Linux Security

Discussion topics, Linux related - not requests for help

Moderators: ChrisThornett, LXF moderators

Linux Security

Postby acraigon » Sat Oct 22, 2005 9:56 am

I have been using linux for a while now and have always rated it as a better operating system than windows. Recently our servers at work were attacked by a virus which caused the servers to close down and run slowly for approximately 3 weeks. I hasten to add that the servers were windows servers. I also add that I do not work in the IT section but as a mere Caretaker.
This incident got me thinking about Linux. We get the software for linux mostly free our virus scanners and system checkers can be downloaded for nothing. What is to stop the distributers of this software enclosing code that acts detrimentally towards the user. Unless you check every line of code it would be impossible to know what some pieces of software contain.
I guess windows operating systems could contain code that is dodgy but as you pay for this it is in the interest of microsoft to make sure the product is safe. Peoples identities are being stolen daily is Linux as secure as we all think?
acraigon
 
Posts: 26
Joined: Wed May 11, 2005 6:46 pm

RE: Linux Security

Postby RD » Sat Oct 22, 2005 10:15 am

Linux windows is only as secure as you make it!, while out of the box Linux tends to be more secure than windows it gets updated more often than windows too.
RD
LXF regular
 
Posts: 272
Joined: Mon Jul 25, 2005 2:53 am
Location: irc.ixl2.net

RE: Linux Security

Postby nordle » Sat Oct 22, 2005 6:54 pm

A lot of OSS is put out under the authors name, so generally its important for their rep not to put out ethically dodgy code.

Also, most people run distro's, so the packages are put together by the vendor who should hopefully be sticking to quality projects that have been around for a little while, or are at least well known.

I'd be far more conerned about closed source software, you say that Ms would unlikely do anything dodgy as they need to make a profit. The question you might ask is WHAT exactly are they prepared to do to protect that profit?!

Also, was there not a batch of XP SP2 on download from MS site which contained some nasty little viri? I vaguely remember something about it, not sure though, may have just been FUD spread by Linux zealots :)
I think, therefore I compile
User avatar
nordle
LXF regular
 
Posts: 1500
Joined: Fri Apr 08, 2005 9:56 pm

RE: Linux Security

Postby jjmac » Sun Oct 23, 2005 9:08 am

Howdy All :)

It does make me think of a post from the old site --==- not sure how relevant it be, but there seems to be a point somewhere here ... i'll have to dig up the post, i think iv'e probably got it saved somewhere ...

the basic gist was though -=-

A lecture/talk given by Mr Ken Thomson, --- on his experiences with during the early days of UNIX development ---

They applied a very simple smirf on their compiler, well ... simple for them at least that is :)

They designed a code unit whose purpose it was to replicate itself. But only in response to the certain recognitions. It was designed to recognise the "login" program, and also to recognise the compiler it self -=- on a source level. Once installed and compiled it became a kind of "built-in" function. Then the source for that could be removed from the main tree -=- and no one else would be the wiser -=- it is art (grin) -=- the pure simplicity of concept -=- (ouch.png)

The idea of course was to create a secret account, that was able to bypass the permission/security levels that would other wise bloke access. As a means of getting things done. After all, it was their project. And being locked out is not very helpful for the person who is actually trying to write the thing in the first place --- the pass-word was "kt" (grin) ... simple enough i suppose.

development <--> screwups <--> gotta get the work done --> makes sense :)

But --- as the the post pointed out, and as did Mr Thompson himself ... the code __was__ designed to perpetuate itself. And with a lose definition, qualifies as viral :)

A needed emergency way in, but they also wanted to hide it from collaborators, especially people from other companies -=- like ,,, general electric for one.

As Mr KT said (grin) ... I would never work for a company that has me for an employee (hehehe) ...

But -=- the point there, should be obvious -=- i'm kinda hoping so :) ...

Q: ???

What do you think about the "intel" Linux compiler -- !

Seems it benches out a bit in front of gcc ? hmmm -- does it ?, and what does that mean any way.

