
The worm that didn't turn up (Guardian)

Here's a column in the Guardian from a writer who had no trouble with the latest worm episode. "How have I achieved this blissful freedom? Simple: by using only computers running Apple or Linux software. No special geeky skills required - just common sense and a desire to avoid pain. For six years, I have enjoyed all the benefits of networked computing without experiencing any of the downsides."


The worm that didn't turn up (Guardian)

Posted Aug 21, 2005 16:37 UTC (Sun) by pointwood (guest, #2814) [Link]

I like the last paragraph :)

The worm that didn't turn up (Guardian)

Posted Aug 21, 2005 19:05 UTC (Sun) by mormop (guest, #13775) [Link] (1 responses)

I have a simpler philosophy. If I have friends and relatives who use
Linux, I tend to hear from them rarely enough (on tech subjects) for me to
help out. If I have friends or relatives who run Windows, I charge £20 an
hour.

Removing the latest malware pays enough to compensate me for the bite
marks on my tongue.

The worm that didn't turn up (Guardian)

Posted Aug 22, 2005 7:41 UTC (Mon) by janpla (guest, #11093) [Link]

Yes, you can see why there are some that really don't want everybody to switch to a sensible OS; they would suddenly be without a job.

I avoided the worm too

Posted Aug 22, 2005 10:11 UTC (Mon) by etymxris (guest, #30811) [Link] (2 responses)

I avoided the worm because everything I have is behind a NAT. I was running a hacked Linux box several years ago for months without realizing it. That box wasn't behind a NAT.

I'm an avid fan of Linux and use it as my primary OS (work requires Windows), but every OS has its vulnerabilities. I prefer Linux not because of its security, but because of its open philosophy. Linux could be less secure and I'd still use it.

NAT is not a Security Feature

Posted Aug 22, 2005 14:47 UTC (Mon) by AnswerGuy (guest, #1256) [Link]

Many worms work just fine through a NAT or proxy (as some of them can
exploit bugs in the clients behind the firewall).

A Linux box is not inherently any more secure behind a NAT (network address translation) router than it was on a publicly routable address if you simply limit the open (listening) ports and the range of source addresses which are allowed to access specific services.

Yes there are many people who have had their Linux box "rooted." Often they haven't detected the compromise for a long time. However, I can say from long experience, that Linux has made significant improvements over the last few years. After the days of Ramen, Adore and Lion we've found that Linux worms and remotely exploitable arbitrary code and root vulnerabilities are getting to be far less common and somewhat more difficult to exploit.

As the mainstream distributions integrate more kernel hardening features (like SELinux, much as I detest its complexity; and systrace, the grsecurity patches, etc) then things should continue to improve.

Convincing the major distributors to further encourage better security with better defaults, guided installation and configuration dialogs, and some additional packages should also help.

All major distributions should ship with chkrootkit and/or rkhunter and bastille. They should default to installing and configuring them (or at least recommending them and requiring a user/admin to specifically reject them).

ssh continues to be one of the scariest vectors for possible vulnerabilities. It's ubiquitous and privileged. It would be vastly better for ssh to be more locked down by distributors in their default configurations. I routinely configure sshd to limit the allowed source addresses (both using its own TCP wrappers entries in /etc/hosts.allow and using appropriate iptables rules). I also require that all connections have pre-shared host keys and that all users have keys (no passwords allowed). I sometimes set up specific gateway systems where I loosen these restrictions a bit; but the tighter configuration is the default.

Recently I've been seriously considering using a port-knocking configuration on systems that need to have a more open ssh daemon. This would allow any authorized user, from anywhere, just using a password --- but only after they sent the right combination of blind connection requests.

The idea of all these measures is to limit the visibility to port scanning and brute force while still permitting remote administration.

JimD
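A sketch of checking the posture JimD's comment describes (key-only logins, sshd reachable only from named sources in both hosts.allow and iptables), as an added example that is not part of the thread. The `audit` and `sshd_globals` names and all sample inputs are constructed here, and it assumes hosts.deny rejects whatever hosts.allow does not match.

```python
import shlex

def sshd_globals(text):
    """Global sshd_config keywords; sshd uses the first value it reads."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":   # Match blocks are not evaluated here
            break
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen

def audit(sshd_config, hosts_allow, iptables_save, port="22"):
    """Return a list of findings; an empty list means the posture holds."""
    out, cfg = [], sshd_globals(sshd_config)
    if cfg.get("passwordauthentication", "yes") != "no":      # default: yes
        out.append("sshd: password logins allowed")
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbd != "no":                    # PAM can still prompt for a password
        out.append("sshd: keyboard-interactive logins allowed")
    # hosts.allow lines are "daemon_list : client_list"; IPv4 entries only
    clients = []
    for line in hosts_allow.splitlines():
        f = [x.strip() for x in line.split("#", 1)[0].split(":")]
        if len(f) >= 2 and "sshd" in f[0].replace(",", " ").split():
            clients += f[1].replace(",", " ").split()
    if not clients or "ALL" in clients:
        out.append("hosts.allow: sshd not limited to named sources")
    # iptables-save format: an ACCEPT for the ssh port must carry -s/--source
    for line in iptables_save.splitlines():
        t = shlex.split(line)
        if (t[:2] == ["-A", "INPUT"] and "ACCEPT" in t and "--dport" in t
                and t[t.index("--dport") + 1:][:1] == [port]
                and not {"-s", "--source"} & set(t)):
            out.append("iptables: port %s accepted from any source" % port)
    return out

# Constructed sample inputs (documentation address ranges, not real hosts)
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n",
            "sshd: 192.0.2.0/255.255.255.0\n",
            "-A INPUT -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT\n")
DEFAULTS = ("#PasswordAuthentication yes\nPasswordAuthentication yes\n"
            "PasswordAuthentication no\n",      # too late: first value wins
            "sshd: ALL\n",
            "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n")

if __name__ == "__main__":
    print(audit(*HARDENED))
    print(audit(*DEFAULTS))
```

Upstream OpenSSH removed TCP wrappers support in release 6.7, so on current systems the hosts.allow check only applies to builds that patch it back in; the sshd_config and iptables checks are unaffected.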

I avoided the worm too

Posted Aug 22, 2005 19:14 UTC (Mon) by job (guest, #670) [Link]

Most MS Windows worms are spread via Active X or executing code on the
client using holes in Outlook, Internet Explorer or the Office programs.
Using NAT doesn't help one bit against that. It is also a false sense of
security to use NAT or firewalls to protect a larger network, since the
first infected laptop to enter the network will infect everyone else.
This is often the case with big corporate networks that may be very
locked down at the gateway but wide open inside.

Security Through Obscurity

Posted Aug 22, 2005 10:20 UTC (Mon) by Felix.Braun (guest, #3032) [Link] (2 responses)

I can't help but think that this sort of testimonial is a double-edged sword: While it is good to remind everybody that there are viable alternatives to the mainstream Windows desktop, this article makes it seem as if by making the switch to one of these alternatives, all troubles will automatically cease "no special geeky skills required".

In my opinion this is not true. Computers are complex beasts. Getting security right is difficult and using Linux or other Free software is no silver bullet. Conversely, with a decent understanding of the issues involved, it is perfectly possible to run a stable and secure system on Windows.

The advantage that Linux does have (don't know about MacOS) is that the underlying system architecture has been designed with security in mind, so that it can be made more difficult by the system administrator or distributor to mess things up. In my experience this is not true of Windows. The default install requires lots more tweaking to become a secure and controllable environment.

However, if new users make the switch to an alternative OS believing that this will magically fix all their problems, they will be disappointed.

You're safer playing with a play-it-safe crowd

Posted Aug 23, 2005 0:05 UTC (Tue) by xoddam (subscriber, #2322) [Link]

> using Linux or other Free software is no silver bullet.

True, but the fact that the free software ecosystem is inhabited
largely by security-conscious administrators and more secure
default configurations means that the chance of being compromised
will remain much smaller if you're running such a system. I
reckon this will continue to be true even as free software becomes
a preferred choice; population is significant but perhaps not the
most important variable.

It's like immunisation. As long as a large proportion of the
population is immunised against the old plagues, the incidence
is minuscule; a minority of parents can choose not to inoculate
their children and get away with it. But as the proportion of
unprotected children in schools and kindergartens approaches a
critical mass, epidemics become increasingly likely to recur.


Security Through Obscurity

Posted Aug 26, 2005 16:31 UTC (Fri) by giraffedata (guest, #1954) [Link]

> The advantage that Linux does have (don't know about MacOS) is that the underlying system architecture has been designed with security in mind,

I know it's an open question why worms are less of a problem for Linux, but I think I have to rule out security-conscious design. It can't be that because it doesn't matter how many security holes there are; one is enough. And Linux does occasionally have them. We read in LWN all the time about Linux bugs that allow someone to take over virtually everybody's Linux system, but it never happens.

Another theory of Linux's superiority is that Linux users are more likely than Windows users to apply the fixes before someone can exploit them. One fact in support of that is that, regardless of how many security flaws there are in Windows, nearly all Windows worm infections wouldn't happen if all the Windows systems were up to date (i.e. the fix was available before the infection). That makes it look like a problem of applying fixes, not of existence of bugs that need to be fixed.


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds