Comments on The Blog of Helios: What Myth Do You Want To Kill Today?
Updated: 2024-02-14T02:30:36.732-05:00

[2009-11-13T14:31:45.970-06:00]
@kozmacrae, quite so. And really the attitude is understandable considering the industry giant, the one smaller companies aspire to kick off its perch, absolutely will not tell you about a flaw in its software.

You can see the same attitude from the Xbox360 users and the RRoD issue: it's not the machine it's the user/developer because dust/didn't lift the powerbrick/pushed the machine too hard/whatever. It's never Microsoft's fault.

Indeed OSS's tendency to go "Yep, that's a problem" is used against us because well... MS is 100% fault tolerant so we're not.

Posted by Van' (https://www.blogger.com/profile/03338605055348655505)

[2009-08-30T01:46:34.762-05:00]
Amen Helios, Amen!

Posted by mtinman (https://www.blogger.com/profile/04266504767348487564)

[2009-07-17T21:38:48.593-05:00]
Security is more than an operating system, it is a mindset. If the mindset is wrong, then the OS won't save you.

I mention this because there is a world of insecure Linux machines on the Internet right now -- in boxes marked "ADSL modem".
Those machines run everything as root, can't be automatically upgraded, don't run SELinux, etc.

The difference between Windows and Linux is that if you set about making Linux secure you end up with a machine not too far from what came out of the distributor's box, whereas with Windows you end up with a very customised machine that isn't useful for very much.

Posted by Glen Turner

[2009-06-29T14:49:24.906-05:00]
Regarding Ubuntu firewalls:
Ubuntu does come with a firewall called ufw. It's pretty easy to activate, but could be easier.

Canonical could, in the Ubuntu install process, ask if the user wants the firewall activated, and how.

Posted by Lester McGrath-Rosario (https://www.blogger.com/profile/11526938553334674230)

[2009-06-28T02:55:18.837-05:00]
Despite some technical inaccuracies, Ken has it. But there's more.

Recently there was a bit of publicity over an article that claimed it was possible to circumvent the use of the execute permission, so a user could download a malicious file and double-click it to run it, and that it could eventually gain root permission through some trickery. It used a .desktop file to do this.

When the Windows fans responded to the article with "Haha, Linux is insecure" they were forgetting a couple of things:

1. Only Gnome was fully vulnerable, as it neither displayed the ".desktop" extension nor required the file to have execute permission.

2. KDE's behaviour toward the file would raise alarm bells for users, and XFCE would require execute permission for the file (so, basically unaffected).

4. The VERY NEXT version of Gnome contained a comprehensive fix for the theoretical vulnerability - the .desktop extension is now displayed for any .desktop files that have not been created by Gnome, and if you try to use one of those files it gives you a warning.

Compare that to Microsoft. Firstly, every piece of software is immediately runnable on Windows anyway; so a Linux distribution with the flaw becomes as secure as Windows, not less secure.
Secondly, this sort of non-critical vulnerability would take Microsoft months to fix, and could take Apple up to four years to fix (if we take the setuid Applescript vulnerability as an example).

Thirdly, the vulnerability affected something like 40% of desktop Linux users (Gnome users only); on Windows, a vulnerability like that would affect 100% of desktop Windows users, and possibly a large number of Windows CE/Windows Mobile users.

Mac OS X hasn't really been attacked much because there aren't as many crackers with OS X, and there aren't really many users. Apple has frighteningly-bad security auditing that has resulted in leaky firewalls, privilege escalation attacks that use the design of the system rather than the implementation (can't be fixed without breaking program compatibility), a guest user account that can still run code after logout, and designed remote code execution in Safari.

Linux systems, at least, are designed with a bit of care toward secure practice.

Posted by Christopher Lees

[2009-06-26T12:40:25.946-05:00]
It wholly depends on how that Unix system is structured and administrated. The Pwn2Own contest of 2008 hacked the mac in like some ridiculous time...4 minutes or something but they used a java/flash exploit to do it. Your system may be rock solid but if your browser is wonky, then it is the weakest link in the defense.

On a side note, I remember the hackers, after being asked why they could never make Linux fall, responded that if they only had a few more minutes, Linux would have fallen too. Well, it's been two years almost and it still hasn't fallen.
Whoever hacks Linux after those guys failed has some huge cred coming their way and you would think that if it could have been done it would have been.

Mac fell because of sloppy peripheral policies...not because the Unix backbone was deficient in any way.

This whole argument has been interesting but I think helios boiled it down nicely.

"You must use antivirus, I do not, deal with it."

Posted by Andrew Magnus UT-Austin

[2009-06-26T11:47:43.035-05:00]
I recently heard an "expert" on radio use this same argument against the Mac OS: "It's not as popular as Windows so there aren't that many viruses created for it".

