On 3/31/06, Daniel Bauer <linux@daniel-bauer.com> wrote:
Am Donnerstag, 30. März 2006 23:35 schrieb Andre Truter:
If a java app gets compromised, it will only effect the user.
Sorry, I don't really get that point: "it will only effect the user". *I* am the user and it's exactly me whom I don't want to be affected.
The point is not that it is OK if you cet compromised, but the point was that if you get compromised on Windows, your whole system is in trouble, while on Linux, only the user is.
To make it clear: as a non-professional "just-user" of a PC it's no comfort that "only the user" can be affected, because in case of an attack I will not be happy, when I can say: "Oh, only my stuff is gone - but the system still feels fine - Yippee!"
Hehe, yes. You can still restore you backups and carry on. The thing is not that an attack is justified, but if you do get attacked, the damage is limited. Remember that Linux is a true multi-user system. Even if you are using it as a home PC and you are the only user, the system is still a multi-user system. You have a number of ssytem users running on the machine. Not real people, but according to the system, all are users.
But on the other hand: what's against it, if you get noticed when a program wants to call outside?
First question: Why do you want to be notified of this? What is the reasoning behind this user request?
... On Linux you should NOT focus on a tool that can tell you that you HAVE ALREADY been compromised.
[...]
...and about "HAVE ALREADY been compromised": ok, but then it's still better to find out by a warning than not to find out at all, don't you think so too? And, what exactly means "beeing compromised"? I, for example, just don't want Acrobat to call home (in fact I don't even know, if it does on Linux; it does on W if you don't stop it with z.a. or similar). I want to be able to block things like that easily whithout an university degree in firewalling.
I don't have anything against the ZoneAlarm type functionality apart from the fact that it draws your atention away from the real threats. If you want such functionality, then ask the ZoneAlarm people to port it, or ask someone to write such an application. Fact is that Linux is lacking in security or being primitive because it does not have such a tool, it just does not need such a tool. The orignal poster suggested that Linux is primitive because it does not have this and I am saying that it is not because the tools that protect you from the real threats are quite mature on Linux.
No, not silent failure, but silent protection. A firewall is not there to tell you what is trying to go where, it's main purpose is to prevent thngs from going through it.
I think "firewall" and the discussed zone-alarm feature of warnings for outgoing calls are two different things. If you set up a Linux-PC (well, I know only SUSE...), you might be more secure than on W, but it is still possible, that you download or run a program that does things you don't want it to.
AppArmour and your anti-rootkit software should help you here Of course it would be best, to use only secure, trusted software, but
how should an average fool (like me) decide, what is secure, whom schould I trust, whom not? In reality people just download programs if they think, they'd like to have it. Then it's just nice if you can be sure, that this program cannot connect to the internet without your explicit permission.
By using the appropriate tools mentioned above, you should never get to the point where you need this type of functionality. I still don't see much need for an application that lets you interactively block access from inside to outside, except if you don't want Acrobat to phone home. But if that is something that will make people happy, they are free to create such an application. Fact is still that the lack of such an application does NOT make Linux primitive or insecure, as that is not where the security issues are. The only usefulness such a tool will have to to allow you te prevent Acrobat (or what ever) application from acessing the net. But I don't see this as a security issue, it is just a user preference issue. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~