The ubuntu is 100% safe promise

[Ms. Daisy]

Sure, Ubuntu boxes have been owned. We've seen evidence of that on this forum. They're usually poorly configured servers though, I haven't personally seen any desktops without services getting owned on this forum.

Tools like chkrootkit and rkhunter are completely useless to anyone who doesn't already know what's supposed to be there in the first place. Tools like tcpdump and wireshark are useless to anyone who doesn't know how to make sense of a packet capture. A user who is afraid something bad has happened on their system won't be reassured by the output of a tool they don't understand.

+10,000

Again, the whole purpose of the Basic Security Wiki was to address these precise points that the OP raised. 1. How can we give the average user a sense of security without getting too technical? 2. How can an average user set up a reasonably secure Ubuntu box? 3. Can we introduce slightly more complex ideas to the new user? 4. Can we give the average user some guidance in reading logs when they think they've been owned?

The major problem we encountered when creating those documents is that security IS technical. It cannot be distilled into easy-to-digest sound bytes for non-technical users. If we are going to be really, truly honest, the fact is you need to understand a threat before you can say you're properly defending against it. So an uneducated user can never say they're 100% secure.

For us to say "relax and enjoy" to me says "don't worry about anything, click on anything, don't bother with updates." And that's patently untrue. Unfortunately at this point in time, the user bears some of the responsibility in remaining secure. Perhaps one day the industry will improve and be able to secure non-technical users in spite of themselves. But for now it just doesn't work that way.

[mike acker]

{snip}Basically I think it's more constructive to discuss the outcomes users are concerned about rather than the specific mechanisms.

I think everyone has a right to be able to compute without a hacker adjusting their activity.

This is going to start with UEFI, which I think is a wonderful idea. I should have bought a UEFI motherboard but I thought those were for Windows only. Looks like starting 12.10 we will be able to use UEFI also.

[CharlesA]

Sure, Ubuntu boxes have been owned. We've seen evidence of that on this forum. They're usually poorly configured servers though, I haven't personally seen any desktops without services getting owned on this forum.

I've seen a few desktop boxes owned due to VNC, but nothing lately.

As for the rest of your post +1. I know we had a lot of help from some security professionals when working on that wiki page and it really shows.

It all goes back to security being a process not a product.

[Soul-Sing]

I know we had a lot of help from some security professionals when working on that wiki page and it really shows

And I'am very very grateful for their contributions. In content and the way of explaining stuff. Again grateful for that.
And indeed security, getting involved into security, is a proces and not an product. Bodhi, Dangertux and many others, they did guide many members in the possibilities of securing Ubuntu in a great way. But, as I know from my own experience, the learning curve becomes soon very steep. Although there is a difference between being silly and well informed.
At that moment in time many members loss the interest in the proces of securing computers, imho. When "security" becomes a never ending, tiresome, ratrace against the "bad" outside world. Tolerance of risk, as said in the security wiki is a true phrase.
But in my experience, at that moment, the makers of great guides, the makers of great howto's, doesn't bring the goodness to many members. Members get tired. (of it)
I would like to thank everyone for the input. Any other input into the discussion is always welcome.
I hope that my input is somewhat understood. The balance between fear and facts for instance. I don´t want security to be in the fear, panic corner, but in the corner of cool and collected thinking, as written in the security wiki.

thx for now

[OpSecShellshock]

So show the facts (the outcome/logs/etc.) and not only the fears. I was looking into that direction too.
We can easily feed fear, and become very technical about security. But "we" can help analyze outcomes/logs/the facts, etc.

I am into skipping the rkhunter/chkrootkit software on my system. Are you able to read the outcome? Has it ever shows a positive on this security subforum? I have never seen a positive on our forum. The outcome of "rootkithunters" is often that obscure, we can only support the outcome with a:"try google".

I don't use any rootkit detection, anti-malware, or file integrity monitoring software on my computers. It's too high maintenance. In order to get any use out of them you need to run them once on a system when it's first built to establish a baseline, then again after every intentional system configuration change and software update. Who is realistically going to do that on their home systems? I am a security professional and I think it's tedious and useless.

