Ubuntu/Linux/Windows and Viruses/Malware

[poofyhairguy]

Even if you did get some sort of permissions set up in windows, it would be too painful to install software since there is no "su".

Or for us:

gksudo

[Takis]

That demonstrates the point that OSS is secure by default.

Would you say it's secure more because it's open source, or because it's good design? While open source is definitely a bonus, I think that good design is by far the bigger factor.

[CoriolisSTORM]

The deal with windows is that we have a select group of people that look at and design the code. The plus of OSS is that we have many more people that look at and design the code which makes it less likely for vulnerabilities and exploits and the like to slip by. Since most spyware uses ActiveX, and as far as I know Linux does not use that, we are for the most part safe. I've also heard its harder to write viri for Linux than windows. Anyone know anything about that?

[sonny]

The "not run as administrator all the time" is the safest thing about Ubuntu. I know Windows technically can do it...but many programs break if you are not an admin (programs that shouldn't need admin access).

How hard could it be for a virus to gain SU privileges in Linux?, cuz I mean is just a password, there are thousands of password breaking tools out there, so I suppose the real question would be, how secure is your admin password in Linux, more specific in Ubuntu cuz there's a lot of questions about using sudo instead of su?

[weekend warrior]

My password is 18 characters long with capitals and numbers in the middle of the word spelt backwards in an ancient non Indo-European language older than Latin. Think I'm safe?

If your password is "go" "pass" "login", something stupid like that or a dictionary word then that's your own fault!

[shakin]

Things no one usually mentions are Java and Firefox. As Firefox usage increases, malware writers will target cross-browser and cross-platform exploits.

Java is a huge factor since a JVM priviledge escalation exploit will nail both IE and Firefox users. It would be extremely trivial to have that malware work on Linux if the programmer(s) chooses to do so, assuming the JVM exploit also works on Linux. Different JVM implementations will make a difference, but most people use Sun's.

The Firefox team also has to be very wary of its extensions interface as I could easily see adware and spyware coming packaged as an extension. If they find a bug in the extensions manager they may even be able to hide its existence. It may come packaged with a toolbar. You never know.

All things considered, I would recommend disabling Java support in Firefox unless it's something you regularly need (which it isn't for most people). Javascript will still work, just disable Java.

[sonny]

My password is 18 characters long with capitals and numbers in the middle of the word spelt backwards in an ancient non Indo-European language older than Latin. Think I'm safe?

If your password is "go" "pass" "login", something stupid like that or a dictionary word then that's your own fault!

Well that only gets them to try harder, but the question is about some who is trying to still your password (perhaps a cracker) to get into your files or database, is it harder than in windows, or is it impossible to get the password in a Linux machine? Cuz I don't know what securities and locks have the password storage-file, it has to be somewere, how hard could it be to break it?

[weekend warrior]

"Well that only gets them to try harder"

LOL! Who exactly are we talking about here, the Clan of Desperate Hermit Crackers? Do you have any idea how long a brute force attack would take on something like that? They must have no social life and really really want all my TOP SECRET data!

[aysiu]

All things considered, I would recommend disabling Java support in Firefox unless it's something you regularly need (which it isn't for most people). Javascript will still work, just disable Java.

I've done this and have never encountered any problems. Can people give me examples of when you do need Java? I haven't yet found a need for it in my internet surfing.

[Kvark]

Regarding passwords. No system/program/website/whatever with decent security in mind would ever store a password. A hash (also called checksum) of the password is stored instead.

You have probably heard of or even used checksums. If the checksum of what you downloaded and the checksum of what the developer published matches then you know the download has not been altered on the way. In the same way, if the hash (or checksum) of what you entered, and the hash (or checksum) in the password setting matches then the system knows you entered the right password.

So there is no stored passwords to steal.

Still. All the security in the world won't help if your password is a real word or anything else that is logical to use as password. A program can try whole dictionaries of all real words and all things known to have been used as passwords before.

I think (not sure though) there is a 1 secound delay after each failed login in linux which means the program can try only 3600 passwords per hour, but stealing the password hashes would allow the program to try passwords against the hashes without the delay.

Still, if your password is something that is not in any dictionary or database over known passwords then you are safe until you accedently give it away. Perhaps by using the same pass on a low security online game that does store passwords and gets hacked. Or by entering it in a fake login prompt. Or by logging in from a school computer that another student put a logger on. Or..... Well there is a lot of ways to reveal it.




Personally I never use the same pass in more then one place. All my passwords are L33t-$pE@k of one or two misspelled swedish words with a 3-4 digit random number thrown in, which is semi safe while still possible to remember.