A bloke did write to the mag claiming a 10 hour saving on what used to take him 30 hours -=- hmmm, not sure if i'm prepared to believe that really, no offence to the mag, -=- i don't think i believe anything i read in mags .. besides, if it ain't on teletubs --- well, then i might believe it -=- ... maybe (grin)

Can a program ,, one that has the purpose of creating binary executables -=- that is ... executables, but also ... image and sound files, can a closed source expression actually be trusted in that context... !

One could always go and ask Darls opinion -=- but i think i can figure what that might just be :wink:



Just some Thoughts :)



jm

spell edi (1):
(it was a frameup boss ... (grin) )
Last edited by jjmac on Sun Nov 06, 2005 9:49 am, edited 1 time in total.
jjmac
LXF regular
 
Posts: 1996
Joined: Fri Apr 08, 2005 1:32 am
Location: Sydney, Australia

RE: Linux Security

Postby guy » Sun Oct 23, 2005 4:42 pm

The mantra of independent security experts is that the code must be open to scrutiny.
Any app that has significant security implications can then be (and usually is) well scrutinised by the community. There are indeed security geeks whose idea of a good time is to check every line of code (face it, it's quicker than writing the code was). It is then extremely difficult for the author to include nasty stuff.

Closed source software is not easily open to scrutiny, and on occasion commercial apps have been spotted illegally passing private information back to home base, for example. Even MS Word has been caught at it (MS pleaded a compile-time woopsie. Twice, IIRC. Of course we believe them). There have been other rumours about Windows, but since the code is not available, who can say? (and that's the problem).

Occasionally, some bad guy will modify someone else's code to do nasty things and drop it back onto the download site or a CD image. One might think that it is easier to pervert open-source stuff, but proprietary apps can be wrapped in something nasty too.

Similar arguments apply to things like exposing and patching vulnerabilities.

Therefore the most open platforms are theoretically the safest. That pretty much means GNU/BSD or GNU/Linux.
Cheers,
Guy
The eternal help vampire
User avatar
guy
LXF regular
 
Posts: 1086
Joined: Thu Apr 07, 2005 12:07 pm
Location: Worcestershire

Re: Linux Security

Postby CJLL » Sun Oct 23, 2005 5:12 pm

acraigon wrote:We get the software for linux mostly free our virus scanners and system checkers can be downloaded for nothing. What is to stop the distributers of this software enclosing code that acts detrimentally towards the user. Unless you check every line of code it would be impossible to know what some pieces of software contain.


The fact that lots of people have access to the code, and can quickly examine what is in the code.

acraigon wrote:I guess windows operating systems could contain code that is dodgy but as you pay for this it is in the interest of microsoft to make sure the product is safe.


Not really, Microsoft relies on IT Managers having the mantra "Must stay up to date to stay secure". Upgrading from Exchange 2000 to 2003 is serious money, money that Microsoft can happily bank.

acraigon wrote:Peoples identities are being stolen daily is Linux as secure as we all think?


Try with your favourite p2p client searching for files such as .fetchmailrc .wab. You'll see that badly configured software is realitively easy to exploit.
CJLL
LXF regular
 
Posts: 193
Joined: Sat Jul 09, 2005 9:22 pm

RE: Re: Linux Security

Postby Me » Mon Oct 24, 2005 7:13 pm

Talking of security, would the free programe Zone Alarm not fit the bill. I assume that Zone Alarm is compatable with Linux yes?
Me
 
Posts: 8
Joined: Sat Oct 22, 2005 9:06 pm

Re: RE: Re: Linux Security

Postby guy » Mon Oct 24, 2005 7:34 pm

Me wrote:Talking of security, would the free programe Zone Alarm not fit the bill. I assume that Zone Alarm is compatable with Linux yes?

No. Linux has other solutions.
See for example this thread on linuxforums.org
Cheers,
Guy
The eternal help vampire
User avatar
guy
LXF regular
 
Posts: 1086
Joined: Thu Apr 07, 2005 12:07 pm
Location: Worcestershire

RE: Re: RE: Re: Linux Security

Postby Me » Tue Oct 25, 2005 8:42 pm

Thanks Guy, will do.
Me
 
Posts: 8
Joined: Sat Oct 22, 2005 9:06 pm


Return to Discussion

Who is online

Users browsing this forum: No registered users and 0 guests