On this forum I only recall one time that I saw an indication that someone's system was owned that was not a either a server or running VNC or poorly secured SSH, and that was someone who installed a desktop theme they got off a website and happened to contain some extra stuff.

[CharlesA]

I don't use any rootkit detection, anti-malware, or file integrity monitoring software on my computers. It's too high maintenance. In order to get any use out of them you need to run them once on a system when it's first built to establish a baseline, then again after every intentional system configuration change and software update. Who is realistically going to do that on their home systems? I am a security professional and I think it's tedious and useless.

Likewise. I don't even bother running rkhunter or whatever on my home server because I know it is locked down and only accessible remotely from a couple IP addresses, but I still check logs off and on to be sure.

On this forum I only recall one time that I saw an indication that someone's system was owned that was not a either a server or running VNC or poorly secured SSH, and that was someone who installed a desktop theme they got off a website and happened to contain some extra stuff.

Same here. I think the majority of cracked boxes were either poorly security SSH or having a VNC server open to the internet (with no password). The other ones could be considered trojans because something was downloaded and excecuted under the guise of a desktop theme for example (gnomelook or some such thing, a while back).

[OpSecShellshock]

And I'am very very grateful for their contributions. In content and the way of explaining stuff. Again grateful for that.
And indeed security, getting involved into security, is a proces and not an product. Bodhi, Dangertux and many others, they did guide many members in the possibilities of securing Ubuntu in a great way. But, as I know from my own experience, the learning curve becomes soon very steep. Although there is a difference between being silly and well informed.
At that moment in time many members loss the interest in the proces of securing computers, imho. When "security" becomes a never ending, tiresome, ratrace against the "bad" outside world. Tolerance of risk, as said in the security wiki is a true phrase.
But in my experience, at that moment, the makers of great guides, the makers of great howto's, doesn't bring the goodness to many members. Members get tired. (of it)
I would like to thank everyone for the input. Any other input into the discussion is always welcome.
I hope that my input is somewhat understood. The balance between fear and facts for instance. I don´t want security to be in the fear, panic corner, but in the corner of cool and collected thinking, as written in the security wiki.

thx for now

There's a reason why keeping backups was one of the first things we came up with when working on the security wiki. Being able to do a quick recovery in the event something bad happens is far easier than trying to head off everything that could possibly go wrong (which will always fail because it's constantly changing).

[KaosuX]

Hi, could we, as a loCo, come with this promise for an out-of-the-box desktop system? Because of:
- Ubuntu has SUDO
- Ubuntu has TRUSTED SOFTWARE SOURCES
- Ubuntu has no significant listening services: NO OPEN PORTS
- Malware is written for Windows
- There are no Linux viruses active in "the wild"

I am aware of this excellent guide: https://wiki.ubuntu.com/BasicSecurity with his myth and reality way of explaining security. But for an average beginner, it is technical, and deterrent.(imho)
How can we best inform en educate beginners in security related matters?
Is it just a "relax and enjoy", or is there more to say?

regards
S.

A 100% guarantee is not practical, possible or even remotely plausible. Once the developers/maintainers of Ubuntu begin touting off a "you're safe, we promise!" philosophy then that is the first step to their demise. I can appreciate your sentiment, but you just have to understand that it isn't realistic.

To be extremely truthful, Ubuntu is not as secure as you think with a default installation. The default installation is suitable for most real-world desktop machines and you likely won't run into too many issues, but it is not configured around any sort of real security policy, outside of some very basic security principals.

I do understand how easy it is to simply look on the surface of a problem like this and have a feeling of being safe in comparison to other platforms or distributions out there. However, don't fall victim to complacency. Too many people think that if the machine has no Internet-facing services enabled then they are safe, and that is simply not the case. As previously stated by another poster, the recent Java vulnerabilities are a perfect example of this.