Does the explanation Helios uses for Linux apply to all Unix based systems, or just Linux?

Posted by Lester McGrath-Rosario (https://www.blogger.com/profile/11526938553334674230)

[2009-06-23T14:54:15.356-05:00]
I think that while Linux is more secure overall, it is far from bulletproof.

If Linux Desktops get more popular, you'll see more 'viruses' designed for it. I am pretty sure servers are attacked too. The good part is that the Viruses designed for Linux have to be fancier, that's all.

Also, nothing prevents attacks based on Social Engineering, the main security hole is ALWAYS between the chair and the keyboard.

Posted by zelrik (https://www.blogger.com/profile/05352442374426769245)

[2009-06-23T09:37:29.151-05:00]
"LOL, you might want to take a stroll around Sourceforge until you get comfortable.
I only found three in ten minutes.
Besides, there are some of the most sophisticated intrusion detection apps in Linux that you could want, all real time and they operate independently of any firewall."

That so? Please share with us, I've been looking for a firewall with a GUI that allows me to know if (a known or unknown) app suddenly needs access to the network. Last time I checked, there was ONE app that did exactly what I wanted, but the project had been abandoned years back.
These three firewall projects you're referring to, are they like a one-man's-job or something? Good documentation?

The various IDS solutions in Linux are great. But most of them are a pain to configure if you're a semi-newbie like me. Take snort for instance - a great piece of app but a pain in the __s to configure. Samhain is a decent one but looks better on paper than in real use... well for some reason Samhain doesn't jibe well with my system. No GUI btw.
Comodo has an excellent IDS with a GUI that works well and can be installed independent of their pro suite.
I believe there is Snort for Windows as well.
Actually, there are tons of good IDS apps for Windows!

I want to repeat that if you run Windows as a regular user, implement Software Restriction Policy and have set conservative file/folder permissions you don't even need an antivirus or IDS - you could use AV for scanning email messages but same goes for the Linux box. You're at least as secure as you could accomplish with Linux + other security apps.

In many distros, you don't even get a firewall. Ubuntu for example doesn't come with one. Hundreds of thousands of ubuntu-users don't use a basic protection layer as a firewall and with no security measures taken, plus an ill-configured sudo file, they think they're so secure because everybody else says Linux is so secure out-of-the-box.
I simply don't buy that.
Fedora and CentOS are serious distros that take security seriously and they both come with a firewall and SELinux.

What about unnecessary services/daemons that many distros still use in their default configurations that make your vulnerability landscape so much vaster? (Same can be said for Windows but I've already said there are pros and cons for both systems.)

BTW, Windows has better file permission config options than Linux. All available via a nice GUI.

I may sound like a Linux basher but I'm not. But I'd like to see some balance in the arguments for the pros and cons every OS has.

Posted by Anonymous

[2009-06-22T09:59:02.084-05:00]
If anyone has bothered to read this far, I believe the article makes some good points but misses the biggest:

Security is a process, not an event or product.

That process is easier with *nix.

Posted by Anonymous

[2009-06-22T08:33:50.835-05:00]
@PV

Mac OS X is built off of BSD and as such carries many of the same ideologies as *nix does, therefore I think it is, for the most part, safe to say that it will be secure even out of obscurity. Yes, there are still some flaws that creep in - it was vulnerable to the same Java flaw that Linux was for far longer than it should have been, but that should be proof that they are pretty secure.

Yes there have been a couple trojans, but they were carried through pirated software that required the users to enter their password to install - stupid user tricks that will compromise any *nix, Windows, or OS X box.

You also sign over rights in the EULA, but as far as a mainstream for profit OS goes it is still leaps and bounds more secure out of the box than Windows is.

Posted by Reid (https://www.blogger.com/profile/17941547888370418705)

[2009-06-22T06:22:13.498-05:00]
These are (some of) the decisions that made Windows the reed basket of sea faring ships.

1 Graphical applications have direct access to hardware and effectively have administrative privileges

2 Any browser will run ActiveX downloads with Administrator Privileges. What root password? Simply click yes.

3 Internal communication between OS components goes over network port numbers (yes it really does), making them instantly available to the world

4 Email JavaScript is executed, as are any attachments if opened. The same in IE.

5 All applications settings are done in the Registry, which requires Administrative rights.
This is not necessary anymore, but there are still too many applications that do this.

As an exercise to the reader, equate any of the security problems below to the decisions above.

Problem:
Why does Windows alone among the OSes, and only Windows, have viruses?

There are no viruses KNOWN to any version of *nix. That is not quite true, Mac OSX saw its first virus in February 2006:
http://www.sophos.com/pressoffice/news/articles/2006/02/macosxleap.html
Still, I have never seen a Mac virus in my life, and never heard of them outside obscure AV vendor sites.

