On Friday, 31 March 2006 10:20, Andre Truter wrote:
If a Java app gets compromised, it will only affect the user.
Sorry, I don't really get that point: "it will only affect the user". *I* am the user, and it's exactly me that I don't want to be affected.
The point is not that it is OK if you get compromised, but the point was that if you get compromised on Windows, your whole system is in trouble, while on Linux, only the user is.
OK, got that. Anyway, on W you don't need a virus or worm to get compromised - Windows is, so to speak, "self-compromising" :-)
...
But on the other hand: what's against being notified when a program wants to call outside?
First question: Why do you want to be notified of this? What is the reasoning behind this user request?
Well, that's easy to say: I want my privacy to be respected. I don't want a music company to know which CDs I listen to, I don't want Hollywood to know what movie I'm watching, I don't want to give my e-mail contacts to a spam company, I don't want any program automatically telling its developer or company that I am using it... and so on. To use an analogy: if you are responsible for a kindergarten you will make sure that no "bad guys" come in, but you also want to make sure that no child runs out the door to the street. So having somebody watching who is going in _and_ out wouldn't be a bad idea. Of course nobody should feel secure only because the door is monitored; it's just a (small) _part_ of the security. You'll also need fire extinguishers, a medicine chest, a phone to call for help...
... On Linux you should NOT focus on a tool that can tell you that you HAVE ALREADY been compromised.
[...]
...and about "HAVE ALREADY been compromised": OK, but then it's still better to find out by a warning than not to find out at all, don't you think so too? And what exactly does "being compromised" mean? I, for example, just don't want Acrobat to call home (in fact I don't even know if it does on Linux; it does on W if you don't stop it with z.a. or similar). I want to be able to block things like that easily, without a university degree in firewalling.
I don't have anything against the ZoneAlarm type functionality apart from the fact that it draws your attention away from the real threats.
If you want such functionality, then ask the ZoneAlarm people to port it, or ask someone to write such an application.
I wouldn't. I have read things about ZoneAlarm that don't make it very credible. I don't want to propagate z.a.; it's just this one feature (warnings, easy blocking of programs' internet access) that I'd like to have in Linux, too. But I agree that I'm far from knowing whether such a "warn-application" is useful or useless on Linux; I'd just like it for the reasons mentioned above...
Fact is that Linux is not lacking in security or primitive because it does not have such a tool; it just does not need such a tool.
The original poster suggested that Linux is primitive because it does not have this, and I am saying that it is not, because the tools that protect you from the real threats are quite mature on Linux.
Of course Linux is _not_ primitive at all. No system is primitive just because of the lack (if it is a lack, then) of one feature. If you want this word to be used, I'd call W primitive - if you compare it to Mac, for example. But this is off-topic anyway.
No, not silent failure, but silent protection. A firewall is not there to tell you what is trying to go where; its main purpose is to prevent things from going through it.
I think "firewall" and the discussed ZoneAlarm feature of warnings for outgoing calls are two different things. If you set up a Linux PC (well, I know only SUSE...), you might be more secure than on W, but it is still possible that you download or run a program that does things you don't want it to.
AppArmor and your anti-rootkit software should help you here.
Yeah, I'd have to learn about that. I was just put off using AppArmor by reading its descriptions, which I simply don't understand. Maybe I will one day - but until that day, I'd like to have something easier, you know, just click-click... ;-) I installed chkrootkit, but I have never used it till now. YaST says: "However, it is always recommended that this program be used from a rescue system or a system with a similar purpose." So, will it damage something when I run it, or what else is this sentence trying to tell me? Must I make a "rescue system" to use it, and if so, how? You see, those are the issues that people coming from such a primitive system as W simply don't get a grip on so easily...
...
I still don't see much need for an application that lets you interactively block access from inside to outside, except if you don't want Acrobat to phone home. But if that is something that will make people happy, they are free to create such an application.
I would if I could.
Fact is still that the lack of such an application does NOT make Linux primitive or insecure, as that is not where the security issues are. The only usefulness such a tool will have is to allow you to prevent Acrobat (or whatever) application from accessing the net. But I don't see this as a security issue; it is just a user preference issue.
OK, I guess you know much, much more about this topic than I do, so I simply believe what you say (does this make my system insecure? ;-) ). Let's call it a user preference issue. An issue I'd really welcome, although I know it probably wouldn't prevent a "bad" program from using a door to the outside world through another program that I have allowed to connect...

Daniel

--
Daniel Bauer
photographer
Basel Switzerland
professional photography: http://www.daniel-bauer.com
special interest site: http://www.bauer-nudes.com
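An added example, written for this page and not taken from either poster: the kind of AppArmor profile Andre points to above, which does the one thing Daniel asks for (stop a program such as Acrobat Reader from reaching the network) and, because of the `audit` qualifier, tells the user about every attempt in the kernel/audit log. It uses current AppArmor syntax. The binary path `/usr/bin/acroread`, the `/opt/Adobe/Reader*` install directory and the `~/.adobe` settings directory are assumptions made for the illustration; check where the program actually lives before loading it.

```apparmor
# Added example (not from the mailing-list thread): confine Acrobat Reader
# so that it cannot open any network socket, and log every attempt so the
# user is notified. Binary and install paths are ASSUMED for illustration;
# check them with `which acroread` before loading the profile.
#include <tunables/global>

/usr/bin/acroread {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The point of the profile: no sockets of any family or type.
  # "deny" overrides any allow rule that might come from an abstraction;
  # "audit" makes each refused attempt appear as an apparmor="DENIED"
  # line in the kernel/audit log, which is the "warning" asked for above.
  audit deny network,

  # The program itself and its private libraries (assumed location).
  /usr/bin/acroread mr,
  /opt/Adobe/Reader*/** mr,

  # Documents: read anything the user owns, but write only in a few
  # places, so a malicious PDF cannot alter files such as ~/.bashrc.
  owner @{HOME}/** r,
  owner @{HOME}/.adobe/** rw,
  owner /tmp/** rw,

  # Deliberately no execute (x) rules: with none present, AppArmor
  # refuses any attempt to launch another program, so the reader cannot
  # borrow a browser or mail client to do its phoning home.
}
```

Save it as /etc/apparmor.d/usr.bin.acroread, load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.acroread`, and confirm with `aa-status` that the profile is in enforce mode. While tuning the file rules, `aa-complain /etc/apparmor.d/usr.bin.acroread` switches the profile to complain mode, which logs what would have been blocked instead of blocking it; switch back with `aa-enforce`. Unlike a per-connection pop-up, this answers the worry in the last reply above: the confined program is also prevented from executing some other, already-permitted program to make the connection on its behalf.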