Since a large part of my day is reverse engineering user-land applications, components of various operating systems and some pieces of hardware for the sole purpose of finding and patching security vulnerabilities, I tend to see the overwhelming amount of zero-day's (Read as: unpatched vulnerability) that are actively being exploited by all kinds of nefarious people.

Again, while the default Ubuntu installation is fine for most people, it isn't all that secure in nature. I am glad that it follows a few basic security principals that do make average users much safer. However, no operating system or piece of software can ever offer a 100% guarantee when it comes to security.

Your other argument is that even the Wiki is too technical for the average user. Well, sometimes two things just don't mix well together. Security (practical or theoretical) just isn't a topic an average user should delve into without expecting some learning curve on their part. When knowledge is your greatest weapon, you can't expect to intentionally disarm yourself and still achieve such a high margin of security.

The bold text is the exact reason why security is a process and not a state that can truly be achieved. Things change almost daily and the only defense you can truly rely on is your knowledge. Even then, your knowledge is not infinite and will always be limited to some degree. Therefore, 100% security is not achievable within the scope of the original poster's argument.

Ubuntu has SUDO

Sudo has had many security-related problems in the past and should not be seen as a fool-proof measure. Here is a link that illustrates a good amount of security-related issues with Sudo. Most of them in the form of Ubuntu Security Bulletins:

http://packetstormsecurity.org/searc...sudo%20exploit

Ubuntu has TRUSTED SOFTWARE SOURCES

All software repositories fall victim to the same underlying problem: They cannot verify every last bit of code that is eventually submitted and then pushed through these official repositories. Most will operate under a "safe enough" assumption.

Don't get me wrong, this is fine and acceptable. However, it would not be impossible for a malicious payload to be hidden within a large project.

Ubuntu has no significant listening services: NO OPEN PORTS

This is not the only attack vector. Also, if an average user felt that they were guaranteed 100% security, they become more likely to start up services themselves instead of being cautious about it.

Malware is written for Windows

I am sorry, but this is just flat-out misinformation. While it may not be as rampant, and you might not be as vulnerable as you would be on Microsoft Windows, it is still just wrong to think that "malicious software is written for Windows"

There are no Linux viruses active in "the wild"

That depends on your definition of "in the wild". As previously stated, malware is still a threat in the *nix world, it is just a slightly different kind of threat.

When using Microsoft Windows, malware is usually the cause of a breach. When using *nix, malware is usually the product of a breach.

[mike acker]

{snip} Security (practical or theoretical) just isn't a topic an average user should delve into without expecting some learning curve on their part. When knowledge is your greatest weapon, you can't expect to intentionally disarm yourself and still achieve such a high margin of security.{snip}

I have been fascinated learning the process of security in Ubuntu/Linux

This Report -- although a little dated really piqued my interest and resulted in my creating my first U-box out of an old Dell the kids had left me,-- and now -- building my own ASUS based system

so that is some background

Today I find it interesting to reflect on the question: what should be "in the box" ? Security wise.

I'm running the AppArmor profile written by Jamie Strandboge in fail mode now and it seems to be fine. I wish I knew more about this profile. The thing that worries me most about a browser is un-authorized updates to the browser plug-ins. On windows every other day we got hit with another bonk-bar of some type. Hopefully the AppArmor means no updating the browser

MSFT has attempted to address this same question in Win8,-- adding UEFI and their updated Windows Defender. and more ASLR, DEP. ASLR/DEP is no substitute for running re-entrant code on exec only memory though...

nonetheless it's relevant as "what's in the box" seems to be a current question

I like the notes in our sticky re A/V, Firewalls, and AppArmor and am trying to learn to use AppArmor

UEFI is also very interesting. I'll be looking for more news from the 12.10 release relevant to this. Hopefully the ASUS motherboards will provide a keyring with Canonical as well as MSFT public keys.

[chadk5utc]

interesting bit of reading on UEFI
http://www.zdnet.com/blog/open-sourc...d-fedora/11187
http://www.zdnet.com/blog/open-sourc...-and-free/9827