Linux Security Discussion

snoopy
DBB Benefactor
Posts: 4435
Joined: Thu Sep 02, 1999 2:01 am

Linux Security Discussion

Post by snoopy »

I made a new thread b/c I didn't think it belonged in the windowing D3 discussion, but I wanted to comment.

Bottom line, I think that for Linux security:

The many eyes theory is correct and does apply. Security holes are more likely to be identified and will more quickly be addressed in an active open source community.

The underlying kernel & user privileges model is more secure.

The underlying concept of fine-grained administrator control can potentially yield the most security.

At the end of the day, any system is exploitable given the proper time & resources.
Arch Linux x86-64, Openbox
"We'll just set a new course for that empty region over there, near that blackish, holeish thing. " Zapp Brannigan
Isaac
DBB Artist
Posts: 7652
Joined: Mon Aug 01, 2005 8:47 am
Location: 🍕

Re: Linux Security Discussion

Post by Isaac »

Yup. Agreed 100%. I'd like to add, I can easily tell when I'm getting attacked in the logs. Is there an equivalent to /var/log/auth.log in Windows by default?
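Isaac's point about reading attacks straight out of /var/log/auth.log, as an added example that is not part of the thread: the script below parses the sshd lines rsyslog writes there, counts failed passwords per source address, lists the usernames each source tried, and flags the one event actually worth an alert, an accepted login from an address that had been failing just before. The log lines are constructed for the example (hostname, PIDs and users are made up; the addresses come from the RFC 5737 documentation ranges), and the threshold of three failures is an arbitrary choice.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the format sshd logs to /var/log/auth.log via rsyslog
# (timestamp, host, process[pid], message). Host, PIDs and users are made up;
# 203.0.113.0/24, 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 12 03:14:09 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Jan 12 03:14:11 web1 sshd[2212]: Invalid user oracle from 203.0.113.7 port 41044
Jan 12 03:14:12 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.7 port 41044 ssh2
Jan 12 03:14:15 web1 sshd[2214]: Failed password for root from 203.0.113.7 port 41050 ssh2
Jan 12 03:14:30 web1 sshd[2220]: Failed password for bob from 192.0.2.44 port 53010 ssh2
Jan 12 03:14:35 web1 sshd[2220]: Accepted password for bob from 192.0.2.44 port 53010 ssh2
Jan 12 03:15:01 web1 sshd[2231]: Accepted publickey for alice from 198.51.100.5 port 50122 ssh2: ED25519 SHA256:abc
Jan 12 03:16:40 web1 sshd[2250]: Accepted password for root from 203.0.113.7 port 41200 ssh2
Jan 12 03:16:41 web1 CRON[2260]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "Failed password for [invalid user] <user> from <ip> port ..." is one attempt.
# The separate "Invalid user ... from ..." line for an unknown account is not
# counted, so each wrong password is counted exactly once.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port"
)


def analyze_auth_log(text, threshold=3):
    """Summarize sshd activity: failures per source, usernames each source tried,
    sources at or over the brute-force threshold, and any accepted login from a
    source that had already failed (the alert that matters)."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    accepted_after_failures = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures.get(m["ip"], 0) > 0:
            accepted_after_failures.append(
                (m["ip"], m["user"], m["method"], failures[m["ip"]])
            )
    return {
        "failures": dict(failures),
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        "brute_force_sources": {ip: n for ip, n in failures.items() if n >= threshold},
        "accepted_after_failures": accepted_after_failures,
    }


def main(argv):
    # With a path argument, read that file; otherwise use the constructed sample.
    text = open(argv[1], errors="replace").read() if len(argv) > 1 else SAMPLE_AUTH_LOG
    report = analyze_auth_log(text)
    for ip, n in sorted(report["brute_force_sources"].items(), key=lambda kv: -kv[1]):
        print(f"brute force: {ip} {n} failures, users tried {report['users_tried'][ip]}")
    for ip, user, method, prior in report["accepted_after_failures"]:
        print(f"ALERT: {ip} logged in as {user} via {method} after {prior} failures")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 authlog_report.py /var/log/auth.log`. On a distro that logs only to the systemd journal (Arch, which snoopy runs, ships no syslog daemon by default), the same lines come out of `journalctl _COMM=sshd --no-pager`, which can be fed to the script through a temporary file. The typo-then-success case (bob) and the brute-force-then-success case (root from 203.0.113.7) both land in the same list; the prior-failure count is what separates them.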
roncli
DBB Ace
Posts: 141
Joined: Thu Jun 27, 2002 2:01 am
Location: Houston, TX

Re: Linux Security Discussion

Post by roncli »

Event Log. Not nearly as versatile.
Krom
DBB Database Master
Posts: 16042
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?

Re: Linux Security Discussion

Post by Krom »

20-30 years ago malicious programmers wrote viruses just to see if they could do it, or for no other reason than just to cause trouble, or other rather pointless/egotistical reasons, so the targets they picked were basically at random. However, today the vast majority of malware writers are in it for the money. They can make money by stealing identity information, or by using the machines to make fraudulent clicks on advertising networks, or by attempting to hold the data on the infected computer as ransom. The more computers they can infect with their malware, the more money they can potentially earn, which makes Windows the #1 target when attacking traditional desktop PCs. Linux has such a small market share that it isn't even a serious target, so people can't really say one way or another how secure Linux is, because it hasn't really been tested.

I remember a few years ago seeing ads for Apple Macintosh computers, and one of the claims was that people wouldn't have to worry about viruses and how OSX had stronger security than Windows. Well that all fell apart a couple years ago thanks to Flashback and a few other network worms that cut through OSX security like it wasn't there at all (which was actually an alarmingly accurate description) and it took several repeated patches to finally get it under control.

While people like to joke about how bad security is in Windows, at recent hacking conventions usually the Apple and Linux boxes are the first to fall. The stuff that hits on Windows boxes these days is usually exploits on the software that runs on top of Windows (such as the browser, or a plugin/etc) and the reason is simple: Windows has been hardened to the extent that cracking it is generally more expensive, difficult and time consuming than it is worth.

So basically you can't call an operating system secure until it can reliably repel the kind of constant assault that Windows has been under for over a decade now, and so far nobody (not even Windows) has managed to pull that one off.

Now if you will excuse me, I have to reboot for the first time in a month because yesterday was Patch Tuesday... -_-
Jeff250
DBB Master
Posts: 6514
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Re: Linux Security Discussion

Post by Jeff250 »

I don't think that the argument that desktop Linux isn't as popular as Windows is sufficient to explain why it gets virtually no malware. For instance, this doesn't apply to other types of programs. A nontrivial percentage of games are ported to Linux, so why isn't a nontrivial percentage of malware?

I think that the characteristics of each OS's user base are an important factor. For instance, the Linux user base is, on average, much more tech-savvy than the Windows user base, and a Windows user would be more likely to be tricked into running a malicious program. A Linux user who also has a Windows box probably doesn't have any malware on the Windows box either.
Krom
DBB Database Master
Posts: 16042
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?

Re: Linux Security Discussion

Post by Krom »

Yeah, that is definitely a contributing factor; a big portion of the malware installs I deal with usually boil down to user action, and no OS or antivirus suite is going to be able to protect the computer from that.
snoopy
DBB Benefactor
Posts: 4435
Joined: Thu Sep 02, 1999 2:01 am

Re: Linux Security Discussion

Post by snoopy »

Another argument that I saw is based on application diversity, but I suppose it can cut both ways.

The diversity found in Linux makes it more likely that a particular attack vector will only work on a sub-population of the user base, not necessarily the whole.

I do think that Jeff has hit on the primary factor for user-level devices: usually it's easier to get the user to do what you want than it is to get the computer to comply on its own. Smarter users = fewer problems. Windows' philosophy is to patch all the air leaks. The Linux philosophy is to yell at you saying, "you might be opening an air leak here!"

On an enterprise/data server level that isn't so true... but I think it's also less true (if at all) that windows is more attack-hardened.
Heretic
DBB Admiral
Posts: 1449
Joined: Wed Apr 14, 2010 6:54 pm
Location: Why no Krom I didn't know you can have 100 characters in this box.

Re: Linux Security Discussion

Post by Heretic »

May I ask why Linux has the slowest time in patching zero day exploits?
"More responsibility falls onto security staff to stay on top of zero-day attacks. Software developers vary greatly in their ability to respond and patch zero-day vulnerabilities. In this study, the Linux platform had the worst response time, with almost three years on average from initial vulnerability to patch."
http://www2.trustwave.com/rs/trustwave/ ... igital.pdf
Jeff250
DBB Master
Posts: 6514
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Re: Linux Security Discussion

Post by Jeff250 »

snoopy wrote: Another argument that I saw is based on application diversity, but I suppose it can cut both ways.

The diversity found in Linux makes it more likely that a particular attack vector will only work on a sub-population of the user base, not necessarily the whole.
Right--for instance, distros tend to use different versions of PHP and compile them with different versions of GCC, so PHP's memory layout won't be the same across distros.
Heretic wrote: May I ask why Linux has the slowest time in patching zero day exploits?
Hard to say given that the authors give no explanation for this claim. Usually claims like these are using fast and loose definitions of linux, e.g., anything in any of the software repositories. It would be like calling Windows everything on download.com or OS X everything in the Apple store.
Krom
DBB Database Master
Posts: 16042
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?

Re: Linux Security Discussion

Post by Krom »

Yeah, the fragmentation in Linux is a double-edged sword: it limits the scope of many potential exploits, but could also require significant duplication of effort to completely patch a vulnerability in all distributions/configurations. So rather than saying it takes 3 years for a zero-day exploit on Linux to get patched, more likely what is going on is that the main branch of whatever is vulnerable is patched almost immediately, but it takes upwards of 3 years for that patch to filter through to the potentially hundreds of other branches that could exist (and some of the branches might not even be vulnerable from the start).

The fragmentation probably makes patching vulnerabilities a pain in the ass, but at least on the upside it also probably makes actually exploiting them just as much of a pain in the ass.
Jeff250
DBB Master
Posts: 6514
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Re: Linux Security Discussion

Post by Jeff250 »

Packages in the Ubuntu "main" repository (e.g., Firefox, the LAMP stack, etc.) get patched fairly quickly (on the order of days) after the corresponding upstream release. For packages in the "universe" or "multiverse" repositories, Ubuntu doesn't promise to keep these up to date with patches (although for many packages they still do), so for many of these packages, it isn't even "three years" but "never" until they are patched.
Sirius
DBB Master
Posts: 5616
Joined: Fri May 28, 1999 2:01 am
Location: Bellevue, WA

Re: Linux Security Discussion

Post by Sirius »

There was some recent study/data analysis/something similar - I think commissioned by MS but I'm not totally sure - that found that the lesser-developed nations had a higher prevalence of malware infections. Seemed like just about a linear scale - western world with the fewest, BRIC in the middle, Africa and the likes with the most.

Of course, that could mean any number of things, but I'd guess it's an education and thus computer literacy phenomenon. If it is, it'd back up Jeff's point - the demographic that runs Linux as a desktop OS pretty much registers on the nerd quotient scale about where the demographic that develops games registers on the gamer skill quotient scale. They might not always be like that, but on average, they're pretty far up there... and those people are hard to dupe into getting infected. Or social engineering attacks, which are generally the most effective in the first place.

The one thing I have no real idea about is whether Linux is more secure than Windows or vice versa though :mrgreen: From what I've read above, there seem to be both pros and cons to their approaches, but when you add them all up... well, actually, maybe Linux should come out ahead? You're targeting a more fragmented ecosystem largely filled with fish that won't bite, so who's going to bother?

Anyway, doesn't really matter much to me; both take security pretty seriously and you're fairly safe with either as long as you know what you're doing. Even back in the inglorious days of Win9x I only recall getting infected once (and that was my fault; e-mail worm).

Ahh, 9x. Were ActiveX controls enabled by default then? If they were, all it'd take is one rogue webpage and someone could take over your computer without even having to bypass, y'know, security measures. Unsigned binary? They probably all were anyway. Sandboxes? What's that? Elevation of privileges? Who are you kidding, you already have them all. Worse, no kernel/user mode separation, so once your code is running, you have complete control over the hardware, all the memory, interrupts... could pretty much stop the OS even seeing the CPU if you wanted. Good times. :mrgreen:
Isaac
DBB Artist
Posts: 7652
Joined: Mon Aug 01, 2005 8:47 am
Location: 🍕

Re: Linux Security Discussion

Post by Isaac »

Malware in the Linux community will never really work as it did with Windows.

If I were to write malware for Linux, it would have to be done by making my program into a deb. So I would have to convince Ubuntu users to download my app. I could do this by writing a tutorial on something and having my app be a step in the process. Easy, but there's a problem.

The newest Ubuntu users would rely on the standard repos (Think of an app store where everything is free), which kind of has everything general users need. Advanced users would probably never bother with my malicious tutorial, so that cuts them out. Moderately experienced Ubuntu users, like me, would rely on the big forums for ways to do things, so my little tutorial won't snag very many of those.

Once an advanced user finds my tutorial they will identify it as a threat and post about it.
Krom
DBB Database Master
Posts: 16042
Joined: Sun Nov 29, 1998 3:01 am
Location: Camping the energy center. BTW, did you know you can have up to 100 characters in this location box?

Re: Linux Security Discussion

Post by Krom »

I'm not sure that really counts as praise for the OS, since what you are basically saying is that installing stuff on Linux is so complicated that stupid people can't do it... But besides that, that isn't really a security feature, it just brings us back to Jeff's earlier post about the average skill level of the user base. Advanced Linux users would be just as unlikely to get tricked into installing malware on a Windows box.

And all that is assuming you couldn't just find some vector that would let you craft an attack page or network worm that would infect the machine without requiring any user action other than browsing the page or just being connected to the network.
Jeff250
DBB Master
Posts: 6514
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Re: Linux Security Discussion

Post by Jeff250 »

Double-clicking a *.deb file is just as easy/dangerous as double-clicking an *.exe!

I was using Google Hangouts the other day, and they had me install their plugin via a *.deb. I trusted the download, since it was from Google's domain and via https, but for a lay user, it could have just as well been any site requesting I do that.

What's worse is that a *.deb file has no built-in digital signature apparatus, so there's no way to determine from looking solely at the *.deb that it's from whom it claims to be from.
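Jeff's point that nothing inside a *.deb tells you who it came from, as an added example that is not part of the thread: a .deb is an `ar` archive holding `debian-binary`, a control tarball and a data tarball, and the `Maintainer:` field in the control file is free text that anyone can write. The inspector below parses the archive format, pulls out the control fields, reports whether any of the extra `_gpg*` members that dpkg-sig/debsigs add are present (stock dpkg neither creates nor checks them), and verifies the file against a digest published out of band. The package it builds is a constructed stand-in named `example-plugin` with a made-up maintainer, not Google's plugin or any real package; the only trust anchor in the whole exercise is the digest you obtained over a channel you already trust, which is the same role the signed `Release`/`InRelease` file plays for an apt repository or PPA.

```python
import hashlib
import hmac
import io
import sys
import tarfile

AR_MAGIC = b"!<arch>\n"


def _ar_member(name, data, mtime=0):
    """One 60-byte header plus payload in the common ar format that .deb uses."""
    if len(name) > 16:
        raise ValueError("ar member names are limited to 16 bytes in this format")
    # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) terminator(2)
    header = f"{name:<16}{mtime:<12d}{0:<6d}{0:<6d}{0o100644:<8o}{len(data):<10d}".encode("ascii")
    header += b"`\n"
    return header + data + (b"\n" if len(data) % 2 else b"")  # members are 2-byte aligned


def build_ar(members):
    return AR_MAGIC + b"".join(_ar_member(n, d) for n, d in members)


def parse_ar(blob):
    """Return [(name, payload)] for each member; raises ValueError on malformed input."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        header = blob[pos:pos + 60]
        if len(header) < 60 or header[58:60] != b"`\n":
            raise ValueError(f"bad ar header at offset {pos}")
        name = header[0:16].decode("ascii").rstrip().rstrip("/")  # GNU ar appends '/'
        size = int(header[48:58])
        data = blob[pos + 60:pos + 60 + size]
        if len(data) != size:
            raise ValueError(f"truncated member {name!r}")
        members.append((name, data))
        pos += 60 + size + (size % 2)
    return members


def _tar_gz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb(maintainer="Example Maintainer <maintainer@example.com>", extra_members=()):
    """Constructed stand-in for a downloaded .deb (hypothetical package 'example-plugin')."""
    control = (f"Package: example-plugin\nVersion: 1.0-1\nArchitecture: all\n"
               f"Maintainer: {maintainer}\nDescription: constructed sample package\n").encode()
    members = [
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _tar_gz({"./control": control})),
        ("data.tar.gz", _tar_gz({"./usr/share/doc/example-plugin/README": b"sample payload\n"})),
    ]
    return build_ar(members + list(extra_members))


def inspect_deb(blob):
    members = parse_ar(blob)
    names = [n for n, _ in members]
    if not names or names[0] != "debian-binary":
        raise ValueError("first member must be debian-binary")
    control = {}
    for name, data in members:
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
                for m in tf.getmembers():
                    if m.name.lstrip("./") == "control":
                        text = tf.extractfile(m).read().decode()
                        for line in text.splitlines():
                            if ":" in line and not line.startswith(" "):  # no folded fields here
                                k, v = line.split(":", 1)
                                control[k.strip()] = v.strip()
    return {
        "members": names,
        "format_version": dict(members)["debian-binary"].decode().strip(),
        "control": control,            # Maintainer etc. are unauthenticated claims
        "signature_members": [n for n in names if n.startswith("_gpg")],
        "sha256": hashlib.sha256(blob).hexdigest(),
    }


def verify_digest(blob, published_sha256_hex):
    """Compare against a digest obtained from a source you already trust."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), published_sha256_hex.lower())


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_deb()
    for key, value in inspect_deb(blob).items():
        print(f"{key}: {value}")
```

Point it at any real package with `python3 deb_inspect.py foo.deb`. The `Maintainer:` line it prints is whatever the packager typed, so a download that says it is from a well-known vendor proves nothing by itself; `signature_members` is empty for almost every package in the wild, and the useful check is `verify_digest` against a hash you got somewhere other than the page that served the file.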
Isaac
DBB Artist
Posts: 7652
Joined: Mon Aug 01, 2005 8:47 am
Location: 🍕

Re: Linux Security Discussion

Post by Isaac »

Krom, I'm not calling them stupid. That's just the behavior I see.

Every person I move to Ubuntu uses the repos for everything they need. If they need something extra, I do it for them. But the fact that repos are easy to use keeps new users away from random websites.
Top Gun
DBB Master
Posts: 8020
Joined: Wed Nov 13, 2002 3:01 am

Re: Linux Security Discussion

Post by Top Gun »

I've been going through hell and back over the past few days trying to get an Ubuntu install up and running (just for the sake of a silly TF2 item), and as part of my travails, I had to utilize a PPA set up by a cool dude that fixed an issue with a Catalyst driver. Now this thing was referenced and recommended all over the place on official Ubuntu sites, so I knew it was legit, but if that wasn't the case, I'm sure I could have easily grabbed something that would royally screw over my system.
Jeff250
DBB Master
Posts: 6514
Joined: Sun Sep 05, 1999 2:01 am
Location: ❄️❄️❄️

Re: Linux Security Discussion

Post by Jeff250 »

Did you do this?

https://wiki.ubuntu.com/Valve#AMD.2BAC8-ATI_Graphics

(Most people once they switch to linux just stop buying ATI.)