
Thread: Why an Ubuntu desktop is just as insecure as a Windows desktop

  1. #31

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by Rinzwind View Post
    No I am not: sudo is Ubuntu's securityMillions of windows users and flawed services. Mail is inherited flawed that opened up spam.
    SPAM could effectively be removed from the world by a few simple additions to the mail relay system.

    Zero Linux users though (even windows users coming to Ubuntu know downloading software from the web and executing it is a NO-NO )

    -

    Ubuntu IS more secure than windows. Windows uses admin as a user. Ubuntu does not. Hence it IS more secure.
    Ubuntu IS more secure than Fedora: Fedora uses root as admin.

    Ubuntu is more secure since you need both the user account that is sudo and that password. And you will not be able to get the password without that user's consent! (be it from asking it or be it from executing a script (basically that's the same thing)).
    And as long as you require someone to download and execute something all you breach is 1 system. Not an OS!

    Thing is... it is not the OS's responsibility to guard -me- from -my- mistakes. If I let you know my sudo password I made that mistake. Not the OS.
    Ubuntu is less secure than Fedora, in that Ubuntu caches the sudo credential for a period of time allowing it to be reused. Fedora requires the root user be authenticated every single time, which is more secure.

    Windows does not require users to run as "Admin", and hasn't since XP (which for all intents and purposes is a dead OS).
    [ Fuduntu.org ] - [ Fuduntu Forum ] - [ Fuduntu Blog ] - [ Fuduntu Wiki ]

    For a classic desktop with the latest apps, get Fuduntu!

  2. #32

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by 3Miro View Post
    Flash may read data that is in your browser, how would you get it to run a bash command. Also, even if you get flash to download a file, it still needs the "+x" flag in order to run (and setting this is beyond unsavvy people's skill level).

    Flash is proprietary, most of the issues with Windows security come from Windows being closed. Yes, if Linux becomes closed, it will become insecure.
    overflow overflow overflow execute this blob

  3. #33
    Join Date
    Dec 2005
    Location
    The Netherlands
    Beans
    682
    Distro
    Ubuntu Development Release

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by fuduntu View Post
    Ubuntu is less secure than Fedora, in that Ubuntu caches the sudo credential for a period of time allowing it to be reused. Fedora requires the root user be authenticated every single time, which is more secure.

    Windows does not require users to run as "Admin", and hasn't since XP (which for all intents and purposes is a dead OS).
    No Fedora is less secure when it comes to remote access. I should have added that in my 1st post about that. Sorry!

    We all know Fedora uses root as admin account so all we need is the password after we end up on the login prompt.
    We all do NOT know what Ubuntu uses as sudo account so you need both username and password when you get to the login prompt.
    In this respect Ubuntu's way is more secure.

    The caching of the sudo password is not a problem cuz if you can access that you do not need the sudo password anymore

    ===

    What TS poses is flawed: I say that if a user needs to input a password for someone else to gain access to that system the flaw is not with the OS but with the user.

    Ubuntu is NOT flawed. Btw! Fedora is not flawed too. Just not my OS
    Hello, all my posts come without warranty

  4. #34
    Join Date
    Apr 2008
    Location
    RiceMonsterland, Canada
    Beans
    Hidden!

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by Rinzwind View Post
    Ubuntu IS more secure than windows. Windows uses admin as a user. Ubuntu does not. Hence it IS more secure.
    Ubuntu IS more secure than Fedora: Fedora uses root as admin.
    Wrong on all parts.

    Windows does not have to be run as admin. I run Windows 7 as a limited user, and it behaves the same way a Linux distro would.

    Sudo is also used to provide root access for specific commands. In Ubuntu's case, it provides full root access via sudo. Sudo's actual purpose is to provide root access for specific things to lock down your system. On Ubuntu, you can even log in as root easily via any of the following:

    Code:
    sudo su
    sudo bash
    sudo sh
    The list will include any other shells installed on your system. Blocking those commands in /etc/sudoers does not work to prevent them, because you also need to block any command that can copy data. For example, if I block sudo su, I can get around it by doing:
    Code:
    sudo cp /sbin/su /sbin/haxors
    sudo haxors
    Up to you whether you are ok with that, but the point is, full access via sudo is really not any more secure than using root. It's a matter of asking whether you want to administrate from the same, or a different id. Your argument is based on security through obscurity, which is a poor method of security.

    Quote Originally Posted by Rinzwind View Post
    Ubuntu is more secure since you need both the user account that is sudo and that password. And you will not be able to get the password without that user's consent!
    Same thing for root.
    Code:
    while true; do echo -n "RiceMonster "; done
    Best thread ever
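
An added example, not part of the original post: a small audit for the sudoers pattern discussed above, where a rule grants ALL commands and then tries to subtract a few with "!". It goes slightly beyond the post by also flagging passwordless full-root rules. The function names and the sample rules are constructed for illustration, and the parser is simplified (no line continuations, aliases are not expanded).

```sh
#!/bin/sh
# Constructed sample sudoers content (not taken from any real system).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
bob ALL=(ALL) ALL, !/bin/su, !/bin/bash
%lazy ALL=(ALL) NOPASSWD: ALL
carol ALL=(root) /usr/bin/apt-get update
EOF
}

# audit_sudoers [FILE]: read sudoers text (stdin if no FILE) and report
#   DENYLIST <who>: <cmds>  - ALL granted, with "!" exclusions that a copied
#                             or renamed binary would not match
#   NOPASSWD-ALL <who>      - ALL granted without a password prompt
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ { next }   # comments, blanks, Defaults
    {
        spec = $0; sub(/^[^=]*=/, "", spec)        # keep the part after "="
        nopass = (spec ~ /NOPASSWD[ \t]*:/)
        gsub(/\([^)]*\)/, "", spec)                # drop (runas) specs
        gsub(/[A-Z_]+[ \t]*:/, "", spec)           # drop tags such as NOPASSWD:
        n = split(spec, item, ","); all = 0; neg = ""
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+|[ \t]+$/, "", item[i])
            if (item[i] == "ALL") all = 1
            else if (item[i] ~ /^!/) neg = neg " " substr(item[i], 2)
        }
        if (all && neg != "") print "DENYLIST " $1 ":" neg
        if (all && nopass)    print "NOPASSWD-ALL " $1
    }' "${1:--}"
}
```

Run `sample_sudoers | audit_sudoers` to see the two findings. Rules that list only the specific commands a user needs, like the `carol` line, produce no finding.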

  5. #35

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by 3Miro View Post
    A program needs root access to try and attack another machine (usually). There are ways to protect your personal data (use encryption and keep your browser history clean for a start), but if you are specifically targeted by a hacker, this is getting hard.

    The problem with Windows is that there are "automated" attacks that succeed so often and affect so many people.
    This isn't correct, a program does not need root access to initiate outbound connections (required to attack another machine). In fact, it doesn't even need root access to create listening sockets. If you have a firewall though, root access would be needed to alter it to allow the connections to be made though.

  6. #36
    Join Date
    Apr 2008
    Location
    RiceMonsterland, Canada
    Beans
    Hidden!

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by Rinzwind View Post
    No Fedora is less secure when it comes to remote access. I should have added that in my 1st post about that. Sorry!

    We all know Fedora uses root as admin account so all we need is the password after we end up on the login prompt.
    We all do NOT know what Ubuntu uses as sudo account so you need both username and password when you get to the login prompt.
    In this respect Ubuntu's way is more secure.
    OpenSSH contains an option to disable remote root login. Just enable that, login from a different ID, and then type su. Problem solved. Do some research before you make an argument against something.

  7. #37
    Join Date
    Aug 2006
    Beans
    13,354
    Distro
    Ubuntu Mate 20.04 Focal Fossa

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    OK, let's assume for a moment that you did write a proof of concept or whatever you say, and...?
    What's the idea of posting here in the Cafe?

    The Community Chat area is for lighthearted and enjoyable discussions, like you might find around a water cooler at work.

    Almost any non-tech-support topic may be discussed here. Discussions on religion and politics are not allowed, except for politics directly related to free and open source issues. Any topic or discussion that causes problems or drama will be closed. This area is intended for fun and community building, not arguments. Please take those elsewhere. Thanks!

  8. #38

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Quote Originally Posted by Rinzwind View Post
    No Fedora is less secure when it comes to remote access. I should have added that in my 1st post about that. Sorry!

    We all know Fedora uses root as admin account so all we need is the password after we end up on the login prompt.
    We all do NOT know what Ubuntu uses as sudo account so you need both username and password when you get to the login prompt.
    In this respect Ubuntu's way is more secure.

    The caching of the sudo password is not a problem cuz if you can access that you do not need the sudo password anymore

    ===

    What TS poses is flawed: I say that if a user needs to input a password for someone else to gain access to that system the flaw is not with the OS but with the user.

    Ubuntu is NOT flawed. Btw! Fedora is not flawed too. Just not my OS
    So, Fedora requires the root password which is different than the user password.

    Ubuntu requires the user password to sudo which is the same as the user password.

    Tell me again how Fedora is less secure? Fedora requires two distinctly different passwords, where Ubuntu requires one. I would argue that it is much less likely that the root password would be exposed than the user password, not to mention that the firewall disallows remote SSH connections by default.

    Ubuntu is actually flawed. I proved this last year.

  9. #39
    Join Date
    Jan 2008
    Beans
    4,305

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop


  10. #40
    Join Date
    Mar 2009
    Beans
    1,982

    Re: Why an Ubuntu desktop is just as insecure as a Windows desktop

    Wow.

    I can't believe so many people argue how unrealistic it is to get a trojan onto Linux.

    It can happen, it does happen. Security breaches can and do compromise Linux systems all the time, either due to the persistence of the attacker or through the ignorance of the system administrator.

    The OP is exactly on target, except his example is ridiculously obvious and assumes an idiotic system owner with sudo access. There are several things that make what he's saying much more realistic and much harder to defend against in the real world.

    1. You can modify one line in /etc/sudoers to enable any authenticated user to run any command on the system as root with no password.
    2. I guarantee that a bunch of people have done it, no matter how stupid it actually is to do so
    3. There are tons of malicious ways for malware to use your computer without actually harming your system.
    4. Modern malware doesn't necessarily want to harm your system, because chances are your system has nothing of significant value.


    Here's an exercise:

    Type echo $PATH and see if it contains /home/youruser/bin. Also check if it's in the beginning of $PATH or toward the end. Lots of users add some user-writable directory to $PATH and add it at the beginning of the variable. That's a security hole because the system checks the directories of $PATH in order, and executes the first example of the command it finds. So I could have /home/1clue/bin/ls overwritten by the trojan, and it's running as me next time I try to use ls.

    So, if I'm lazy and have made that change to /etc/sudoers, suddenly they can run anything they want as root. If not, they can still run anything that's installed into a directory I can write to, and if they managed to get that ls idea to work then they can also modify $PATH to their liking for that session. And they can add a crontab entry under my user, and they can do anything a normal user can do.

    So, what can happen? One of the common things to do is set up an IRC server or client, which either exposes itself or monitors some foreign site for a trigger. When the trigger happens, they can either run a DDOS attack on some site or they can make a few apparently random pokes at some site they believe to hold valuable information, and then stop for awhile. In all, the apparently random pokes made on your system match up with similar pokes from hundreds of other sites, which makes an intelligently coordinated distributed attack on some site with credit card information or whatever. They don't need root access on your system for that, just your default access.

    So some of you are asking how such a file would get on your system and how it would be executed. That's not hard either.

    How many of you have installed Linux in the first place by burning an iso file you downloaded from a random mirror site? Do you even know that you used a mirror? How many of you verified the md5sum of that iso file before you burned it? How many of you paid any attention to security warnings on the site since then? You could have installed that malware yourself when you installed Ubuntu.

    One of the most common methods to introduce malware is to piggyback it onto some trusted install and then hope nobody notices. It's usually on a mirror site somewhere because mirrors are often unattended and the security may be lower there. If they offer a checksum of some sort for the image, you'd better use it. That whole practice came about BECAUSE it was a problem, not in case it was a problem.

    Synaptic checks files before installing so chances are pretty good those files are uncorrupted, but any applications you might have installed outside that mechanism aren't so safe and you should validate them any way you can.

    Finally, those pages referenced which refer to viruses and Ubuntu fail to mention trojans or even malware. The thing that makes viruses so insignificant for Linux is only true for viruses, not for malware in general.
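
An added example, not part of the original post: the $PATH exercise above turned into a check that walks the search order, reports each directory a given user can write to, and lists the later commands that a same-named file there would override. It assumes GNU stat (as on Ubuntu); the function names are hypothetical.

```sh
#!/bin/sh
# dir_writable_by DIR UID: true if UID owns DIR with u+w, or DIR has any
# group/other write bit (group membership is not resolved, so g+w counts).
dir_writable_by() {
    _st=$(stat -L -c '%u %a' "$1" 2>/dev/null) || return 1
    _owner=${_st% *}; _mode=${_st#* }
    [ $(( 0$_mode & 022 )) -ne 0 ] && return 0
    [ "$_owner" -eq "$2" ] && [ $(( 0$_mode & 0200 )) -ne 0 ]
}

# audit_path PATH_STRING [UID]: walk entries in search order and print
#   WRITABLE <position> <dir>      for each entry UID can write to
#   SHADOW <file> hides <command>  for each file there that has the same
#                                  name as a file in a later PATH entry
audit_path() {
    _uid=${2:-$(id -u)}; _rest="$1:"; _pos=0
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}; _rest=${_rest#*:}; _pos=$((_pos + 1))
        [ -n "$_dir" ] || _dir=.        # empty entry means current directory
        dir_writable_by "$_dir" "$_uid" || continue
        echo "WRITABLE $_pos $_dir"
        for _f in "$_dir"/*; do
            [ -f "$_f" ] || continue    # also skips an unmatched glob
            _later=$_rest
            while [ -n "$_later" ]; do
                _d=${_later%%:*}; _later=${_later#*:}
                [ -n "$_d" ] || _d=.
                if [ -f "$_d/${_f##*/}" ]; then
                    echo "SHADOW $_f hides $_d/${_f##*/}"
                    break
                fi
            done
        done
    done
}
```

After sourcing the file, run `audit_path "$PATH"` as your normal user. A WRITABLE entry at a low position, or any SHADOW line, is the situation the post describes; moving the user-writable directory to the end of $PATH removes the shadowing.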
