Ubuntu/Linux/Windows and Viruses/Malware

[az]

Would you say it's secure more because it's open source, or because it's good design? While open source is definitely a bonus, I think that good design is by far the bigger factor.

Bad design gets changed over time or dumped for something better when using open source. If it is closed source, chances are there are fewer motivations to change it if it works.

[sonny]

Regarding passwords. No system/program/website/whatever with decent security in mind would ever store a password. A hash (also called checksum) of the password is stored instead.

You have probably heard of or even used checksums. If the checksum of what you downloaded and the checksum of what the developer published matches then you know the download has not been altered on the way. In the same way, if the hash (or checksum) of what you entered, and the hash (or checksum) in the password setting matches then the system knows you entered the right password.

So there is no stored passwords to steal.

Still. All the security in the world won't help if your password is a real word or anything else that is logical to use as password. A program can try whole dictionaries of all real words and all things known to have been used as passwords before.

I think (not sure though) there is a 1 secound delay after each failed login in linux which means the program can try only 3600 passwords per hour, but stealing the password hashes would allow the program to try passwords against the hashes without the delay.

Still, if your password is something that is not in any dictionary or database over known passwords then you are safe until you accedently give it away. Perhaps by using the same pass on a low security online game that does store passwords and gets hacked. Or by entering it in a fake login prompt. Or by logging in from a school computer that another student put a logger on. Or..... Well there is a lot of ways to reveal it.




Personally I never use the same pass in more then one place. All my passwords are L33t-$pE@k of one or two misspelled swedish words with a 3-4 digit random number thrown in, which is semi safe while still possible to remember.

Ok.. I think I get the point, so it's almost imposible to break into a 9+ digit password machine. I'll change my password, I'm 1 digit from that...

[Big Venus]

But then too linux being open source, people are finding bugs and security vunerbilities everyday and contacting the people that make the code and they modify it and there goes a patch or update version of the app. So I would think that if it is a legitimet site and lots of people used it, I would think that it would be safe to use, but then if it was something that not alot of people use like say "evince" then I may doubt it was safe to use.

[virgule]

My password is 18 characters long with capitals and numbers in the middle of the word spelt backwards in an ancient non Indo-European language older than Latin. Think I'm safe?

If your password is "go" "pass" "login", something stupid like that or a dictionary word then that's your own fault!

What about chars who look similiar to each others like l, 1, | , 0, O, c, (, j, i, !? I'd say
4!1B13(CD|lidboe&0O is quite a secure password does it?

[poofyhairguy]

How hard could it be for a virus to gain SU privileges in Linux?,

Very hard...we don't have a default su account in Ubuntu.

cuz I mean is just a password, there are thousands of password breaking tools out there, so I suppose the real question would be, how secure is your admin password in Linux, more specific in Ubuntu cuz there's a lot of questions about using sudo instead of su?

In this case...Ubuntu's downfall would be social engineering (aka someone tricking you into telling them your password). No OS can defend against that.

[egon spengler]

Regarding passwords. No system/program/website/whatever with decent security in mind would ever store a password. A hash (also called checksum) of the password is stored instead.

You have probably heard of or even used checksums. If the checksum of what you downloaded and the checksum of what the developer published matches then you know the download has not been altered on the way. In the same way, if the hash (or checksum) of what you entered, and the hash (or checksum) in the password setting matches then the system knows you entered the right password.

So there is no stored passwords to steal.

on it's own a hash provides only authentication, not privacy. it's no surprise that passwords are not stored in a plaintext file, that would make things too easy for an uninvited visitor but as you said it's no defense against a brute force attack. i wonder if it's public knowledge which hash algorithim ubuntu uses? if it is then IF someone was able to obtai the digest of your password then it wouldn't be too hard to retrieve the password

[az]

Very hard...we don't have a default su account in Ubuntu.

Ever read "Smashing the stack for run and profit?"

Every single vulnerability that is labelled "priviledge escallation" is just that - something that can become root. There are many such vulnerabilities. Nothing is secure.
All things being relative, it is a bigger concern on a microsoft system, because it is easier to exploit and the vulnerabilities are generally more severe.

[sonny]

on it's own a hash provides only authentication, not privacy. it's no surprise that passwords are not stored in a plaintext file, that would make things too easy for an uninvited visitor but as you said it's no defense against a brute force attack. i wonder if it's public knowledge which hash algorithim ubuntu uses? if it is then IF someone was able to obtai the digest of your password then it wouldn't be too hard to retrieve the password

So as my understanding... the machine doesn't keep the password, only generates a hash for the password, then an algorithim to match up with the hash. Am I right, or I missunderstood the whole thing?... I'm asking all this cuz I often get this questions by windows above-average-educated users, so please teach me.

[Optimal Aurora]

That is why it a program that is the equilivant to antivirus needs to be default for the ubuntu installation... No system is ever completely secure, however with selinux and other programs like (antivir and others) should be worked on regularly... Heck a Mac OSX or OS9 etc... never seems to have a virus on it but they do from time to time, so that is why we need to make one for linux, if over 2500 HPD is registered on Distrowatch and I know a lot more people than that actually use ubuntu and linux in general, WE NEED AN ANTIVIRUS PROGRAM THAT IS ALWAYS UP TO DATE. Sorry for shouting but I wanted to make a point...

[egon spengler]

So as my understanding... the machine doesn't keep the password, only generates a hash for the password, then an algorithim to match up with the hash. Am I right, or I missunderstood the whole thing?... I'm asking all this cuz I often get this questions by windows above-average-educated users, so please teach me.

one of the properties of a hash is that when a text string is entered into it it produces a unique output. lets say for example i apply my hash to your name sonny and it produces the output "skirufy748fhvn". sonny should be the only word in the world that will produce that same output of "skirufy748fhvn".

what i imagine ubuntu does is when you create a password the actual password is never saved, instead the string entered is hashed and saved as password-digest. from then on whenever you enter a password the password you enter is hashed and compared to password-digest. because a string should always produce a unique output when hashed if they match then it means the correct password was entered