean (and you still have to worry about those wifi eels...)

  5. #15
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: The ubuntu is 100% safe promise

    After 6/7 years of giving support on a forum and on IRC, we have never seen a person being "surprised" by malware, or another severe security issue. I must say, admit even, our focus isn't very much security related matters, although we have a rather up-to-date wiki. But we very rarely deal with security related questions.
    I also have the impression that most cases here, on this forum: "am I under attack?" etc, etc, in most cases are false positives. (rkhunter alarms about rootkits.)
    Second, no I am not trolling, as a person I am a huge fan of the myth-reality approach of the security wiki. I use ufw with inbound and outbound rules, apparmor, etc. My personal focus lies very much on security related matters.
    This is the core question:

    How can we best inform and educate beginners in security related matters?
    Is it just a "relax and enjoy", or is there more to say?


    thx
    Last edited by Soul-Sing; November 5th, 2012 at 05:14 PM.

  6. #16
    Join Date
    Feb 2011
    Location
    Somewhere...
    Beans
    1,543
    Distro
    Ubuntu 13.10 Saucy Salamander

    Re: The ubuntu is 100% safe promise

    We can't give our users a false sense of security, because it's only a matter of time before Ubuntu gets more attention and gets exploited. When Microsoft released Windows 98 (or 95), they made a solid statement that Windows 98 can't be breached. I take it that you know the rest of the story.

    The most important aspect in computer security is the users, and if we make the users think they don't need to secure themselves, then they're doomed. We need to tell the average users to "stay safe, don't do anything shady, etc. etc. and you'll be able to take advantage of Ubuntu's security features".
    Last edited by zombifier25; November 3rd, 2012 at 08:16 AM.

  7. #17
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: The ubuntu is 100% safe promise

    The most important aspect in computer security is the users, and if we make the users think they don't need to secure themselves, then they're doomed
    This.

    But on the other hand, if "we" give them the tools/security tools, and they don't know how to use them, or how to read the outcome. There is a lot of fear in this subforum. Do read all the items about the outcome of rkhunter, chkrootkit files and warnings. There is also a lot of doubt in this subforum among users, and in recommendations: "please format, you never know who or what's in your system". And most of all a lot of uncertainty how to interpret the results of security tools.

    Is there a way to teach users how to interpret results of all these security tools? Do we know how to interpret all the results of security tools presented here by users? What is fear, and what are facts.

    thx
    Last edited by Soul-Sing; November 3rd, 2012 at 04:44 PM.

  8. #18
    Join Date
    Jun 2012
    Beans
    301

    Re: The ubuntu is 100% safe promise

    Quote Originally Posted by Ms. Daisy View Post
    Well said.
    Many exploits happen through the browser, which has nothing to do with the operating system. It's an important point, but many many non-technical users won't understand the differentiation. It all gets lumped into one category.
    The browser is probably the #1 attack vector. It is interesting to note that compromising the browser may be sufficient for the attacker's purpose. He may wish to exfiltrate information from your system, particularly banking credentials.

    The browser should consist of several parts:

    • the binary executable code
    • plug-ins
    • working set data for each current active tab

    The binary code should be obtained from the root library and should be running in "userland" -- thus not real easy to tamper with.

    The plug-ins though -- the browser picks those up under each user-id. But you don't need SUDO to add a plug-in to your browser... which could mean a rogue script could add one silently.

    The browser should act somewhat like a vm supervisor executing each open tab as a separate problem program. If this is done properly it will be difficult for a script running in one tab to exfiltrate data from another tab: each tab should have its own memory protection structure (I think each tab has to run as a separate process in your system to make this happen).

    Thinking about this it occurred to me the AppArmor profile is probably a good idea. I have the one written by Jamie Strandboge that came with the system running in complain mode now. I didn't get any errors from it this morning but I'll run it again after I finish all my morning site visits.
    ~~~

    The #2 attack vector is probably "phishing": conning the user into installing a bad program.

    For this latter we all need to further our understanding of PGP Trust Models. I am not satisfied that the current method -- your browser supplies a list of x.509 certificates -- is adequate or proper.

    The missing part is that, at a minimum, I need to generate a PGP Keypair and then sign (e.g.) Verisign's certificate. Once that's done, items signed and counter signed by Verisign will get the green light on my system; anything countersigned by some other CA will list as "untrusted". Which is the right way for this to be done.

  9. #19
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: The ubuntu is 100% safe promise

    A big part of the reason that there's so much fear is that risk analysis is boring but someone else taking control of your system without you knowing is scary and exciting.

    Tools like chkrootkit and rkhunter are completely useless to anyone who doesn't already know what's supposed to be there in the first place. Tools like tcpdump and wireshark are useless to anyone who doesn't know how to make sense of a packet capture. A user who is afraid something bad has happened on their system won't be reassured by the output of a tool they don't understand.

    Also, there seems to be disproportionate fear of things like rootkits and keyloggers, which are bad, sure, and are possible, sure, but are also not necessary for getting at the most valuable (in terms of being able to sell it) data from people. Most data breaches are completely outside the control of the people whose data gets breached. Most malware is installed by people who get paid tiny commissions for every installation, which creates the incentive to target Windows and occasionally OSX. Most exploits and compromises of Linux systems are written, tested, and used by security enthusiasts to demonstrate that it can be done and to find ways to prevent it or create incentives to patch.

    Anyway, getting more into the theory stuff. Basically I think it's more constructive to discuss the outcomes users are concerned about rather than the specific mechanisms.

  10. #20
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: The ubuntu is 100% safe promise

    Anyway, getting more into the theory stuff. Basically I think it's more constructive to discuss the outcomes users are concerned about rather than the specific mechanisms.
    So show the facts (the outcome/logs/etc.) and not only the fears. I was looking into that direction too.
    We can easily feed fear, and become very technical about security. But "we" can help analyze outcomes/logs/the facts, etc.

    I am into skipping the rkhunter/chkrootkit software on my system. Are you able to read the outcome? Has it ever shown a positive on this security subforum? I have never seen a positive on our forum. The outcome of "rootkithunters" is often that obscure, we can only support the outcome with a "try google".
    Last edited by Soul-Sing; November 3rd, 2012 at 04:43 PM.