Problem:
Drive by javascript attacks.
Why are they Windows only?

Problem:
Why do I need a personal firewall for Windows only?
Under Linux and OSX, you do not need a firewall because you will not open ANY service to the network.

Winter

Posted by Anonymous

[2009-06-21T11:27:46.765-05:00]
Time to get all hardcore about the evils
of Mafia Soft!

http://www.groklaw.net/article.php?story=20090619161307529

Up with this the Colonel will not put!

Time to kick butt and take names! The
Colonel has the pencil.

Thanks for shaking their cage Ken.

Posted by Colonel Panik

[2009-06-21T02:55:03.165-05:00]
"They have so little faith in the Windows product that the default answer for absolutely everything (even minor issues) is to completely wipe the system FIRST. Without hesitation."

That's a different issue altogether, though. Especially from an OEM's standpoint. As a former tier-2 agent of a major OEM, I can attest to that.

It costs the OEM nothing for a customer to perform an FFR (full format and recovery) on their system. However, it can cost them in excess of $200 in shipping costs alone for "in warranty" repair service.
That's why formats are required before depot service can be rendered.

Posted by Unknown (https://www.blogger.com/profile/02243943312135037925)

[2009-06-20T18:04:14.673-05:00]
Security is a virtue, either you practice it or you do not. The operating system is not the answer. However, I still feel a lot safer running Linux than I ever did running windows. I believe it is a mistake to promote Linux on the issue of security. That is after all, the user's responsibility. Instead we should make an issue of what the GPL was created to protect, our rights.
Unfortunately this is harder to convey to people, especially when they view their computer as an appliance and not what it is, a general purpose programmable computer.

Posted by Anonymous

[2009-06-20T15:07:23.805-05:00]
It's funny, this blog has made me hyper-aware of the whole Microsoft support "ecosystem".

I'm a hardware noob and the last time I needed support I had to *argue* with the "certified expert" that I was experiencing a video hardware issue and not a Windows problem. He still wiped my system completely and claimed it was fixed only for me to prove him wrong when it crashed again. A new video card fixed the problem instantly. He didn't even try.

They have so little faith in the Windows product that the default answer for *absolutely everything* (even minor issues) is to completely wipe the system FIRST. Without hesitation.

It's like cutting off your arm to treat a bee sting.

Further proof - MS support techs will recommend that your system needs to be wiped at least twice a year to remain functional. One book I read recommended every 4 months! That's insanity! Who buys into a system like that?

Posted by Anonymous

[2009-06-20T07:40:22.694-05:00]
Ken, well done. I find it extremely amusing that some of your detractors use "proof" as ridiculous as your original premise. What they are doing is basically explaining to us that they have so much emotional time and energy invested in Windows that they will resort to nasty comments and half-baked arguments to try to justify their allegiance. As a 17 year system admin, I can't find any that, to your point, succeeded. There are however some valid points about user responsibility.
I might suggest a future article on how to sensibly secure a Linux machine. Surely you don't have to jump through the hoops we do that administer IIS.

You mentioned the space shuttle. There are a number of Linux and Open Source mission critical apps that run on the shuttles. My best justification for using Linux apps there can be found in twisting an old movie blurb:

"In Space, there's no one there to reboot"

Again Ken, well done.

John

Posted by Anonymous

[2009-06-20T06:24:02.021-05:00]
"Oh yeah...well Linux is only secure *for idiots* because no *idiots* use it. You just wait until the *idiots* think it's worth messing with, then you'll see."

The truth is that the inherent security of linux vs that of windows is only of secondary importance.

It IS possible to keep windows secure without using any additional software like a firewall or virus scanner (provided that there's a firewall somewhere in the network between your computer and the big bad internet), BUT you have to be pretty bright and paranoid and never sleepy. The thing is, it requires 100 times the intelligence needed to install Linux. And if you're paranoid enough to do it you probably run OpenBSD anyway ;P .

On the other hand, put an idiot with the root password behind a Linux computer, and you have root. Never mind you don't even need root to be able to do terrible things. And let's face it, we all have our idiot moments sometimes.

Step one, convince user to run a command:

Send out a "tell your friends" message saying "you'll get a dancing penguins screensaver if you press alt-f2 then type this code...". Or solve a common problem and hide your command somewhere in a script you post to ubuntuforums.
Or...

It's pretty easy to hide what a command really does and make it look like something different. Beware of `something` (backticks) and $(something), these are usually hints that a decrypt-then-execute is performed by a command, but they have legitimate uses and I'm sure there are other ways to get the same effect.

Optional step 2: modify user configuration files so your code gets wrapped around su, sudo and their graphical equivalents.

The point of all this is, once the idiots who now say linux is secure because it's not widely used on the desktop start using linux, it's very likely these same people WILL get viruses and other malware, and then say "I told you so".

Trying to explain security to people who clearly are too dumb to understand it is just a waste of time, and potentially harmful because they'll expect "linux magic" to protect them from their own stupidity, after which they'll badmouth linux when things don't work that way...

Posted by The Nat

[2009-06-20T06:11:00.168-05:00]
imo the repo style of installing things in linux is the biggest advantage (about virus that is) for "linux on desktop".

Posted by Anonymous

[2009-06-20T04:00:29.022-05:00]
"kind of like the first digital STD's"

Far from the first. Computer viri [not virii] are at least as old as 1982—when Rich Skrenta devised a practical joke that attached itself to Apple DOS (and soon got out of control).

"Vista actually did implement a stringent Root account system."

Which has existed in all of the NT based versions of Windows (incl XP and 2k).
Vista is simply the first version to configure it correctly out of the box.

It's a good thing, in either case. But even in a unixoid OS, it doesn't save you from bad administration. How many people out there (raise your hands) have sudo configured not to require a password? Indeed, many distros configure it that way out of the box! This puts any programme (even a script) running in the context of a normal user no more than a shell command away from root privs—and free rein of the system. All you need is a remote code execution vulnerability. Owned.

Probably the biggest security threat to a unixoid system is its keeper thinking that they have nothing to worry about.

Posted by Anonymous

[2009-06-20T03:21:54.762-05:00]
I mis-typed one of the sources above. That is getdeb.net sorry
h

Posted by Anonymous (https://www.blogger.com/profile/13978117986484281976)

[2009-06-20T03:15:41.212-05:00]
That's a good question and one that deserves some attention.

There is always sourceforge. Sourceforge is the clearinghouse for all free software (some refer to it as open source). That particular source is probably just as safe as your own repositories. I've downloaded binaries and source from there for 4 years and never had a problem.

Another almost sure bet of clean software is Softpedia.com. They carry an extensive array of Linux applications and again, I've used them for years without incident.

Remember, no one posts code anonymously...they may lie about who they are but never anonymously.
Brand new coders or submitters tend to be scrutinized harshly until they have "proven" themselves so the checks and balances are strongly in favor of no bad stuff in most places like this.

Another good source is from your own forums. Often, distros have little known public repositories that house apps that haven't yet made it into the official repositories. Those are also a good place to go for stuff that isn't in your official repos.

You can also go to getdeb.org and rpmfind.com to get your applications that are not housed in the official repos. Those are a lead-pipe cinch to be clean of any malicious code.

That was a good question and I'm glad you asked. I am sure I missed some sources so you other folks in the know might want to add to what I've supplied.

h

Posted by Anonymous (https://www.blogger.com/profile/13978117986484281976)

[2009-06-20T03:06:18.351-05:00]
As a relative newcomer to Linux, I'm always looking for equivalents to programs that I used to use under Windows. If I find out about some interesting software, then where possible, I use the version supplied in the repos. However, not all Linux software is available from the "official" repos or, if it is, may not be the most current version. In the last few months I've noticed a number of websites appearing where you can download pre-packaged binaries and even install them directly from within Firefox.
Since there is no guarantee that these packages were compiled from the official source, do other people (like me) see these websites as a real vector for the introduction of malware into a Linux system (since the user is deliberately downloading and installing what they believe to be a legitimate package)?

Posted by CrispBacon

[2009-06-20T02:19:12.376-05:00]
you'd think _any_ windows user who is also a virus programmer, would be sick of linux users saying "the os virus to population issue, is a myth" you'd think that that windows user, also programmer, would love to see his name immortalized as a genius who shut all the li-nutters up. we linux users have all been waiting for some time, for that genius to come along. either he doesn't exist or linux is secure. until it happens, windows users need to put up or shut up.

Posted by seriouslycgi (https://www.blogger.com/profile/08991027358116019474)

[2009-06-20T01:50:14.559-05:00]
One point that seemed to be missed by those saying Linux is not secure. In any properly configured installation, the root password is required to install programs, and also to edit system files. Most of the distros that I have tried/used are this way. Maybe there are ways around that, I don't know. But, with most programs in Linux being installed from secure repositories, and requiring root access to install things, these 2 things alone make Linux much more secure than Windows.

Up until Vista, there was practically no security in Windows at all. Vista had many problems, one being that the UAC was so annoying and intrusive that most people just turned it off.
Other security problems with Windows are Active X, the fact that programs can install files to system folders (thus sometimes overwriting system files), and I could go on.

Oh, and on ANY system, users should regularly back up important data.

Posted by Anonymous