I wonder how SUSE Firewall works. Back in Windows, with ZoneAlarm, when I first install it, it asks me for permission and preconfigures my default browser and mail client to access the net. After that, every new application that tries to access the net or every incoming connection from the net, it asks me for permission. But SUSE Firewall never asks me anything. How do I know which applications it forbids and which it allows? How does it know which applications to forbid and which to allow? I would much prefer a ZoneAlarm-like firewall that tells me what it is doing. Please share your knowledge with me. Thank you. -- Tux #395953 resides at http://samvit.org playing with KDE 3.51 on SUSE Linux 10.0 $ date [] CCE +2006-03-10 W10-5 UTC+0530
Shriramana Sharma wrote:
How do I know which applications it forbids and which it allows?
You study its configuration - I believe it's available from within YaST.
How does it know which applications to forbid and which to allow?
It comes with a default configuration which it is up to you to change as and when needed. /Per Jessen, Zürich
On Friday 10 March 2006 11:25 am, Shriramana Sharma wrote:
I wonder how SUSE Firewall works.
Back in Windows, with ZoneAlarm, when I first install it, it asks me for permission and preconfigures my default browser and mail client to access the net. After that, every new application that tries to access the net or every incoming connection from the net, it asks me for permission.
But SUSE Firewall never asks me anything.
How do I know which applications it forbids and which it allows? How does it know which applications to forbid and which to allow?
I would much prefer a ZoneAlarm-like firewall that tells me what it is doing.
Please note that Linux had a firewall long before there was ever a Zone Alarm. Firewalls generally look at ports and ip addresses. I came across the following in LinuxQuestions.org. Constructing "ZoneAlarm for Linux"? In any case, there is a much different philosophy here. <http://www.linuxquestions.org/linux/blog/unSpawn/2006-02-02/Constructing_ZoneAlarm_for_Linux> -- Jerry Feldman <gaf@blu.org> Boston Linux and Unix user group http://www.blu.org PGP key id:C5061EA9 PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
On Friday, 10 March 2006 17:25, Shriramana Sharma wrote:
I wonder how SUSE Firewall works.
Back in Windows, with ZoneAlarm, when I first install it, it asks me for permission and preconfigures my default browser and mail client to access the net. After that, every new application that tries to access the net or every incoming connection from the net, it asks me for permission.
But SUSE Firewall never asks me anything.
How do I know which applications it forbids and which it allows? How does it know which applications to forbid and which to allow?
I would much prefer a ZoneAlarm-like firewall that tells me what it is doing.
Please share your knowledge with me. Thank you.
I once had a look at this page: http://tuxguardian.sourceforge.net/ Its functionality reminds me very much of ZoneAlarm. But I've never tried it, have no idea if it runs with the SUSE 10.0 standard kernel... Maybe somebody on the list has some experiences and will tell us - or if you try it, give feedback here, please. As much as I understand it (and I don't understand very much :-) ) the SUSE firewall doesn't care about which application is using a specific port, so in my opinion it could easily be possible for a maleficent program to get an internet connection. But I may be completely wrong, of course. However, your question leads to an interesting topic and I would appreciate posts of people who know more about how to secure a PC... Daniel -- Daniel Bauer photographer Basel Switzerland professional photography: http://www.daniel-bauer.com special interest site: http://www.bauer-nudes.com
On Friday 10 March 2006 18:05, Daniel Bauer wrote:
As much as I understand it (and I don't understand very much :-) ) the SUSE firewall doesn't care about which application is using a specific port, so in my opinion it could easily be possible for a maleficent program to get an internet connection.
maleficient? Please tell me you got that from babelfish :)
Yes, it's easy for a program to get internet access in Linux; SuSEfirewall2 won't block outgoing connections by default. If you worry about these things, you might want to look at AppArmor, which is included by default in 10.0 and can block much more than just network access.
ZoneAlarm isn't exactly the solution. It's not too difficult to defeat, so the only thing you get from it is a false sense of security. If you're worried about outgoing connections, the only real solution is to only run software you trust. -- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
On 3/12/06, Anders Johansson <andjoh@rydsbo.net> wrote:
maleficient? Please tell me you got that from babelfish :)
http://www.thefreedictionary.com/dict.asp?Word=maleficient ;-)
On Sunday 12 March 2006 21:43, Peter Van Lone wrote:
On 3/12/06, Anders Johansson <andjoh@rydsbo.net> wrote:
maleficient? Please tell me you got that from babelfish :)
I know what it means, but it's not exactly in common usage now is it :) -- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
On Monday, 13 March 2006 02:21, Anders Johansson wrote:
I know what it means, but it's not exactly in common usage now is it :)
I thought it would be clear. It's the antonym to beneficent. Like bona fide vs male fide... -- Tux #395953 resides at http://samvit.org playing with KDE 3.51 on SUSE Linux 10.0 $ date [] CCE +2006-03-17 W11-5 UTC+0530
On Sun, 2006-03-12 at 21:36 +0100, Anders Johansson wrote:
On Friday 10 March 2006 18:05, Daniel Bauer wrote:
As much as I understand it (and I don't understand very much :-) ) the SUSE firewall doesn't care about which application is using a specific port, so in my opinion it could easily be possible for a maleficent program to get an internet connection.
maleficient? Please tell me you got that from babelfish :)
Yes it's easy for a program to get internet access in linux, SuSEfirewall2 won't block outgoing connections by default. If you worry about these things, you might want to look at AppArmor, which is included by default in 10.0 and can block much more than just network access
zonealarm isn't exactly the solution. It's not too difficult to defeat, so the only thing you get from it is a false sense of security. If you're worried about outgoing connections, the only real solution is to only run software you trust.
http://www.theinquirer.net/?article=29157 It seems an appropriate segue given your assessment of the product.
On Sunday 12 March 2006 01:01 pm, Mike McMullin wrote:
zonealarm isn't exactly the solution. It's not too difficult to defeat, so the only thing you get from it is a false sense of security. If you're worried about outgoing connections, the only real solution is to only run software you trust.
http://www.theinquirer.net/?article=29157
It seems an appropriate segue given your assessment of the product.
I know I'm going to get plonked by the off topic police, but that is one interesting article. And to think that Cisco included (at least in my version) Zone Alarm in their router VPN client software. -- kai - www.perfectreign.com www.livebeans.com - the new NetBeans community 43...for those who require slightly more than the answer to life, the universe and everything.
On Sunday, 12 March 2006 21:36, Anders Johansson wrote:
On Friday 10 March 2006 18:05, Daniel Bauer wrote:
As much as I understand it (and I don't understand very much :-) ) the SUSE firewall doesn't care about which application is using a specific port, so in my opinion it could easily be possible for a maleficent program to get an internet connection.
maleficient? Please tell me you got that from babelfish :)
no, from leo.org... ;-) b.t.w. what would be the correct word for what I intended to say?
Yes it's easy for a program to get internet access in linux, SuSEfirewall2 won't block outgoing connections by default. If you worry about these things, you might want to look at AppArmor, which is included by default in 10.0 and can block much more than just network access
zonealarm isn't exactly the solution. It's not too difficult to defeat, so the only thing you get from it is a false sense of security. If you're worried about outgoing connections, the only real solution is to only run software you trust.
Of course, and I guess it's not so easy to install a working program on Linux that was sent to me by e-mail, for example, as it is on Win, especially if I receive e-mail as a user (not as root) and don't open every attachment or HTML e-mail. But as the quite stupid user that I am - at least in regard to computer tech :-) - I'd appreciate it if I could somehow close my PC not only from outside-in but also from inside-out and let through only those programs to which I explicitly give permission. That was what ZoneAlarm promised to do - and, of course, I am not really surprised to read that it actually does other things, too. This seems to be quite common in the M$-space and is _one_ of the great advantages of open source software. However I am still interested in learning what other (more skilled) users do to protect their PCs.... ...and forgive me for choosing inappropriate words from the list given by leo.org when trying to translate to something near English :-) Daniel -- Daniel Bauer photographer Basel Switzerland professional photography: http://www.daniel-bauer.com special interest site: http://www.bauer-nudes.com
On 3/13/06, Daniel Bauer <linux@daniel-bauer.com> wrote:
That was what ZoneAlarm promised to do - and, of course, I am not really surprised to read that it actually does other things, too. This seems to be quite common in the M$-space and is _one_ of the great advantages of open source software.
However I am still interested in learning what other (more skilled) users do to protect their PC's....
Run a firewall like SuSEFirewall. The default setup should protect you 10 times better than what you are protected on your Windows box.
You have to take into account that Linux is NOT Windows and it does not work in the same way, therefore you cannot take the same approach towards it as you are used to on Windows. The fact that Linux gives you similar functionality to what Windows does does not mean that it works the same way.
I have been running Linux systems exclusively since 2001 and I only set up my firewall. Have never had any problems. I can see the bastards attacking my machines, but they don't come through. I do monitor my logs on a regular basis. I enable logdigest on my servers that are connected to the net and I configure it to mail me every hour, so I can see relatively quickly if something goes wrong.
If you are really worried about your own machine turning on you and 'phoning home' or something, then I would suggest that you look at AppArmor to make sure only authorised applications can run on the machine. But I only see this as valuable when you have other users also using your system. Then, you can also run tools like chkrootkit to make sure somebody did not install a rootkit on your machine.
The Windows phenomenon has managed to create a false understanding of how computers work. Take the whole virus thing for instance. Most people think that virus protection is part of every computer, but the truth is that viruses are mainly a Microsoft thing. Other operating systems have been designed in such a way that it is very difficult for a virus to live on them. Now the problem is that anti-virus companies are trying to cash in on Linux also, by trying to convince people that they need anti-virus software for Linux also. What they are doing is that they are actually creating a false sense of security among Linux newbies, because they are taking the focus off the real points of attack against Linux and UNIX systems.
Because the design is different from Windows, you should look rather at physical attacks from outside than at viruses and spyware doing stuff from inside. If you have a Linux system that has been compromised with spyware or a virus, then you have much bigger problems, because for that to happen, your system is open to the whole wide world and anybody can come in. Rather focus on a good firewall, blocking connection attempts from outside, good passwords, check your log files and look for rootkits. That would be my advice.
PS: Sorry for the long post, but I tend to get carried away on these subjects, because I feel people are getting a false sense of security because they treat Linux like Windows and do not focus on the correct areas... -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~
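The hourly log digest Andre describes, and the "look at ports and IP addresses" view of a firewall from earlier in the thread, can be approximated with a short script. The following is an added example and is not code from this thread, from SuSE's logdigest or from SuSEfirewall2: it parses the kernel log lines that the netfilter LOG target writes (key=value fields such as IN=, SRC=, DST=, PROTO=, SPT=, DPT=, plus bare flags like DF and SYN), counts dropped connection attempts by source and destination port, lists sources that probed several ports, and reports accepted connections to ports you did not list as deliberately opened. The log lines are constructed sample data, and the assumption that the SuSEfirewall2 prefix has the shape SFW2-<chain>-<action>-<reason> (as in SFW2-INext-DROP-DEFLT) is mine.

```python
"""Digest of firewall drop/accept messages from /var/log/messages.

Added example, not code from the thread or from SuSE.  The netfilter LOG
target writes key=value fields (IN=, SRC=, DST=, PROTO=, SPT=, DPT=, ...)
plus bare flags (DF, SYN) into the kernel log; SuSEfirewall2 puts a tag
such as SFW2-INext-DROP-DEFLT in front of them.  The lines below are
constructed sample data (assumption: the tag is SFW2-<chain>-<action>-<reason>).
"""
import re
from collections import Counter

# Constructed sample: two probes from one host, one UDP probe, one unrelated
# sshd line, and one accepted SSH connection.
SAMPLE_LOG = """\
Mar 13 07:01:12 tux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=12345 DF PROTO=TCP SPT=4567 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 13 07:01:15 tux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=12346 DF PROTO=TCP SPT=4568 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 13 07:02:40 tux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=404 TOS=0x00 PREC=0x00 TTL=110 ID=777 PROTO=UDP SPT=1034 DPT=1434 LEN=384
Mar 13 07:03:01 tux sshd[2231]: Accepted publickey for daniel from 192.0.2.20 port 50213 ssh2
Mar 13 07:05:11 tux kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50214 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<tag>SFW2-\S+) (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for a firewall log line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    tag_parts = m.group("tag").split("-")
    fields = dict(FIELD_RE.findall(m.group("rest")))   # OUT= yields ""
    return {
        "ts": m.group("ts"),
        "action": tag_parts[2] if len(tag_parts) > 2 else "?",  # DROP / ACC ...
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "syn": "SYN" in m.group("rest").split(),          # bare TCP flag
    }


def digest(log_text, allowed_ports=frozenset(), scan_threshold=2):
    """Summarise what the firewall did, the way an hourly digest mail would.

    allowed_ports: ports you deliberately opened; accepted packets to any
    other port are listed as unexpected.
    scan_threshold: a source dropped on at least this many distinct
    destination ports is listed as a scanner.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    drops = [e for e in events if e["action"] == "DROP"]

    ports_per_src = {}
    for e in drops:
        if e["dpt"] is not None:
            ports_per_src.setdefault(e["src"], set()).add(e["dpt"])

    return {
        "dropped": len(drops),
        "top_sources": Counter(e["src"] for e in drops).most_common(5),
        "top_ports": Counter(
            (e["proto"], e["dpt"]) for e in drops if e["dpt"] is not None
        ).most_common(5),
        "scanners": sorted(
            s for s, ports in ports_per_src.items() if len(ports) >= scan_threshold
        ),
        "unexpected_accepts": sorted(
            {e["dpt"] for e in events
             if e["action"] == "ACC" and e["dpt"] is not None
             and e["dpt"] not in allowed_ports}
        ),
    }


if __name__ == "__main__":
    # On a real box: digest(open("/var/log/messages").read(), allowed_ports={22})
    for key, value in digest(SAMPLE_LOG, allowed_ports={22}).items():
        print(f"{key}: {value}")
```

Pointing the script at the real file and mailing its output from cron gives the "tells me what it is doing" view the original poster asked for, but for the traffic the firewall actually sees rather than per application; the unexpected_accepts list is the part worth reading first, because it shows the ports the configuration opened that you did not know about.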
On Monday 13 March 2006 7:03 am, Andre Truter wrote:
Run a firewall like SuSEFirewall. THe default setup should protect you 10 times better than what you are protected on your Windows box.
You have to take into account that Linux is NOT Windows and it does not work in the same way,
This is a true statement. I think that the OP wanted something that would make his transition comfortable.
While Linux is inherently safer, it still has some vulnerabilities. In Windows, one of the ways a virus can attack is by replacing a common application. Additionally, spyware also can easily be installed on Windows. The Zone Alarm strategy is to block outgoing traffic unless specifically approved by the user. The Linux strategy is much more integrated into the kernel since Linux has had firewall code for 10 years. But, it does not hurt to add a Zone Alarm type of firewall to Linux if that is what one wants. -- Jerry Feldman <gaf@blu.org> Boston Linux and Unix user group http://www.blu.org PGP key id:C5061EA9 PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
On 3/13/06, Jerry Feldman <gaf@blu.org> wrote:
On Monday 13 March 2006 7:03 am, Andre Truter wrote:
Run a firewall like SuSEFirewall. THe default setup should protect you 10 times better than what you are protected on your Windows box.
You have to take into account that Linux is NOT Windows and it does not work in the same way,
This is a true statement. I think that the OP wanted something that would make his transition comfortable.
While Linux is inherently safer, it still has some vulnerabilities. In Windows, one of the ways a virus can attack is by replacing a common application. Additionally, spyware also can easily be installed on Windows. The Zone Alarm strategy is to block outgoing traffic unless specifically approved by the user. The Linux strategy is much more integrated into the kernel since Linux has had firewall code for 10 years. But, it does not hurt to add a Zone Alarm type of firewall to Linux if that is what one wants.
I tend to disagree. I can write the OP a nice little tool that will do what ZoneAlarm does, monitor outgoing traffic and ask the user when an app wants to connect to the outside, but that will only give him a false sense of security, because he is applying Windows tactics to Linux, so he is looking for the problems in the wrong place. This is my whole point with my rant. Windows teaches us to look out for spyware and viruses, so we apply that to Linux also. We look for the same type of vulnerabilities, while the system is designed differently and has different vulnerabilities. It is like guarding the door to the stable, while the castle's main gates are wide open. I think it is better for the OP to rather try and understand what the vulnerabilities in Linux are and to use the appropriate tools for Linux. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~
On Monday 13 March 2006 9:09 am, Andre Truter wrote:
I tend to disagree. I can write the OP a nice little tool that will do what ZoneAlarm does, monitor outgoing traffic and ask the user when an app wants to connect to the outside, but that will only give him a false sense of security, because he is applying Windows tactics to Linux, so he is looking for the problems in the wrong place.
This is my whole point with my rant. Windows teaches us to look out for spyware and viruses, so we apply that to Linux also. We look for the same type of vulnerabilities, while the system is designed differently and has different vulnerabilities.
It is like guarding the door to the stable, while the castle's main gates are wide open.
I think it is better for the OP to rather try and understand what the vulnerabilities in Linux are and to use the appropriate tools for Linux.
I don't really disagree with you. One security guy I know uses the slogan "Iron doors and paper windows". However, we also want him to be able to transition comfortably. -- Jerry Feldman <gaf@blu.org> Boston Linux and Unix user group http://www.blu.org PGP key id:C5061EA9 PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
I tend to disagree. I can write the OP a nice little tool that will do what ZoneAlarm does, monitor outgoing traffic and ask the user when an app wants to connect the outside, but that will only give him a false sense of security, because he is applying Windows tactics to Linux, so he is looking for the problems in the wrong place.
A firewall tool that will pop up when disallowed traffic is detected and ask if you want to permit it would be EXTREMELY handy, for lots of reasons other than spyware/whatnot. It would make running a workstation with good firewall settings much more convenient - Java applets, various apps, etc. may want to make perfectly legitimate network connections that a user or the administrator did not foresee.
Thanks Andre, for the informative explanation. On Monday, 13 March 2006 13:03, Andre Truter wrote:
On 3/13/06, Daniel Bauer <linux@daniel-bauer.com> wrote:
That was, was ZoneAlarm promised to do - and, of course, I am not really surprised to read, that it actually does other things, too. This seems to be quite common in the M$-space and is _one_ of the great advantages of open source software.
However I am still interested in learning what other (more skilled) users do to protect their PC's....
Run a firewall like SuSEFirewall. THe default setup should protect you 10 times better than what you are protected on your Windows box.
I do, also tried services from some webpages (can't remember which ones) that tried to find insecure "holes", but they couldn't even find out what system I am using... :-)
You have to take into account that Linux is NOT Windows and it does not work in the same way,
this is what we all are very happy about!
therefore you cannot take the same approach towards it than what you are used to on Windows. The fact that Linux gives you similar functionality to what Windows does, does not mean that it works the same way.
I have been running Linux systems exclusively since 2001 and I only set up my firewall. Have never had any problems. I can see the bastards attacking my machines, but they don't come through. I do monitor my logs on a regular basis.
I enable logdigest on my servers that are connected to the net and I configure it to mail me every hour, so I can see relatively quickly if something goes wrong.
I'll have to find out what "logdigest" is, sounds interesting
If you are really worried about your own machine turning on you and 'phoning home' or something, then I would suggest that you look at AppArmor to make sure only authorised applications can run on the machine. But I only see this as valuable when you have other users also using your system.
I think so too - and probably setting up AppArmor is a bit too complicated with the knowledge I have so far...
Then, you can also run tools like chkrootkit to make sure somebody did not install a rootkit on your machine.
I've installed chkrootkit, just out of curiosity, but I'm gonna search Google about it first, because YaST says I'd better run this from a security system than from the running system... However, on Win I "installed" a rootkit once just by inserting a *legally bought* Sony music CD (last time in my life I bought a music CD!) - and I have no idea if something like that could happen with Linux, too, because big companies absolutely do not respect my privacy and have a lot of criminal energy and resources, for sure...
The Windows phenomenon has managed to create a false understanding of how computers work. Take the whole virus thing for instance. Most people think that virus protection is part of every computer, but the truth is that viruses are mainly a Microsoft thing. Other operating systems have been designed in such a way that it is very difficult for a virus to live on them. Now the problem is that anti-virus companies are trying to cash in
I have never run an anti-virus program on Windows, because I thought this is only money-making. I did not use Outlook but Eudora, turned HTML view and automatic downloading off and only opened attachments I knew what they were. I never had any problems.
on Linux also, by trying to convince people that they need anti-virus software for Linux also. What they are doing is that they are actually creating a false sense of security among Linux newbies, because they are taking the focus off the real points of attack against Linux and UNIX systems. Because the design is different from Windows, you should look rather at physical attacks from outside than at viruses and spyware doing stuff from inside. If you have a Linux system that has been compromised with spyware or a virus, then you have much bigger problems, because for that to happen, your system is open to the whole wide world and anybody can come in.
Rather focus on a good firewall, blocking connection attempts from outside, good passwords, check your log files and look for rootkits.
That would be my advice.
PS: Sorry for the long post, but I tend to get carried away on these subjects, because I feel people are getting a false sense of security because they treat linux like Windows and do not focus on the correct areas...
Glad to receive "long explanations", because I often just don't understand pure "programmer slang", and I guess I'm not the only one. So thanks again. Daniel
-- Daniel Bauer photographer Basel Switzerland professional photography: http://www.daniel-bauer.com special interest site: http://www.bauer-nudes.com
On 13/03/06, Daniel Bauer <linux@daniel-bauer.com> wrote:
However, on Win I "installed" a rootkit once just by inserting a *legally bought* Sony music CD (last time in my life I bought a music CD!) - and I have no idea if something like that could happen with Linux, too, because big companies absolutely do not respect my privacy and have a lot of criminal energy and resources, for sure...
Yes, this was the subject of a rather embarrassing press hounding for Sony.
I have never run an anti-virus program on Windows, because I thought this is only money-making. I did not use Outlook but Eudora, turned HTML view and automatic downloading off and only opened attachments I knew what they were.
Ah, not good. You will sooner rather than later get a virus on a Windows tin this way. There are just too many vulnerabilities inherent in the Microsoft operating system. You do not need to be running e-mail or a browser to get infected - with Windows. One of the latest was transmitted via MS Media Player (I don't know the full details). If you have to use MS Windows then try the free A/V software from www.grisoft.com (AVG anti virus). -- ============================================== I am only human, please forgive me if I make a mistake it is not deliberate. ============================================== Xmas may be over but, PLEASE DON'T drink and drive you'll make it to the next one that way. Kevan Farmer Linux user #373362 Cheslyn Hay Staffordshire WS6 7HR
On 3/13/06, Daniel Bauer <linux@daniel-bauer.com> wrote:
However, on Win I "installed" a rootkit once just by inserting a *legally bought* Sony music CD (last time in my life I bought a music CD!) - and I have no idea if something like that could happen with Linux, too, because big companies absolutely do not respect my privacy and have a lot of criminal energy and resources, for sure...
Now this is where Windows and Linux differ. In order for something like this to happen on Linux, you need to insert the CD, then log in as root user on your machine, then mount the CD and then run the rootkit installer from the CD. So, you basically need to install the rootkit yourself.
Someone can install a rootkit on your machine over the network, by exploiting a known vulnerability of a specific piece of software on your machine, but they need to be able to connect to a port on your machine from outside (that is where the firewall comes in).
So, let's say for example that the telnetd program has a vulnerability. Now the vulnerability will only exist in a specific version or range of versions of the telnetd program and it is normally patched soon after the vulnerability has been discovered. But let's say that you do not update your machine regularly and you are running an old version of telnetd that still has the vulnerability. Telnetd listens on port 23 on your machine. So, Mr CR Acker is scanning for machines with port 23 open and discovers yours. He then runs a script that will contact your machine and access port 23 and then send a certain command to that port. The command (or stream of data) is designed to exploit the vulnerability in your version of telnetd. It works and your telnetd cracks up and allows Mr Acker to access your machine as root user via the telnet port. So he uploads his rootkit and installs it.
I am not a security expert, but as far as I know, this is basically how a UNIX/Linux system can be compromised. The experts can correct me and/or expand a bit on it.
So, you can see that to get malicious software onto a Linux box requires that a number of things need to be in place:
1) You need to have the correct version of the vulnerable software installed.
2) The vulnerable software needs to be running and listening on an Internet port.
3) Your firewall has to allow access to that port from outside.
Taking into account that most vulnerabilities in OSS software are detected and fixed by the community or developers long before Mr CR Acker finds them, and you need to have your firewall set up to allow access to the application, you can see that it is quite difficult to get into a box that is properly maintained. The attacker also needs to get root access to your machine to do any real harm.
There are a lot of other design issues that make Linux very virus-unfriendly. It is also very unlikely that you can get a rootkit or any malicious software installed by just inserting a CD, as Linux systems normally do not run anything on a CD by themselves. KDE and GNOME do have the capability to do so, if it is set up to do it, but then it is run as a normal user and not root (except if the user is stupid enough to run a desktop as root and in that case he/she deserves what they get).
I have never run an anti-virus program on Windows, because I thought this is only money-making. I did not use Outlook but Eudora, turned HTML view and automatic downloading off and only opened attachments I knew what they were. I never had any problems.
The strategy of not using Outlook and IE is good. I think most of the virus problems are caused and sustained by those two apps. Fortunately we do not have them on Linux. :-)
To come back to the ZoneAlarm thing. I have gkrellm running on all my desktops, so I can always see what the CPU, network and disk usage is (together with a number of other things). I can immediately see if my network, CPU or disk usage is not what I expect it to be and then I use tools like ps and netstat to see what is doing stuff on my machine that I do not expect. I suppose this is my way of doing what ZoneAlarm is doing. I just approach it from a UNIX perspective. :-) -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~
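Andre's three conditions (a vulnerable version installed, the daemon listening on a port, the firewall letting that port through) and his netstat habit suggest a small audit that can be run from cron. This is an added example, not code from this thread or from SuSE: it decodes the kernel's /proc/net/tcp table (the data behind netstat -ltn), keeps only LISTEN sockets, and compares them against the ports you know you run and the TCP ports the firewall opens to the outside (on SuSEfirewall2 that list is FW_SERVICES_EXT_TCP in /etc/sysconfig/SuSEfirewall2). The embedded table is constructed sample data, and the two port sets passed to audit() are assumptions for the demonstration; the telnetd-on-port-23 line reproduces the scenario Andre describes.

```python
"""Audit listening TCP sockets against what you expect and what the firewall
opens.

Added example, not code from the thread or from SuSE.  /proc/net/tcp is the
kernel table behind `netstat -ltn`: local_address is hex "ADDR:PORT" with the
IPv4 address printed as a native-order 32-bit word, st is the socket state
(0A = LISTEN) and the uid column is the owning user.  The table below is
constructed sample data.
"""
import socket
import struct

LISTEN = "0A"

# Constructed: telnetd on *:23 as root, an MTA on 127.0.0.1:25 as root, sshd on
# *:22 as root, something on *:8080 as uid 1000, and one ESTABLISHED connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 00000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002 1 00000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9003 1 00000000 100 0 0 10 0
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 9004 1 00000000 100 0 0 10 0
   4: 0A00020A:0016 1400020A:C418 01 00000000:00000000 00:00000000 00000000     0        0 9005 1 00000000 100 0 0 10 0
"""


def decode_addr(hex_addr_port):
    """'0100007F:0016' -> ('127.0.0.1', 22)."""
    addr_hex, port_hex = hex_addr_port.split(":")
    # The kernel prints the in-memory 32-bit word; packing it back in native
    # order restores the network-order bytes inet_ntoa expects.
    addr = socket.inet_ntoa(struct.pack("=I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def listening_sockets(proc_text):
    """Return LISTEN sockets as dicts {addr, port, uid}, in table order."""
    result = []
    for line in proc_text.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != LISTEN:
            continue
        addr, port = decode_addr(cols[1])
        result.append({"addr": addr, "port": port, "uid": int(cols[7])})
    return result


def audit(proc_text, expected_ports, firewall_open_ports):
    """Classify listeners.

    expected_ports:      ports you know you run (what netstat -ltn should show).
    firewall_open_ports: TCP ports the firewall lets in from outside
                         (SuSEfirewall2: FW_SERVICES_EXT_TCP).

    exposed:      non-loopback AND allowed through: an exploit for that
                  daemon's version reaches it (condition 2 + condition 3).
    shielded:     non-loopback but blocked outside: still worth patching.
    unexpected:   any listener you did not know about.
    root_exposed: exposed listeners running as uid 0, the worst case.
    """
    socks = listening_sockets(proc_text)
    public = [s for s in socks if not s["addr"].startswith("127.")]
    exposed = [s for s in public if s["port"] in firewall_open_ports]
    return {
        "exposed": sorted(s["port"] for s in exposed),
        "shielded": sorted(s["port"] for s in public
                           if s["port"] not in firewall_open_ports),
        "unexpected": sorted(s["port"] for s in socks
                             if s["port"] not in expected_ports),
        "root_exposed": sorted(s["port"] for s in exposed if s["uid"] == 0),
    }


if __name__ == "__main__":
    # On a real box: audit(open("/proc/net/tcp").read(), {22, 25}, {22})
    print(audit(SAMPLE_PROC_NET_TCP, expected_ports={22, 25},
                firewall_open_ports={22, 23}))
```

The same parser works on /proc/net/tcp6 with a 32-hex-digit address field if you swap decode_addr for an IPv6 version; the point of the classification is that "shielded" listeners are only safe for as long as the firewall configuration stays as it is, which is why the thread's advice to study that configuration in YaST matters.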
On Monday 13 March 2006 05:55, Andre Truter wrote:
To come back to the ZoneAlarm thing. I have gkrellm running on all my desktops, so I can always see what the CPU, network and disk usage is (together with a number of other things).
I'd like to get gkrellm running on my Suse 10.0 system. So I downloaded gkrellm-2.2.5.tar.gz, untarred it and ran 'make', following the install instructions, and got this error as user and root:
(cd src && make gkrellm)
make[1]: execvp: ./configure: Permission denied
make[1]: Entering directory `/home/myhome/bin/gkrellm-2.2.5/src'
grep: configure.h: No such file or directory
grep: configure.h: No such file or directory
grep: configure.h: No such file or directory
grep: configure.h: No such file or directory
cc -Wall -O2 -I.. `pkg-config --cflags gtk+-2.0 gthread-2.0` -DENABLE_NLS -DLOCALEDIR=\"/usr/local/share/locale\" -c -o main.o main.c
In file included from main.c:23:
gkrellm-private.h:22:23: error: configure.h: No such file or directory
make[1]: *** [main.o] Error 1
make[1]: Leaving directory `/home/myhome/bin/gkrellm-2.2.5/src'
make: *** [all] Error 2
This is where the problem starts: make[1]: execvp: ./configure: Permission denied. Is 'make' trying to make configure.h here? Why is permission denied--even as root? What does execvp mean? Thanks, Jerome
On Tuesday, 14 March 2006 09:28, Susemail wrote:
I'd like to get gkrellm running on my Suse 10.0 system. So I downloaded gkrellm-2.2.5.tar.gz untared it and ran 'make', following the install instructions and got this error as user and root:
Why don't you just use YaST to install an rpm? I have gkrellm 2.2.7-2 installed and running without any problems... Daniel -- Daniel Bauer photographer Basel Switzerland professional photography: http://www.daniel-bauer.com special interest site: http://www.bauer-nudes.com
On Monday 13 March 2006 23:05, Daniel Bauer wrote:
On Tuesday, 14 March 2006 09:28, Susemail wrote:
I'd like to get gkrellm running on my Suse 10.0 system. So I downloaded gkrellm-2.2.5.tar.gz untared it and ran 'make', following the install instructions and got this error as user and root:
Why don't you just use YaST to install an rpm? I have gkrellm 2.2.7-2 installed and running without any problems...
I tried Yast first. I got "No Results". What installation source are you using? Jerome
On Wednesday, 15 March 2006 04:59, Susemail wrote:
Why don't you just use Yast to install a rpm? I have gkrellm 2.2.7-2 istalled and running without any problems...
I tried Yast first. I got "No Results". What installation source are you using? Jerome
packman.iu-bremen.de/suse/10.0/
ftp.uni-erlangen.de/pub/Linux/MIRROR.suse/pub/suse/i386/supplementary/KDE/update_for_10.0/yast-source/
ftp.uni-erlangen.de/mirrors/opensuse/distribution/SL-10.0-OSS/inst-source/
ftp.uni-erlangen.de/mirrors/opensuse/distribution/SL-10.0-OSS/inst-source-java/
ftp.uni-erlangen.de/mirrors/suse/pub/suse/i386/10.0/SUSE-Linux10.0-GM-Extra/
I am sorry, but I don't know from which one of these sources the gkrellm rpm comes... When I switch each one of these individually to "on" and the others to "off" (as installation source), I don't see an available version of gkrellm in YaST either. *) But when I switch all of these sources to "on" gkrellm is there: available version 2.2.7-2.
*) Don't know if I did something wrong when setting these sources individually to on or off, didn't have much time, though. But at least I can confirm that gkrellm is there when I use all those sources together... Daniel -- Daniel Bauer photographer Basel Switzerland professional photography: http://www.daniel-bauer.com special interest site: http://www.bauer-nudes.com
On Wednesday 15 March 2006 04:22, Daniel Bauer wrote:
I am sorry, but I don't know from which one of these sources the gkrellm rpm comes
Install and use "pin" to find this out:
carlh@linux:~> pin gkrellm
grepping /var/lib/pin/ARCHIVES.gz ... please wait
pin 0.34 - package info for gkrellm
------------------------------------------------------------------
*** no rpm named gkrellm installed
------------------------------------------------------------------
------------------------------------------------------------------
*** zgrep gkrellm /var/lib/pin/ARCHIVES.gz
------------------------------------------------------------------
./DVD1/suse/i586/kdeutils3-3.4.2-6.i586.rpm: -rw-r--r-- 1 root root 1102 May 23 14:09 /opt/kde3/share/apps/ksim/themes/ksim/gkrellmrc
./DVD1/suse/i586/kdeutils3-3.4.2-6.i586.rpm: -rw-r--r-- 1 root root 1102 May 23 14:09 /opt/kde3/share/apps/ksim/themes/ksim/gkrellmrc_ksim
./DVD1/suse/i586/vim-6.3.84-2.i586.rpm: -rw-r--r-- 1 root root 4342 Sep 13 03:26 /usr/share/vim/vim63/syntax/gkrellmrc.vim
./DVD1/suse/i586/kdeaccessibility3-3.4.2-6.i586.rpm: -rw-r--r-- 1 root root 3337 Jul 20 18:36 /opt/kde3/share/icons/mono/scalable/apps/gkrellm.svgz
./DVD1/suse/i586/kvim-6.2.14-121.i586.rpm: -rw-r--r-- 1 root root 4342 Sep 13 04:38 /opt/kde3/share/vim/vim62/syntax/gkrellmrc.vim
./DVD1/suse/noarch/susehelp-2005.08.01-2.noarch.rpm: -rw-r--r-- 1 root root 253 Sep 9 20:54 /usr/share/susehelp/meta/Administration/System/gkrellm.desktop
./DVD1/suse/noarch/gnome2-SuSE-10.0-9.noarch.rpm: drwxr-xr-x 2 root root 0 Sep 14 13:50 /opt/gnome/share/themes/6nome/gkrellm2
<snipped the rest>
regards, Carl
On Tuesday 14 March 2006 09:28, Susemail wrote:
Is 'make' trying to make configure.h here?
Yes
Why is permission denied--even as root?
Most likely because the partition where you have /home is mounted with the 'noexec' flag, which disallows any programs from being executed on it. Edit /etc/fstab to remove it, and either remount /home or reboot
What does execvp mean?
execute a program, sending it an array of variables, and using $PATH to search for the program. It just means make is trying to run a program, in this case 'configure' -- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
On Tuesday 14 March 2006 09:27, Anders Johansson wrote:
On Tuesday 14 March 2006 09:28, Susemail wrote:
Is 'make' trying to make configure.h here?
Yes
Why is permission denied--even as root?
Most likely because the partition where you have /home is mounted with the 'noexec' flag, which disallows any programs from being executed on it. Edit /etc/fstab to remove it, and either remount /home or reboot
Hi Anders,
Here is the relevant line:
/dev/hda3 /home auto defaults,user 0 0
I don't know how to check if 'defaults' includes the 'noexec' flag or how to remove it if it does.
What does execvp mean?
execute a program, sending it an array of variables, and using $PATH to search for the program.
It just means make is trying to run a program, in this case 'configure'
Thanks Anders, Jerome
-- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
On Wednesday 15 March 2006 00:26, Susemail wrote:
Here is the relevant line: /dev/hda3 /home auto defaults,user 0 0
I don't know how to check if 'defaults' includes the 'noexec' flag or how to remove it if it does.
'defaults' doesn't, but 'user' does. Just change that from defaults,user to just defaults and everything should be fine again. -- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
On Tuesday 14 March 2006 13:42, Anders Johansson wrote:
On Wednesday 15 March 2006 00:26, Susemail wrote:
Here is the relevant line: /dev/hda3 /home auto defaults,user 0 0
I don't know how to check if 'defaults' includes the 'noexec' flag or how to remove it if it does.
'defaults' doesn't, but 'user' does. Just change that from defaults,user to just defaults and everything should be fine again.
-- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
I changed the line:
/dev/hda3 /home auto defaults 0 0
but still the same result:
# make
(cd po && make all)
make[1]: Entering directory `/home/myhome/bin/gkrellm-2.2.5/po'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/home/myhome/bin/gkrellm-2.2.5/po'
(cd src && make gkrellm)
make[1]: execvp: ./configure: Permission denied
make[1]: Entering directory `/home/myhome/bin/gkrellm-2.2.5/src'
grep: configure.h: No such file or directory
grep: configure.h: No such file or directory
grep: configure.h: No such file or directory
grep: configure.h: No such file or directory
cc -Wall -O2 -I.. `pkg-config --cflags gtk+-2.0 gthread-2.0` -DENABLE_NLS -DLOCALEDIR=\"/usr/local/share/locale\" -c -o main.o main.c
In file included from main.c:23:
gkrellm-private.h:22:23: error: configure.h: No such file or directory
make[1]: *** [main.o] Error 1
make[1]: Leaving directory `/home/adriel/bin/gkrellm-2.2.5/src'
make: *** [all] Error 2
Jerome
On Thursday 16 March 2006 17:53, Anders Johansson wrote:
On Friday 17 March 2006 03:55, Susemail wrote:
I changed the line: /dev/hda3 /home auto defaults 0 0
but still the same result:
Did you reboot afterwards?
No. And thanks for ' rpm -qa kde\* ' and 'locale'. Jerome
-- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
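The point Anders makes in the exchange above (that the 'user' option in /etc/fstab silently implies 'noexec', and that an edited fstab line changes nothing until the filesystem is remounted or the box rebooted) can be checked from a shell. The script below is an added example, not something posted in this thread: the two functions and the sample option strings are mine, and they follow what mount(8) documents about 'defaults', 'user' and 'users'.

```shell
#!/bin/sh
# Added example, not from the thread: work out whether a filesystem will be
# mounted noexec from its fstab options field, and compare that with the live
# mount in /proc/mounts. Per mount(8), "user" (and "users") implies
# noexec,nosuid,nodev unless a later "exec" option overrides it, and
# "defaults" adds nothing beyond the kernel defaults (which include exec).

# fstab_exec_state OPTIONS -> prints "exec" or "noexec" for an fstab options
# string such as "defaults,user". Later options override earlier ones.
fstab_exec_state() {
    state=exec                       # the kernel's default is exec
    for o in $(printf '%s' "$1" | tr ',' ' '); do
        case $o in
            defaults) ;;             # no change: defaults already mean exec
            exec) state=exec ;;
            user|users|noexec) state=noexec ;;
        esac
    done
    printf '%s\n' "$state"
}

# live_exec_state MOUNTPOINT -> "exec", "noexec" or "unmounted", taken from
# /proc/mounts (options are field 4). This is what applies right now:
# editing /etc/fstab changes nothing until `mount -o remount MOUNTPOINT`
# or a reboot, which is the step that was missing in the exchange above.
live_exec_state() {
    opts=$(awk -v mp="$1" '$2 == mp { print $4 }' /proc/mounts 2>/dev/null | tail -n 1)
    if [ -z "$opts" ]; then
        printf 'unmounted\n'
        return 0
    fi
    case ",$opts," in
        *,noexec,*) printf 'noexec\n' ;;
        *)          printf 'exec\n' ;;
    esac
}

# Constructed sample values: the fstab line from the thread and its fix.
echo "defaults,user      -> $(fstab_exec_state defaults,user)"       # noexec
echo "defaults           -> $(fstab_exec_state defaults)"            # exec
echo "defaults,user,exec -> $(fstab_exec_state defaults,user,exec)"  # exec
echo "/home is currently: $(live_exec_state /home)"
```

Run it before and after editing fstab: if `fstab_exec_state` already says exec but `live_exec_state /home` still says noexec, the remount is what is missing, and `./configure` will keep failing with "Permission denied" until it is done.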
Someone wrote:
Run a firewall like SuSEFirewall. The default setup should protect you 10 times better than what you are protected on your Windows box.
I enable logdigest on my servers that are connected to the net and I configure it to mail me every hour, so I can see relatively quickly if something goes wrong.
---- The above says it all: instead of having an interactive tool that requires the interactive user's permission, most Linux users have to rely on a "log file" -- that _retrospectively_ will tell you what has happened on your box.
It doesn't allow you to permit/deny traffic in real time, nor does it allow real-time interactive firewall rule construction based on usage.
It isn't about the relative strengths of security but about real-time interactivity. Linux is poor in real-time, interactive controls and monitoring.
I find the discussion about how the user should or shouldn't be doing things amusing -- i.e. "Dear ex-windows user: um, we don't have the features and abilities you want, so we want to educate you on what you think you should want and give you lots of reasons why what you want doesn't really protect you (which is what we wanted to tell you what you really wanted)." Bleh!
*Differences of Win vs. Linux Security model*
There is a fundamental difference in the security model and tools available for windows and for linux. With Windows, you only have the concept of one active user at the desktop -- and that user usually "owns" the computer and usually has that computer to themselves. Such a design isn't where Linux has come from. Linux is descended (in thought and design concept) from unix -- which was designed for multi-user computer sharing -- usually with no one at the console. It wasn't designed for attended monitoring 24x7, whereas Windows is designed from the point of the "single-user", who is usually in attendance when the computer is being used. In the Windows philosophy of _past_, nothing should happen on your computer unless you "instigate it".
NOTE: there is a difference between the historic use of 1-windows user/computer and later editions of Windows used as a server. Even Windows as a server isn't designed as *nix has been. Multi-user *nix was the norm and it has been adapted for single-user use. With windows, it is the opposite -- it was designed for solo, non-networked use and has been adapted for network use. Everything about Windows was designed for "interoperability" with other Windows computers in a "non-threat" environment. *nix was designed for separating users to allow multiple "academics" to share information, but still keep them separate. It heralds back to "Multics" that was designed with security in mind in the 1960's, but I digress.
Windows in its current incarnation (XP as version 5.1 of "NT") is similar in design to many current *nix implementations. NT was _supposedly_ descended from mainframe OS principles. Like *nix, NT supports multiple users. Like *nix NT supports levels of privileged code. NT has superior security features to many *nix implementations, however, it's insecure by *configuration*. NT (as used for Windows XP sold for individual computers) is still configured for compatibility with the older, single-user Win9x systems. It is the default configuration for usability and compatibility that makes WinNT based systems less secure than their *nix counterparts.
Most NT applications require "root access" to install. Many NT applications install system drivers as part of their typical install. At least WinNT has the concept of 2 driver privilege levels: Ring 0 & Ring 1 (which is different from user processes that operate at Ring 3). Few, if any *nix systems use more than the 2-ring security model. Single process capabilities have been present in NT since its 4.x days -- likely 3.x (though I had no experience w/such). Linux had process capabilities so screwed up that they were completely disabled in 2.2.16 (~2000) as a critical security flaw because the implementors and reviewers of capabilities in linux, /at the time/, had a fundamental lack of understanding of how they should work.
One of the worst offenders is *non-system software* -- _games_ in Windows. How many games try to install "copy-protection" into a user's computer by attempting direct access to the hardware and/or by installing specialized drivers? Such applications are uncommon in *nix. In historic *nix systems, users _couldn't_ install applications requiring direct-hardware access.
I could go on for ever on the differences in design, but suffice it to say: if the linux desktop "shell" required constant "root access" to install and run hardware, and if it provided all of the "automatic" features of Win XP, it would be just as insecure (perhaps more so) as Windows.
To get back to the Original Poster's article -- and some people's claim that *nix doesn't provide real-time monitoring and permission grants to interactive users only shows the lack of flexibility of the *nix model.
Some claim it would be "possible to provide the same functionality in *nix". I challenge you to do so with the same constraints on ease of install and control for whatever user is using the desktop. It won't be easy:
You will have to:
1) identify what process is attempting unauthorized access. (remember, the process may be owned by any user -- not just the "logged in user").
2) display a high priority popup on the ... well...who? The primary console user's terminal? What if someone is running "Citrix" or logged in via Terminal Services? Who gets the message? In Windows, it is the console user.
3) Allow the Console user to decide if the "arbitrary process" (good chance it isn't owned by the user) should be granted the appropriate access. Same with incoming connections -- they are probably going into some "system process" (response to "bind/dns", incoming "email" handled by sendmail, etc).
4) Allow the "unprivileged" user to decide on network access for some non-user owned (likely, system level) process. Ex. I just use a browser to look at a site. Say it is configured to use a proxy (squid). I see a message that squid wants an outside line. Do I allow it? Is it my browser? If I do allow it, squid is allowed for all users and all processes -- it isn't just my browsing. Suppose I choose to allow it - some firewall rule (running with system privileges) needs to be modified. This means my "interactive popup" is allowed to modify system firewall tables? That breaks the fundamental user-superuser separation on *nix.
5) To modify firewall rules, the user must (at least temporarily) be running with system (root) privileges. You've violated *nix's main protection.
6) If the *nix system is running "X", more than one user may be running a console session. How will you trace what "outgoing connection attempt" is related to which user (if any). How will these users decide on which non-user utils get access?
Bottom line: I submit that you can't require instantaneous user interaction on *nix and have the system function "normally". Most network activity on a *nix system happens on *behalf* of a user -- maybe no specific user, but just as part of making the *nix system responsive and robust. You can't provide something as convenient as "ZoneAlarm" on Linux without _a lot_ of work and a violation of the *nix system design. If you create the support structure necessary to support such "automation", including the ability to click on mail attachments like ".pdf" and have them auto-open acrobat, you create the same opportunity for "holes" in *nix as in WinNT based systems. Do you need more examples?
Note -- manual, human-based *logfile review* is _unacceptable_. It is _reactive_, time consuming and error prone. In the one-hour between being mailed "logs", a well qualified hacker could be in, plant a trojan and clean up the logs to remove a trace of their being there. If you have to sleep or go on a vacation for any number of days, you have even less responsiveness to intrusions.
Sorry, but in my opinion, Linux is considerably more lacking in real-time, interactive security response tools that talk to the active user. In the absence of a real-time, at the console user, traffic is *blocked*. This is very *untrue* for the average *nix system, where systems are expected to run "unattended".
None of this should be taken to mean that Linux, as used today is less secure than Windows -- but it easily could be if it was _configured_ to be as easily interoperable as WinNP is (by requirement of legacy compatibility) to be.
It should be noted that the main hindrance to good security is _usability_. The less usable a security system is, the more likely users are to find a way to work around it. The presence of an easy-to-use, interactive, graphical firewall configuration tool that allows real-time monitoring and feedback -- so a user can see that if an application wants web access, they get immediate prompting that tells them the application is attempting network access, informs them what application(s) are attempting what type of internet access. Post examination of log files doesn't provide that type of interactive training.
FYI -- I do have linux log files that show me blocked outgoing firewall traffic. It isn't uncommon to see applications (running on Windows through a linux proxy server) to simply and mysteriously "not work". It's only later, if I examine log files and remember what I was doing at the time, do I find that I couldn't watch some "video" because my firewall blocked outgoing ports by my "http-proxy" (squid) to some site. It is rare that I know why the application(s) failed at the time they fail -- there is no interactive message to tell me that a forbidden network traffic type is being automatically blocked. That is way less usable (and useful) than having a popup instantly tell me that my attempt to play some video is accessing some weird port, that isn't in the normal video port range. It's even less easy to "temporarily" allow one specific traffic request through. I.e. - on linux, I'd have to add some firewall rule, go back and run my app, then re-edit the firewall rule to remove the temporary access. **Very** inconvenient. That's not my idea of _usable_ security.
Ms. Linda Walsh
Overall comment: Linda, saying something three times in a row doesn't make it true.
On Tuesday 21 March 2006 22:55, Linda Walsh wrote:
The above says it all: instead of having an interactive tool that requires the interactive user's permission, most Linux users have to rely on a "log file" -- that _retrospectively_ will tell you what has happened on your box.
It doesn't allow you to permit/deny traffic in real time, nor does it allow real-time interactive firewall rule construction based on usage.
This idealistic talk about real time neglects three important things:
Firstly, I dare you to show me one single windows user of any experience level who hasn't gone mad at the constant popups from zonealarm and just presses "allow always" to the outbound requests from Internet Explorer, thus completely disabling any and all protection this tool may have given you.
Secondly, you're assuming that virus writers don't know how to bypass ZoneAlarm. Dangerous assumption.
In this overlong rant you're also mixing talk of inbound and outbound connections. Well, here's a LART for you: I can put a SUSE box online for a year completely unattended, and I'll put up a cash prize of one million US dollars for anyone gaining access to it. You know how I can be so bold? Because a machine that doesn't accept connections can't be hacked. An out of the box SUSE installation will not listen to external ports. Even ssh is blocked by default. And if a windows user sets up a server on his desktop machine where he is a console user, he will press the "Allow Always" button in ZoneAlarm every bit as much as he would simply open the port in SuSEfirewall2 on a SUSE box.
I find the discussion about how the user should or shouldn't be doing things amusing -- i.e. "Dear ex-windows user: um, we don't have the features and abilities you want, so we want to educate you on what you think you should want and give you lots of reasons why what you want doesn't really protect you (which is what we wanted to tell you what you really wanted)." Bleh!
"I want a nuclear bomb so I can get rid of the moles from my back yard" Now now, don't tell this person that a nuke isn't the best way to fight moles, give the man what he wants. right?
To get back to the Original Poster's article -- and some people's claim that *nix doesn't provide real-time monitoring and permission grants to interactive users only shows the lack of flexibility of the *nix model.
Not really, people's claiming it doesn't make it so. It can be done.
1) identify what process is attempting unauthorized access. (remember, the process may be owned by any user -- not just the "logged in user").
AppArmor does this as part of its basic functionality
2) display a high priority popup on the ... well...who? The primary console user's terminal? What if someone is running "Citrix" or logged in via Terminal Services? Who gets the message? In Windows, it is the console user.
This is yet another place where it breaks down, of course. If you're talking about Citrix and Terminal Services then you're not talking about a regular home user. Using ZoneAlarm in a company setting is just silly
3) Allow the Console user to decide if the "arbitrary process" (good chance it isn't owned by the user) should be granted the appropriate access. Same with incoming connections -- they are probably going into some "system process" (response to "bind/dns", incoming "email" handled by sendmail, etc).
Oh yeah, and you'll be spending 90% at least of your day clicking on popup buttons if you're going to require interactive response to IP packets on the level of dns responses. And incoming email handled by sendmail????????? Are you seriously suggesting using ZoneAlarm on a mail server? No way, under any circumstances on any OS
4) Allow the "unprivileged" user to decide on network access for some non-user owned (likely, system level) process. Ex. I just use a browser to look at a site. Say it is configured to use a proxy (squid). I see a message that squid wants an outside line. Do I allow it? Is it my browser? If I do allow it, squid is allowed for all users and all processes -- it isn't just my browsing. Suppose I choose to allow it - some firewall rule (running with system privileges) needs to be modified. This means my "interactive popup" is allowed to modify system firewall tables? That breaks the fundamental user-superuser separation on *nix.
Indeed, and in this model it wouldn't work even on windows.
5) To modify firewall rules, the user must (at least temporarily) be running with system (root) privileges. You've violated *nix's main protection.
Not at all. This isn't the year 2000 anymore. Capabilities do work now
6) If the *nix system is running "X", more than one user may be running a console session. How will you trace what "outgoing connection attempt" is related to which user (if any). How will these users decide on which non-user utils get access?
Simple, they won't. And you won't find many multi-user windows boxes using ZoneAlarm either
Bottom line: I submit that you can't require instantaneous user interaction on *nix and have the system function "normally".
And I submit that in the silly circumstances you picture, you can't do it on any OS
Most network activity on a *nix system happens on *behalf* of a user -- maybe no specific user, but just as part of making the *nix system responsive and robust. You can't provide something as convenient as "ZoneAlarm" on Linux without _a lot_ of work and a violation of the *nix system design.
And I put it to you that AppArmor is just that, and done in a way that makes sense even on a multiuser platform
If you create the support structure necessary to support such "automation", including the ability to click on mail attachments like ".pdf" and have them auto-open acrobat
which of course already exists
you create the same opportunity for "holes" in *nix as in WinNT based systems.
No, those come with scripting, and trust in extensions. Just having a pdf open in acroread won't do any damage, but if acroread suddenly acquired a scripting capability on the level of MSOffice, then yes, it could happen. Also, linux generally looks at a file to determine what it is, so a file.exe.gif won't be misinterpreted
Do you need more examples?
Yes please
Note -- manual, human-based *logfile review* is _unacceptable_. It is _reactive_, time consuming and error prone. In the one-hour between being mailed "logs", a well qualified hacker could be in, plant a trojan and clean up the logs to remove a trace of their being there. If you have to sleep or go on a vacation for any number of days, you have even less responsiveness to intrusions.
Since you mentioned sendmail above, I'm just picturing you sitting by an exchange server, feverishly clicking "yes, allow" every time an incoming email comes in. Does it pay well?
Sorry, but in my opinion, Linux is considerably more lacking in real-time, interactive security response tools that talk to the active user. In the absence of a real-time, at the console user, traffic is *blocked*. This is very *untrue* for the average *nix system, where systems are expected to run "unattended".
So are most windows servers. You really can't mix the server and desktop environments and expect a sane discussion
None of this should be taken to mean that Linux, as used today is less secure than Windows -- but it easily could be if it was _configured_ to be as easily interoperable as WinNP is (by requirement of legacy compatibility) to be.
Nah, interoperability has nothing to do with it. Compatibility in the user experience, to a certain extent (users expect things to behave in a certain way, even if it kills them) but it could be done safely. Sure, things like ActiveX need to die, and the scripting capabilities of certain things should be cut down, or at least placed in a sandbox, but it can be done
FYI -- I do have linux log files that show me blocked outgoing firewall traffic. It isn't uncommon to see applications (running on Windows through a linux proxy server) to simply and mysteriously "not work". It's only later, if I examine log files and remember what I was doing at the time, do i find that I couldn't watch some "video" because my firewall blocked outgoing ports by my "http-proxy" (squid) to some site. It is rare that I know why the application(s) failed at the time they fail -- there is no interactive message to tell me that a forbidden network traffic type is being automatically blocked. That is way less usable (and useful) than having a popup instantly tell me that my attempt to play some video is accessing some weird port, that isn't in the normal video port range.
I lost you. How is any system supposed to determine what is running *on a different machine*? Not gonna work, not on windows, or on linux. If you have a separate firewall, it's not going to be able to decide if it's internet explorer or MYDOOM.EXE requesting outbound access. Also, what is "the normal video port range"? I wasn't aware that outbound had any sort of defined range (other than 1024-65535) either on windows or linux -- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
On 3/21/06, Linda Walsh <suse@tlinx.org> wrote: [...]
It isn't about the relative strengths of security but about real-time interactivity. Linux is poor in real-time, interactive controls and monitoring.
I disagree. If you tail the log file, you can immediately see what is going on in realtime. What I would agree to is that I don't know of any graphical tools that will show this information to you. What would be handy is a tool that parses the log file or listens for notifications and then shows important messages in a display. It should also filter the messages so that you don't get flooded with messages. This is something that can be done relatively easily, but I think the main reason why it has not been done is because the focus of Linux security has been mainly server based, due to the design of the system.
I find the discussion about how the user should or shouldn't be doing things amusing -- i.e. "Dear ex-windows user: um, we don't have the features and abilities you want, so we want to educate you on what you think you should want and give you lots of reasons why what you want doesn't really protect you (which is what we wanted to tell you what you really wanted)." Bleh!
I think you are misunderstanding the thread (or at least my part of the thread). It is not about telling the user that Linux lacks the features, etc, it is about getting the user to focus on the right place. It has no value creating tools that make Linux act like Windows if it is misleading the user in the process. The problem is that the bigger threat on a Linux system is not viruses and spyware trying to get outside access, but crackers trying to get access from outside. So, what is the use of giving a user a nice app that acts like a Windows tool, by reporting all outgoing attempts and by doing so, the newbie is focussing on non-existing viruses, while he/she never realises that they are being hacked to pieces. I suggest to rather educate the user to understand the differences in security issues and introduce the user to the appropriate tools, rather than to give the user a false sense of security. [...]
Some claim it would be "possible to provide the same functionality in *nix". I challenge you to do so with the same constraints on ease of install and control for whatever user is using the desktop. It won't be easy:
You will have to:
1) identify what process is attempting unauthorized access. (remember, the process may be owned by any user -- not just the "logged in user").
Yes, with netstat and ps you can determine which process is using a port and who owns the process.
2) display a high priority popup on the ... well...who? The primary console user's terminal? What if someone is running "Citrix" or logged in via Terminal Services? Who gets the message? In Windows, it is the console user.
Well, the user that has the monitoring tool running. On a server system it would be the Sys Admin and on a normal desktop it would be the owner of the system.
[...] (snipped rest to make mail shorter)
The rest of the comments are mixing single-user scenarios with a server scenario and it is assuming that it is important to know who and what is trying to make outbound connections. First, we need to look at single user/server scenarios.
Single user scenario: let's say we do think it is important to monitor outgoing connections, then it would only make sense to show each user his/her own connection attempts (applications run by the user that try to establish an outside connection). If you start to look at system processes that initiate access then you move into the server arena.
If you run a firewall/gateway/proxy, then you normally don't have a person sitting there authorising access by clicking yes/no on pop-ups. Does a Windows based firewall/gateway do this? I can just imagine the poor firewall administrator at Microsoft having to authorise each user's attempts to access the web or send mail. Imagine how slow the internet access would be. Now, if you look at your server, you configure your firewalls, proxies, etc to allow certain types of access (inside or out). You should in any case not have normal users working on a firewall.
[...]
as part of making the *nix system responsive and robust. You can't provide something as convenient as "ZoneAlarm" on Linux without _alot_ of work and a violation of the *nix system design.
The question is: Why do you want the "ZoneAlarm" functionality on a Linux system? Your problem is not applications trying to access the internet from inside. Your focus areas are access attempts from outside (firewall handles that) and someone breaking into your system and installing a rootkit. (firewall, intrusion detection and checkrootkit) If someone installed a rootkit, then a 'ZoneAlarm' clone will not help much as you can tunnel over port 80 or something. If someone managed to get the level of access to your system to install a rootkit, then they can do basically anything on your system and you are screwed. So, first line of defence is firewall blocking unauthorised access. Second line of defence is intrusion detection, like snort. Then, you can also check for rootkits and unexpected changes in files.
If you create the support structure necessary to support such "automation", including the ability to click on mail attachments like ".pdf" and have them auto-open acrobat, you create the same opportunity for "holes" in *nix as in WinNT bases systems. Do you need more examples?
No, not exactly true. First, a pdf document (or any attachment) will not be executed, so how can it compromise your system? The only way is if there is a vulnerability in acrobat reader or the application you use to open a file with. You cannot 'fool' a *nix system into executing something or opening it with the wrong application by changing the extension, because it looks at the contents of a file to determine its type and the file has to have the executable bit set. Then, if you do manage to get something to execute, it can only do damage to the extent of the privileges of the user running it, which should not allow it to install anything or damage the system, else something is wrong with the user's privileges.
Note -- manual, human-based *logfile review* is _unacceptable_. It is _reactive_, time consuming and error prone. In the one-hour between being mailed "logs", a well qualified hacker could be in, plant a trojan and clean up the logs to remove a trace of their being there. If you have to sleep or go on a vacation for any number of days, you have even less responsiveness to intrusions.
If you want an interactive view of what is going on with your network traffic, you can use ethereal to see in realtime exactly what traffic is going where. There are some other tools available to give you an interactive view on your network activity, but the problem is that you cannot sit and watch all the traffic activity and expect to pick up when someone tries to attack you. You need intrusion detection software like snort to highlight possible attacks. Look at a tool like sguil (http://sguil.sourceforge.net/), it is a graphical user interface to snort and other tools. It gives a realtime view of possible issues. I actually just stumbled onto sguil, but I think it might be exactly the tool that you need. It is in my opinion the 'ZoneAlarm' for *nix. PS: I found another GUI: Razorback (http://www.intersectalliance.com/projects/RazorBack/) -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~
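Andre's point that netstat and ps will tell you which process sits behind a port and who owns it is the answer to Linda's item 1). What those tools actually do is read /proc/net/tcp and walk /proc/PID/fd looking for the socket inode; the script below does the same by hand, so the reader can see where the uid and pid come from and why the pid step needs root for other users' daemons. It is an added example, not code from this thread or from any of the tools named in it; the /proc/net/tcp snapshot it parses is constructed, and the inode and uid values in it (12345, 67890, 1000) are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: map a local TCP port to its socket
# inode, the owning uid and (where /proc is readable) the pid, the way
# `netstat -tnp` does. /proc/net/tcp columns:
#   sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode ...
# Addresses and ports are hex; state 0A is LISTEN, 01 is ESTABLISHED.

# tcp_socket_for_port PORT [FILE] -> "INODE UID STATE" for the first socket
# whose local port is PORT in FILE (default /proc/net/tcp); nothing if none.
tcp_socket_for_port() {
    port=$1
    file=${2:-/proc/net/tcp}
    hexport=$(printf '%04X' "$port")
    awk -v hp="$hexport" 'NR > 1 {
        split($2, a, ":")
        if (a[2] == hp) { print $10, $8, $4; exit }
    }' "$file"
}

# pid_for_inode INODE -> pid whose fd table holds socket:[INODE].
# Reading another user's /proc/PID/fd needs root, which is why "who owns
# that system daemon's connection" is an admin question, not a user one.
pid_for_inode() {
    inode=$1
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ]; then
            printf '%s\n' "$fd" | cut -d/ -f3
            return 0
        fi
    done
    return 1
}

# uid_to_name UID -> login name from /etc/passwd (falls back to the number).
uid_to_name() {
    name=$(awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd 2>/dev/null)
    printf '%s\n' "${name:-$1}"
}

# make_sample_tcp -> path of a constructed /proc/net/tcp snapshot for offline
# use: a root-owned listener on 22 (LISTEN) and a uid 1000 client connection
# from local port 50000 to 3128, the squid proxy port mentioned in the thread.
make_sample_tcp() {
    f=${TMPDIR:-/tmp}/sample_proc_net_tcp.$$
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0
   1: 0100007F:C350 0100007F:0C38 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 00000000 20 4 30 10 -1
EOF
    printf '%s\n' "$f"
}

# Walk-through on the constructed snapshot (replace "$sample" with nothing
# to query the live /proc/net/tcp instead).
sample=$(make_sample_tcp)
set -- $(tcp_socket_for_port 22 "$sample")
echo "port 22: inode $1, owner $(uid_to_name "$2"), state $3"        # 12345 root 0A
set -- $(tcp_socket_for_port 50000 "$sample")
echo "port 50000: inode $1, owner uid $2, state $3"                   # 67890 1000 01
rm -f "$sample"
```

Against the live table, `pid_for_inode` on the inode returned for a port gives the pid to feed to `ps -o user=,comm= -p PID`; the uid column of /proc/net/tcp is available without root and already answers "whose process is this" for the ownership question raised above.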
Andre Truter wrote:
On 3/21/06, Linda Walsh <suse@tlinx.org> wrote: [...]
It isn't about the relative strengths of security but about real-time interactivity. Linux is poor in real-time, interactive controls and monitoring.
I disagree. If you tail the log file, you can immediately see what is going on in realtime.
Not really. The log is _retrospective_. It tells you what just happened, and it doesn't pop up with an interactive message telling you something has happened "out of the ordinary". Zone alarm (and the ilk) tells you what _is_ happening -- allows you to decide what to permit *before* letting it happen, then allows the operation to proceed. With log files, the system already made a decision about what to do, and you are seeing what decision it made "seconds ago" (to borrow from Data's perspective, "an eternity in computer time...").
What I would agree to is that I don't know of any graphical tools that will show this information to you.
What would be handy is a tool that parses the log file or listens for notifications and then shows important messages in a display. It should also filter the messages so that you don't get flooded with messages.
---- Again...all retrospective. I don't want to know what happened. I might want my firewall to stop traffic that is out of the ordinary -- not deny it, but pause it, and let me decide what to do. By default, if I'm not there to decide, the network request will time out.
This is something that can be done relatively easily, but I think the main reason why it has not been done is because the focus of Linux security has been mainly server based, due to the design of the system.
The real-time aspect isn't relatively easy. When something happens at the network layer, there is no tracking to know what program running by what user "instigated" the network traffic.
I find the discussion about how the user should or shouldn't be doing things amusing -- i.e. "Dear ex-windows user: um, we don't have the features and abilities you want, so we want to educate you on what you think you should want and give you lots of reasons why what you want doesn't really protect you (which is what we wanted to tell you what you really wanted)." Bleh!
I think you are misunderstanding the thread (or at least my part of the thread). It is not about telling the user that Linux lacks the features, etc, it is about getting the user to focus on the right place.
I have secure systems setup with both Windows and Linux. I don't think it is out of place to want a real-time decision capacity on my linux-based personal computer.
It has no value creating tools that make Linux act like Windows if it is misleading the user in the process. The problem is that the bigger threat on a Linux system is not viruses and spyware trying to get outside access, but crackers trying to get access from outside.
That's no more of a problem on linux than on Windows. It's just that with automation, Windows has more ways to "trick" user applications to open doors for outside crackers.
So, what is the use of giving a user a nice app that acts like a Windows tool, by reporting all outgoing attempts and by doing so, the newbie is focussing on non-existing viruses, while he/she never realises that they are being hacked to pieces.
ZoneAlarm in the firewall defense isn't about viruses. It is about permitting network traffic, either in or out. Making sure no processes are going "out" w/o permission in no way negates ZA's inbound firewall with the same real-time, interactive capabilities. In realtime I can see if someone is pounding my system, or I can see in real time that my printer is sending out network "advertisements" on my local net. I can choose to deny one and allow the other -- as they happen -- not by looking at a log file later. And, I'm sorry -- doing a "tail -f" of a log file is a very poor interactive defense mechanism. One blink and a burst will have things scrolling off the screen. By the time I figure out if the burst was important, it is way after the fact.
Yes, with netstat and ps you can determine which process is using a port and who owns the process.
--- ??? I don't think so -- only if the network connection is persistent. If it is a UDP packet? There is nothing to look at in those real-time tools. Even if they replot once/second, you can't see the application, ports and addresses of the 100-1000 packets that can come in during 1 second. The event of interest is *over* by the time you bring up ps or netstat -- even if you have netstat running repeatedly in a TTY window (assuming you have screen real-estate to keep such things open while you are watching a movie). With the WinXP method -- the security popup comes up on top of the movie. It demands instant attention *before* it allows the action to complete.
If you start to look at system processes that initiate access then you move into the server arena.
Eh? I'm a single user of my system. My "server" system (which just serves me), right now has 97 processes running -- only 13 under my userid. The computer is just serving me. Even on my WinXP laptop, only 15 out of 27 processes are "owned" by me. On Windows, more things are handled in threads than in separate processes, under threads, only 79 out of 289 belong to me. This isn't a server.
If you run a firewall/gateway/proxy, then you normally don't have a person sitting there authorising access by clicking yes/no on pop-ups. Does a Windows based firewall/gateway do this?
--- YES, you do (on a windows workstation) Zonealarm is a firewall. It pops up a question dialog for any traffic not explicitly permitted (when properly configured).
I can just imagine the poor firewall administrator at Microsoft having to authorise each user's attempts to access the web or send mail. Imagine how slow the internet access would be.
I'm the only one on my system. There is no other "administrator". It pops up questions to me when I am at the console.
The question is: Why do you want the "ZoneAlarm" functionality on a Linux system? Your problem is not applications trying to access the internet from inside.
Naw...rootkits never happen on linux. Zonealarm protects against *both* incoming and outgoing.
Your focus areas are access attempts from outside (firewall handles that) and someone breaking into your system and installing a rootkit. (firewall, intrusion detection and chkrootkit)
Mostly retrospective. Many breakins in the real world happen because of some "anomalous" traffic going *out* from the system.
If someone installed a rootkit, then a 'ZoneAlarm' clone will not help much as you can tunnel over port 80 or something. If someone managed to get the level of access to your system to install a rootkit, then they can do basically anything on your system and you are screwed.
If they thought of everything. Not a lot of pieces of malware, for example, bother to detect proxies.
So, first line of defence is firewall blocking unauthorised access. Zonealarm does that. Second line of defence is intrusion detection, like snort. Then, you can also check for rootkits and unexpected changes in files.
Retrospective and easily fooled.
No, not exactly true. First, a pdf document (or any attachment) will not be executed, so how can it compromise your system? The only way is if there is a vulnerability in acrobat reader or the application you use to open a file with.
Bingo! pdf's, postscript files, even jpg's have had exploits in them that exploited standard applications on the inside.
If you want an interactive view of what is going on with your network traffic, you can use ethereal to see in realtime exactly what traffic is going where.
I want something that pops up a notice anytime any non-permitted program attempts any action that is out of the ordinary. If my "C" compiler attempts to open "/etc/passwd" with write access, or "/etc/shadow" with _any_ permission, I'd like to see that pop up in real time -- not wait for a log review sometime later when the log in question may have been tampered with or deleted.
There are some other tools available to give you an interactive view on your network activity, but the problem is that you cannot sit and watch all the traffic activity and expect to pick up when someone tries to attack you.
On Windows, you don't need that -- it only shows you the exceptions, and blocks any traffic, in or out, that isn't explicitly permitted. On my system, for example, no browser (IE, firefox, opera) is able to run javascript or java from any site, unless I have explicitly permitted that site through my web-filter. I don't have to worry about visiting some random website that will exploit the latest java[script] or activeX bug -- they are all blocked. If I wished to configure it, each time my "firewall" detected incoming javascript from a website, it could pop up a question to ask if I wished to let the javascript through (using a previously built-up "whitelist" of previously approved websites). Barring corruption of "trusted websites", I don't have to worry about downloading trojan script-code. I don't have to run an "intrusion [virus] detection program". It doesn't get that far. Because I can block all network access in or out of my machine on my Windows box, I feel it is more secure than my linux box -- because on linux, something could have snuck in via a corrupt binary or downloaded patch and I wouldn't know about it for days or longer depending on how well the evidence was buried in a log file. The main reason windows has more security problems than linux is because the defaults on windows-applications are designed for ease of use *over* security. It is often a trade-off. But linux provides *SO MUCH* logging about everything, that it's hard to sort through _everything_ to see what is important. At the very least, custom scripts and filtering are required and that right there puts it beyond most users (like my mom, etc...). linda
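Andre's suggestion above (a tool that parses the firewall log and filters it so a burst doesn't flood the display) in working form, as an added example that is not code from anyone in this thread. It assumes the SuSEfirewall2 kernel log prefix (SFW2-chain-action-rule, followed by the iptables key=value fields); the log lines in it are constructed samples.

```python
"""Summarise SuSEfirewall2 log lines so a burst of dropped packets becomes
one line instead of hundreds scrolling off the screen.
Added example for this thread, not a tool from the original posts. Assumes
the SuSEfirewall2 kernel log prefix SFW2-<chain>-<action>[-<rule>] followed
by iptables key=value fields; the log lines below are constructed samples."""
import re
import sys
from collections import defaultdict

SFW2_RE = re.compile(
    r'SFW2-(?P<chain>[A-Za-z]+)-(?P<action>[A-Z]+)(?:-(?P<rule>\S+))?\s+(?P<fields>.*)')

# Constructed sample: a SYN burst against port 445, one dropped UDP/631 packet
# (a printer announcing itself), one accepted ssh connection, one unrelated line.
SAMPLE_LOG = """\
Mar 22 10:15:01 tux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=192.0.2.55 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=1001 DF PROTO=TCP SPT=3456 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 22 10:15:01 tux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=192.0.2.55 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=1002 DF PROTO=TCP SPT=3457 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 22 10:15:01 tux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=192.0.2.55 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=1003 DF PROTO=TCP SPT=3458 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 22 10:15:02 tux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.10 DST=192.0.2.55 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=1004 DF PROTO=TCP SPT=3459 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 22 10:15:02 tux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=198.51.100.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=58
Mar 22 10:15:03 tux kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.0.2.20 DST=192.0.2.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 22 10:15:04 tux sshd[1234]: Accepted publickey for linda from 192.0.2.20 port 51000 ssh2
"""


def parse_line(line):
    """Return a dict for one SFW2 line (chain, action, rule, key=value fields,
    bare flags such as DF/SYN), or None for a line the firewall did not write."""
    m = SFW2_RE.search(line)
    if not m:
        return None
    rec = {'chain': m.group('chain'), 'action': m.group('action'),
           'rule': m.group('rule'), 'flags': []}
    for tok in m.group('fields').split():
        if '=' in tok:
            k, v = tok.split('=', 1)   # OUT= has an empty value; keep it
            rec[k] = v
        else:
            rec['flags'].append(tok)   # DF, SYN, ACK ... carry no '='
    return rec


def summarize(lines, burst_threshold=10):
    """Count packets per (action, SRC, PROTO, DPT), busiest group first, and
    mark groups at or above burst_threshold so one line stands in for the burst."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            key = (rec['action'], rec.get('SRC', '?'), rec.get('PROTO', '?'), rec.get('DPT', '-'))
            counts[key] += 1
    return [{'action': a, 'src': s, 'proto': p, 'dpt': d, 'count': n,
             'burst': n >= burst_threshold}
            for (a, s, p, d), n in sorted(counts.items(), key=lambda kv: -kv[1])]


def format_summary(summary):
    """One human-readable line per group."""
    return [f"{'BURST ' if s['burst'] else ''}{s['action']} {s['count']:>5} pkt "
            f"{s['proto']} from {s['src']} to port {s['dpt']}" for s in summary]


if __name__ == '__main__':
    # Pass a log file path (e.g. /var/log/firewall) or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print('\n'.join(format_summary(summarize(lines, burst_threshold=3))))
```

With the sample, the four SYN drops from 192.0.2.10 collapse into one BURST line, and the printer's UDP announcement and the accepted ssh connection each get a line of their own.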
On 3/22/06, Linda Walsh <suse@tlinx.org> wrote:
On my system, for example, no browser (IE, firefox, opera) is able to run javascript or java from any site, unless I have explictly permitted that site through my web-filter. I don't have to worry about visiting some random website that will exploit the latest java[script] or activeX bug -- they are all blocked.
OK, Linux doesn't have things like ActiveX, and Javascript can be controlled with the different browsers themselves. FireFox lets you enable or disable javascript and you can tell it to only allow javascript from certain sites.
If I wished to configure it, each time my "firewall" detected incoming javascript from a website, it could pop up a question to ask if I wished to let
How does a firewall detect incoming javascript? I suppose the only way to do this is to inspect each HTML file passing through and look for the javascript headers. AFAIK, IPCop has a plugin that allows things like that.
the javascript through (using a previously built-up "whitelist" of previously approved websites). Barring corruption of "trusted websites", I don't have to worry about downloading trojan script-code.
Firefox does this on Linux.
I don't have to run an "intrusion [virus] detection program". It doesn't get that far.
Ummm.. Intrusion Detection systems have nothing to do with viruses. Intrusion detection systems monitor incoming connections and prevent and warn of possible break-in attempts. (where the real threat is on linux) Go and read up on snort, it seems to be exactly what you need.
Because I can block all network access in or out of my machine on my Windows box, I feel it is more secure than my linux box -- because on linux, something could have snuck-in via a corrupt binary or downloaded patch and I wouldn't know about it for days or longer depending on how well the evidence was buried in a log file.
First: You can set up your linux firewall to also block both incoming and outgoing traffic. In fact, I can set up my Linux firewall in such a way that my network connection becomes totally ineffective. It is as if the network card does not work at all. No traffic flowing. Secondly: How can something sneak in via a corrupt binary via a firewall? You have to download it and install it. How does ZoneAlarm protect you against that? On Linux you have tools like chkrootkit, etc that inspect every file on your system and immediately let you know if the file was tampered with. AppArmor is also a tool that will let you know immediately if files are accessed without permission. It prevents the access and then notifies you. So it is pro-active.
The main reason windows has more security problems than linux is because the defaults on windows-applications are designed for ease of use *over* security. It is often a trade-off. But linux provides *SO MUCH* logging about everything, that it's hard to sort through _everything_ to see what is important. At the very least, custom scripts and filtering are required and that right there puts it beyond most users (like my mom, etc...).
Well, the idea is that the normal user should not need to worry about security. Linux has been designed in such a way that it looks after itself. You don't need to monitor the security systems. But, I think you need to have a look at sguil and snort, as that is basically what you want. It will notify you immediately of any suspect activity on your ports. It does not read log files, it acts the moment the activity is happening on the port, so it is rather pro-active than re-active.
On Wednesday 22 March 2006 02:25, Andre Truter wrote:
But, I think you need to have a look at sguil and snort, as that is basically what you want.
No, I think what Linda wants is a way for her to be able to justify downloading and running whatever executable she finds on the net, on the basis of "ZoneAlarm will tell me if it's something bad"
It will notify you immediately of any suspect activity on your ports. It does not read log files, it acts the moment the activity is happening on the port, so it is rather pro-active than re-active.
Proactive means doing something before the fact to prevent its happening in the first place. In this case, it means having a sane configuration. There are two scenarios, server and desktop. When you run servers listening on incoming connections from the internet, you need to let that happen in your packet filter, or you will very quickly get bored. Interactive approval of packets is simply not an option. Security here is complex, multilayered, and does not allow easy solutions a la ZoneAlarm. The second scenario is the desktop. Here you normally don't have things listening on the internet, which means the only attack vector is the software you yourself run. As long as you don't run garbage you find just anywhere on the net, you should be reasonably safe here, but caution is the best guard. Far better than having ZoneAlarm pop up to tell you "you have been infected by something, you better reinstall your system." Be careful with what you install and run -- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
Andre Truter wrote:
OK, Linux don't have things like ActiveX and Javascript can be controlled with the different browsers themselves.
That's the point -- those technologies aren't built into the window manager on Linux. If you ported "Explorer" to Linux, "Linux" could be infected with the same viruses as Windows. It's the desktop and the automated MS applications that allow virii in.
FireFox lets you enable or disable javascript and you can tell it to only allow javascript from certain sites.
FF is an agnostic technology. It functions the same on Windows as on Linux. You are making my point. Choose better applications on Windows and you'll reduce your security-liability footprint.
How does a firewall detect incoming javascript?
Many firewall products have this feature. A firewall product sits on the boundary between "out there" and your system. In order for HTTP protocol to be passed "in", it has to go through a firewall. The Firewall simply does "deep inspection". Hardware firewall products (Juniper, et al) have this feature. So do some software firewall products.
the javascript through (using a previously built-up "whitelist" of previously approved websites). Barring corruption of "trusted websites", I don't have to worry about downloading trojan script-code.
Firefox does this on Linux.
Firefox does this. Period. It does it on Windows as well. One of the easier ways of reducing your security profile on Windows: switch to FireFox and T-bird. Neither has to do with the underlying security of the OS.
I don't have to run an
"intrusion [virus] detection program". It doesn't get that far.
Ummm.. Intrusion Detection systems have nothing to do with viruses.
---- That's where you are mistaken. I listed virus in brackets because that's what a virus is -- it is an intrusion of an outside program that has been run in some "privileged" mode such that it has installed portions of itself behind for _possible_ purposes of spreading, or just "owning" the machine. Both intrusion and virus detection software look for signs of altered or corrupt software retrospectively. Good intrusion detection software looks for signatures of known root-kits and infection vectors. About the only thing "virus" detection has over I.D. is "on-access" scanning -- which is a bit like russian roulette. You hope your virus scanner is up-to-date enough to catch some number of known signatures. On Linux -- people tend more to rely on trusted software sources and gpg-signed binaries. But in both cases "intrusion detection" or virus detection, the scanners scan retrospectively for
Intrusion detection systems monitor incoming connections and prevent and warn of possible break-in attempts. (where the real threat is on linux)
How many systems are "owned" linux vs. windows? I'd suggest the total is higher for windows. What's the difference in the intrusion detection you are talking about? You are referring to the singular case where someone is actually behind 1 specific attack on your system instead of it being one of a thousand automatic attack vectors. It makes much more sense for an "intruder-wanna-be" to use multiple viruses and launch 10's - 100's of thousands automated attacks. It's not profitable to waste time attacking 1 system unless you have some specific objective. It's far easier just looking for "easy pickings" -- people who have left their doors "unlocked".
Go and read up on snort, it seems to be exactly what you need. Am already familiar w/it.
Because I can block all network access in or out of my machine on my Windows box, I feel it is more secure than my linux box -- because on linux, something could have snuck-in via a corrupt binary or downloaded patch and I wouldn't know about it for days or longer depending on how well the evidence was buried in a log file.
First: You can set up your linux firewall to also block both incoming and outgoing traffic. In fact, I can set up my Linux firewall in such a way that my network connection becomes totally ineffective. It is as if the network card does not work at all. No traffic flowing.
Cement-Pro also protects your system. You encase your system in 6-feet of cement. Nothing gets in or out. What's your point?
Secondly: How can something sneak in via a corrupt binary via a firewall? You have to download it and install it. How does ZoneAlarm protect you against that?
Same way as on Linux -- if you download a corrupt binary, you lose. If you run a pre-built RPM or binary on Linux you can suffer the same problems as on Windows. Your linux system will be compromised faster since there are almost no linux-virus detectors for downloaded binaries (RPMs). By a feature of the RPM system -- if you install an RPM, you've already used root, so any software you've installed has complete control over your system.
On Linux you have tools like chkrootkit, etc that inspect every file on your system and immediately let you know if the file was tampered with.
Is it "on-access"? I don't think so. When you install, it uses "HTTP" to go out onto the net to download instructions -- does a linux system detect what applications are accessing HTTP and to what target system? An application like ZoneAlarm will tell you in real-time -- as soon as outside communication is attempted, that program "address book" is trying to use HTTP to contact "owned-systems.ru". On Linux, you may see an outgoing http log entry to owned-systems.ru, but are you going to know what program accessed it? That information generally isn't in my squid-log. If it is, it's too late -- the access has happened. With the "zone-alarm", the idea is that anytime a program on your "internal computer zone" attempts to cross onto the "internet zone", you get a real-time alarm and get to decide if it is allowed or not based on program name, and destination. In linux firewall rules, you have the destination, but do you have the source program or filename available so you can tell what program is trying to go out on HTTP?
AppArmor is also a tool that will let you know immediately if files are accessed without permission. It prevents the access and then notifies you. So it is pro-active.
How does it detect access? Signatures? Are they checked before every execution? Windows NT has this capability built-in. You can set up the default on Windows to deny every unregistered binary. Only binaries in known system locations can be set up to be allowed execution. If you copy a system binary to an unknown location and try to execute it, it will fail. This is already built-in to WinXP but is rarely used that way. I don't know of any Linux distro that ships with such capabilities built-in and enforced by the OS.
The main reason windows has more security problems than linux is because the defaults on windows-applications are designed for ease of use *over* security. It is often a trade-off. But linux provides *SO MUCH* logging about everything, that it's hard to sort through _everything_ to see what is important. At the very least, custom scripts and filtering are required and that right there puts it beyond most users (like my mom, etc...).
Well, the idea is that the normal user should not need to worry about security. Linux has been designed in such a way that it looks after itself. You don't need to monitor the security systems.
That's what you want to believe -- Linux doesn't provide a real-time alarm system like zone-alarm that pops up graphically to tell the user about each network access. All it provides are log files that let you examine things after the fact. How is that more secure?
But, I think you need to have a look at sguil and snort, as that is basically what you want. It will notify you immediately of any suspect activity on your ports.
How will you know it is suspect if it is going out on HTTP or SMTP? Do they permit access based on program and target machine? I'm not familiar with "Sguil".
It does not read log files, it acts the moment the activity is happening on the port, so it is rather pro-active than re-active.
If true, then great! You solved the original poster's problem -- it can pop up a graphical UI and ask the user if the traffic is permitted if it doesn't already fall into a permitted class. That's what they wanted -- something that popped up in real time any time traffic not explicitly permitted happened. Perhaps you can instruct the original post on how that works. Personally, I haven't seen that on Linux, but if you have a solution, great! Let's hear it. :-). linda
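Linda's question above (does a Linux box know which program, run by which user, is behind a given connection, or only the destination in the firewall rules) answered from /proc, as an added example that is not code from anyone in this thread. It assumes the Linux /proc/net/tcp and /proc/<pid>/fd layout; the parser is fed a constructed sample so it can be checked without root.

```python
"""Attribute sockets to the process and user that own them, from /proc alone.
Added example for this thread, not code from any poster. Assumes the Linux
/proc/net/tcp{,6} and /proc/<pid>/fd layout; SAMPLE_PROC_NET_TCP below is
constructed so the parser can be exercised without a live system or root."""
import os
import socket
import struct

# Socket states as /proc/net/tcp encodes them (include/net/tcp_states.h)
TCP_STATES = {'01': 'ESTABLISHED', '02': 'SYN_SENT', '03': 'SYN_RECV',
              '04': 'FIN_WAIT1', '05': 'FIN_WAIT2', '06': 'TIME_WAIT',
              '07': 'CLOSE', '08': 'CLOSE_WAIT', '09': 'LAST_ACK',
              '0A': 'LISTEN', '0B': 'CLOSING'}

# Constructed sample in /proc/net/tcp format: a CUPS listener owned by root and
# one established HTTP connection belonging to uid 1000 (socket inode 67890).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A02000A:C35A 0702000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def hex_addr(s):
    """Decode the kernel's 'HEXIP:HEXPORT' form. IPv4 is one little-endian
    32-bit word, IPv6 four of them; the port is plain big-endian hex."""
    ip_hex, port_hex = s.split(':')
    if len(ip_hex) == 8:
        ip = socket.inet_ntoa(struct.pack('<I', int(ip_hex, 16)))
    else:
        raw = b''.join(struct.pack('<I', int(ip_hex[i:i + 8], 16)) for i in range(0, 32, 8))
        ip = socket.inet_ntop(socket.AF_INET6, raw)
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Rows of /proc/net/tcp as dicts with readable addresses, state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:        # first line is the column header
        parts = line.split()
        if len(parts) < 10:
            continue
        rows.append({'local': hex_addr(parts[1]), 'remote': hex_addr(parts[2]),
                     'state': TCP_STATES.get(parts[3], parts[3]),
                     'uid': int(parts[7]), 'inode': int(parts[9])})
    return rows


def socket_owners():
    """Map socket inode -> (pid, exe) by reading every /proc/<pid>/fd symlink.
    Without root you only see your own processes; the rest stay unattributed."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir('/proc')):
        try:
            fds = os.listdir(f'/proc/{pid}/fd')
        except OSError:                        # other user's process, or it exited
            continue
        for fd in fds:
            try:
                target = os.readlink(f'/proc/{pid}/fd/{fd}')
            except OSError:
                continue
            if target.startswith('socket:['):  # looks like socket:[67890]
                try:
                    exe = os.readlink(f'/proc/{pid}/exe')
                except OSError:
                    exe = '?'
                owners[int(target[8:-1])] = (int(pid), exe)
    return owners


def attribute(rows, owners):
    """Join socket rows with their owning process; unknown owners stay visible
    rather than being silently dropped."""
    out = []
    for r in rows:
        pid, exe = owners.get(r['inode'], (None, 'unattributed (other user or kernel-owned)'))
        out.append({**r, 'pid': pid, 'exe': exe})
    return out


if __name__ == '__main__':
    with open('/proc/net/tcp') as f:
        live = parse_proc_net_tcp(f.read())
    for r in attribute(live, socket_owners()):
        print(f"{r['state']:<12} {r['local'][0]}:{r['local'][1]} -> "
              f"{r['remote'][0]}:{r['remote'][1]} uid={r['uid']} pid={r['pid']} {r['exe']}")
```

Run as root to attribute every socket; this is the same inode join that netstat -p and lsof -i perform, and it still answers only "who owns it now", not "who opened it a second ago".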
On 22/03/06, Linda Walsh <suse@tlinx.org> wrote:
Andre Truter wrote:
OK, Linux don't have things like ActiveX and Javascript can be controlled with the different browsers themselves.
That's the point -- those technologies aren't built into the window manager on Linux. If you ported "Explorer" to Linux, "Linux" could be infected with the same viruses as Windows. It's the desktop and the automated MS applications that allow virii in.
???? No, Linux cannot be infected with the same viruses (virii if you prefer) as Microsoft operating systems can be. There are some viruses that only affect certain versions of Windows too. A virus could infect Internet Explorer only if it was running in WINE. Once WINE was closed the virus would have nowhere to live/hide. On a Windows system the virus hides away in whatever files the virus writer has chosen. Those files do not exist in the same manner on a Linux system. Or have I been told wrong all these many times? -- ============================================== I am only human, please forgive me if I make a mistake it is not deliberate. ============================================== Xmas may be over but, PLEASE DON'T drink and drive you'll make it to the next one that way. Kevan Farmer Linux user #373362 Cheslyn Hay Staffordshire WS6 7HR
On 3/22/06, Kevanf1 <kevanf1@gmail.com> wrote:
???? No, Linux cannot be infected with the same viruses (virii if you prefer) as Microsoft operating systems can be. There are some viruses that only affect certain versions of Windows too. A virus could infect Internet Explorer only if it was running in WINE. Once WINE was closed the virus would have nowhere to live/hide. On a Windows system the virus hides away in whatever files the virus writer has chosen. Those files do not exist in the same manner on a Linux system.
Or have I been told wrong all these many times?
Nope, here is an article about a guy that tried really hard to get his Linux box infected http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss
On 22/03/06, Andre Truter <andre.truter@gmail.com> wrote:
On 3/22/06, Kevanf1 <kevanf1@gmail.com> wrote:
???? No, Linux cannot be infected with the same viruses (virii if you prefer) as Microsoft operating systems can be. There are some viruses that only affect certain versions of Windows too. A virus could infect Internet Explorer only if it was running in WINE. Once WINE was closed the virus would have nowhere to live/hide. On a Windows system the virus hides away in whatever files the virus writer has chosen. Those files do not exist in the same manner on a Linux system.
Or have I been told wrong all these many times?
Nope, here is an article about a guy that tried really hard to get his Linux box infected
http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss
Thank you Andre, for a while there I thought I was going totally loopy. At least I am learning something from all these technical websites and books I read :-)
On 3/22/06, Linda Walsh <suse@tlinx.org> wrote:
Andre Truter wrote:
OK, Linux don't have things like ActiveX and Javascript can be controlled with the different browsers themselves.
That's the point -- those technologies aren't built into the window manager on Linux. If you ported "Explorer" to Linux, "Linux" could be infected with the same viruses as Windows. It's the desktop and the automated MS applications that allow virii in.
Nope, that is wrong. There have been people that have actively tried to install Windows viruses on Linux and the best that a virus could do on Linux was to delete a few of the user's files. It could not survive for long and it could not propagate itself. Due to the design of the system, Linux is a very unfriendly environment for a virus.
FireFox lets you enable or disable javascript and you can tell it to only allow javascript from certain sites.
FF is an agnostic technology. It functions the same on Windows as on Linux. You are making my point. Choose better applications on Windows and you'll reduce your security-liability footprint.
Yes, exactly. You said that ZoneAlarm does this, so I said that you can use FF on Linux to get the same functionality. I know FF does this on Windows too.
How does a firewall detect incoming javascript?
Many firewall products have this feature. A firewall product sits on the boundary between "out there" and your system. In order for HTTP protocol to be passed "in", it has to go through a firewall. The Firewall simply does "deep inspection". Hardware firewall products (Juniper, et al) have this feature. So do some software firewall products.
Is this not exactly what I said when I mentioned the IPCop plugin?
Ummm.. Intrusion Detection systems have nothing to do with viruses.
---- That's where you are mistaken. I listed virus in brackets because that's what a virus is -- it is an intrusion of an outside program that has been run in some "privileged" mode such that it has installed portions of itself behind for _possible_ purposes of spreading, or just "owning" the machine. Both intrusion and virus detection software look for signs of altered or corrupt software retrospectively. Good intrusion detection software looks for signatures of known root-kits and infection vectors.
No, Intrusion detection systems monitor incoming traffic and react to malicious attacks on your ports. It does not check files for signatures, that is what anti-virus does and anti-rootkits. Checking the files for viruses is after the fact. An intrusion detection system prevents anything from reaching your system.
--- How many systems are "owned" linux vs. windows? I'd suggest the total is higher for windows. What's the difference in the intrusion detection you are talking about? You are referring to the singular case where someone is actually behind 1 specific attack on your system instead of it being one of a thousand automatic attack vectors. It makes much more sense for an "intruder-wanna-be" to use multiple viruses and launch 10's - 100's of thousands automated attacks. It's not profitable to waste time attacking 1 system unless you have some specific objective. It's far easier just looking for "easy pickings" -- people who have left their doors "unlocked".
I don't really get your point here. I don't know of a single Linux system that has been infected by a virus (that the user did not install on purpose). Linux systems get "owned" by people exploiting vulnerabilities on a machine that has the vulnerable software listening on an open port. The other way is to physically gain access to the machine, or to convince the root user to install compromised software. In the last two cases you are dealing with social engineering and something like AppArmor can protect you there. In the first case, your firewall and IDS can protect you. In neither of the cases is there any use in having a system that tells you that an application tries to access the internet. If you get to that point, you are already screwed. You should use your firewall and AppArmor to make sure you don't get to that point.
---- Cement-Pro also protects your system. You encase your system in 6-feet of cement. Nothing gets in or out. What's your point?
My point is that if you are worried about a compromised application on your Linux system trying to "phone home", then set up your Linux Firewall to block outgoing traffic too.
--- Same way as on Linux -- if you download a corrupt binary, you lose. If you run a pre-built RPM or binary on Linux you can suffer the same problems as on Windows. Your linux system will be compromised faster since there are almost no linux-virus detectors for downloaded binaries (RPMs). By a feature of the RPM system -- if you install an RPM, you've already used root, so any software you've installed has complete control over your system.
That is why you have gpg signature checking built into your package managers. They act as anti-virus software. All built in.
On Linux you have tools like chkrootkit, etc. that inspect every file on your system and immediately let you know if the file was tampered with.
Is it "on-access"? I don't think so. When you install, it uses "HTTP" to go out onto the net to download instructions -- does a linux system detect what applications are accessing HTTP and to what target system? An application like ZoneAlarm will tell you in real-time -- as soon as outside communication is attempted, that program "address book" is trying to use HTTP to contact "owned-systems.ru".
But is it not too late then? That means that you have already been compromised. The idea on Linux is to prevent that situation, not sit and wait until it happens and then it can proudly inform you that you have been owned.
AppArmor is also a tool that will let you know immediately if files are accessed without permission. It prevents the access and then notifies you. So it is proactive.
How does it detect access? Signatures? Are they checked before every execution?
You set up your AppArmor to allow a user access to certain files.
built-in to WinXP but is rarely used that way. I don't know of any Linux distro that ships with such capabilities built-in and enforced by the OS.
AFAIK, SELinux enforces it.
Well, the idea is that the normal user should not need to worry about security. Linux has been designed in such a way that it looks after itself. You don't need to monitor the security systems.
---- That's what you want to believe -- Linux doesn't provide a real-time alarm system like ZoneAlarm that pops up graphically to tell the user about each network access. All it provides are log files that let you examine things after the fact. How is that more secure?
Again, you are looking at this from the wrong side. Tools like ZoneAlarm will inform you that you have already been infected, while Linux security systems prevent you from being infected in the first place. I would rather spend more time and energy on preventing being owned than on being informed that I have been owned.
Perhaps you can instruct the original poster on how that works. Personally, I haven't seen that on Linux, but if you have a solution, great! Let's hear it. :-).
I have provided the link; all the documentation and software is there. My point is still that people coming from a Windows background treat Linux security from the wrong end. The functionality of ZoneAlarm that the original OP wanted is useless on Linux, as it only informs you that you HAVE ALREADY been compromised. If you get to that stage, you can just as well format your disk and re-install, as you are screwed. I suggest that the OP should rather look at the tools that PREVENT a system from being owned. Those tools are a firewall, IDS, AppArmor, etc. If you want to know if you have already been owned then you can use tripwire and chkrootkit. A system like ZoneAlarm will not have any effect if you have been compromised, as the attacker initiates the connection from outside and compromises an application that normally does have net access (how else will they get to the app if it is not listening on a socket?). These are applications like sendmail, telnet, apache, ssh, etc. So, let's look at a situation: You have your Linux system with the newly ported ZoneAlarm running, and it tells you that sendmail wants to access the net. So you say OK, as you want your mail to be sent. Now the attacker compromises sendmail and they are happily using sendmail to do all kinds of nasty stuff. How will ZoneAlarm protect you? Sendmail is supposed to access the net. See my point? You should catch the guy before he gets to sendmail and that is what a firewall and IDS are for. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~
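Andre's advice above is to block outgoing traffic on the Linux firewall and rely on the logs; the objection raised elsewhere in the thread is that a kernel log entry does not say which application made the request. The following is an added example, not code from the thread, from SUSE or from ZoneAlarm, showing how far plain iptables gets you on that point: a default-deny OUTPUT chain with a port allow-list (one port tied to a single local user via the owner match), a LOG rule using --log-uid so the kernel records the sending UID, and a parser that turns the resulting /var/log/messages lines into "user X tried host:port N times". The interface name, the allow-list, the local user named mail and the SAMPLE_LOG lines are all constructed assumptions.

```python
"""Egress firewall with attribution (added example, not code from the thread).

egress_rules() emits an iptables-restore ruleset for the filter table:
default-deny OUTPUT, an allow-list of destination ports (optionally tied to
one local user with the owner match), and a LOG rule with --log-uid so the
kernel records the UID of the process that sent each rejected packet.
parse_drop_log() and summarize() then turn those kernel log lines into
"user X tried to reach host:port N times".

Assumptions (all constructed for illustration): interface eth0, the port
allow-list, a local user named 'mail', and the SAMPLE_LOG lines.
"""
import pwd
import re
from collections import namedtuple

Attempt = namedtuple("Attempt", "uid proto dst dport")

# destination port -> local user allowed to open it (None = any user).
# Tying port 25 to the 'mail' user means a compromised browser or PDF viewer
# cannot speak SMTP even though the MTA still can (assumption: MTA runs as 'mail').
ALLOWED_TCP = {22: None, 53: None, 80: None, 443: None, 25: "mail"}
ALLOWED_UDP = {53: None, 123: None}


def egress_rules(iface="eth0", allowed_tcp=ALLOWED_TCP, allowed_udp=ALLOWED_UDP):
    """Return the filter table as iptables-restore input (a string)."""
    lines = [
        "*filter",
        ":INPUT ACCEPT [0:0]",
        ":FORWARD ACCEPT [0:0]",
        ":OUTPUT DROP [0:0]",          # nothing leaves unless a rule below says so
        ":EGRESS-LOG - [0:0]",
        "-A OUTPUT -o lo -j ACCEPT",
        "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, table in (("tcp", allowed_tcp), ("udp", allowed_udp)):
        for port, owner in sorted(table.items()):
            rule = f"-A OUTPUT -o {iface} -p {proto} --dport {port}"
            if proto == "tcp":
                rule += " -m state --state NEW"
            if owner:                  # owner match only works for locally generated packets (OUTPUT)
                rule += f" -m owner --uid-owner {owner}"
            lines.append(rule + " -j ACCEPT")
    lines += [
        "-A OUTPUT -j EGRESS-LOG",
        # rate-limited so a noisy process cannot fill the disk; --log-uid adds UID=/GID= fields
        '-A EGRESS-LOG -m limit --limit 10/min -j LOG --log-prefix "EGRESS-DROP: " --log-uid',
        "-A EGRESS-LOG -j DROP",
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample of what /var/log/messages shows with the rules above.
SAMPLE_LOG = """\
Mar 31 10:00:01 host kernel: EGRESS-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=43210 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=100
Mar 31 10:00:02 host kernel: EGRESS-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=TCP SPT=43211 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1000 GID=100
Mar 31 10:00:05 host kernel: EGRESS-DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=5353 DPT=5353 LEN=28 UID=0 GID=0
Mar 31 10:00:06 host sshd[1234]: Accepted publickey for daniel from 192.168.1.20 port 5555 ssh2
"""

_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_drop_log(text, prefix="EGRESS-DROP:"):
    """Extract (uid, proto, dst, dport) from every kernel LOG line carrying our prefix."""
    attempts = []
    for line in text.splitlines():
        if prefix not in line:
            continue
        fields = dict(_FIELD.findall(line.split(prefix, 1)[1]))
        if "DST" not in fields:
            continue
        attempts.append(Attempt(uid=int(fields.get("UID", -1)),
                                proto=fields.get("PROTO", "?"),
                                dst=fields["DST"],
                                dport=int(fields.get("DPT", 0))))
    return attempts


def summarize(attempts):
    """uid -> {(dst, dport): count}: who on this box tried to call where, how often."""
    report = {}
    for a in attempts:
        per_user = report.setdefault(a.uid, {})
        per_user[(a.dst, a.dport)] = per_user.get((a.dst, a.dport), 0) + 1
    return report


def uid_name(uid):
    """Resolve a UID from the log to a login name; fall back to the number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


if __name__ == "__main__":
    print(egress_rules())               # feed to: iptables-restore < rules.txt
    for uid, dests in summarize(parse_drop_log(SAMPLE_LOG)).items():
        for (dst, dport), n in dests.items():
            print(f"{uid_name(uid)} tried {dst}:{dport} {n} time(s)")
```

The limit of this approach is exactly the one the thread circles around: the kernel can tell you which user sent the packet, not which binary, so on a single-user desktop every blocked attempt is attributed to the same login. Narrowing that down means running the suspect program under its own UID (as the port-25 rule does for the mailer) or confining it with an AppArmor profile.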
On Wednesday 22 March 2006 18:14, Andre Truter wrote:
Nope, that is wrong.
Please don't let's feed the trolls anymore, Ms. Walsh is clearly not interested in a discussion here. If she were she'd respond when she's called on her mistakes, instead she just continues on her wishful thinking crusade about what windows can do in an ideal world. So let's kill the thread, ok? -- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
On 22/03/06, Anders Johansson <andjoh@rydsbo.net> wrote:
On Wednesday 22 March 2006 18:14, Andre Truter wrote:
Nope, that is wrong.
Please don't let's feed the trolls anymore, Ms. Walsh is clearly not interested in a discussion here. If she were she'd respond when she's called on her mistakes, instead she just continues on her wishful thinking crusade about what windows can do in an ideal world.
So let's kill the thread, ok?
--
I think some of us were enjoying the amusement of the dream of an ideal 'Windows' world :-) Sadly that dream always turns into a nightmare. -- ============================================== I am only human, please forgive me if I make a mistake it is not deliberate. ============================================== Xmas may be over but, PLEASE DON'T drink and drive you'll make it to the next one that way. Kevan Farmer Linux user #373362 Cheslyn Hay Staffordshire WS6 7HR
Am Mittwoch, 22. März 2006 18:32 schrieb Anders Johansson:
On Wednesday 22 March 2006 18:14, Andre Truter wrote:
Nope, that is wrong.
Please don't let's feed the trolls anymore, Ms. Walsh is clearly not interested in a discussion here. If she were she'd respond when she's called on her mistakes, instead she just continues on her wishful thinking crusade about what windows can do in an ideal world.
So let's kill the thread, ok?
I read this thread with great amusement (as I am so very happy that after years of computer-related frustration I finally found my way to Linux), but I also learn a lot here. It's very interesting, at least for people like me, actually coming from the M$-space, really having that kind of security view, really trying to understand something. And although it's kind of a joke, of course, when Linda promotes the "security" of Win, at least I receive the impression that she's not stupid at all, maybe deliberately provoking. So I don't see any reason to flame her... As I still haven't really understood why there should not be a tool that would warn me if ET wants to call home, I'll follow this thread with interest and joy as long as it exists. Especially because I am not so sure that I always really know what I install here, cannot check source code, don't even know how I can distinguish "good" from "bad" software... So please go on and feed us with more controversial info. Thanks! Daniel -- Daniel Bauer photographer Basel Switzerland professional photography: http://www.daniel-bauer.com special interest site: http://www.bauer-nudes.com
----- Original Message ---- From: Daniel Bauer Sent: Wednesday, March 22, 2006 1:42:02 PM
Am Mittwoch, 22. März 2006 18:32 schrieb Anders Johansson:
On Wednesday 22 March 2006 18:14, Andre Truter wrote:
Nope, that is wrong.
Please don't let's feed the trolls anymore, Ms. Walsh is clearly not interested in a discussion here. If she were she'd respond when she's called on her mistakes, instead she just continues on her wishful thinking crusade about what windows can do in an ideal world.
So let's kill the thread, ok?
I read this thread with great amusement (as I am so very happy that after years of computer-related frustration I finally found my way to Linux), but I also learn a lot here. It's very interesting, at least for people like me, actually coming from the M$-space, really having that kind of security view, really trying to understand something.
[snip]
Especially because I am not so sure that I always really know what I install here, cannot check a source-code, don't even know, how I can distinguish "good" from "bad" software...
So please go on and feed us with more controversial info. Thanks!
Just to stop feeding that thread :) - try using FireStarter (http://www.fs-security.com) Dmitry
Daniel
What is wrong with setting up a Linux firewall to stop all suspect packets (either by time out or other rules) then periodically checking the log files? It should just work. This is Linux not Microsoft Windows, it's different so don't go expecting it to be the same. -- ============================================== I am only human, please forgive me if I make a mistake it is not deliberate. ============================================== Xmas may be over but, PLEASE DON'T drink and drive you'll make it to the next one that way. Kevan Farmer Linux user #373362 Cheslyn Hay Staffordshire WS6 7HR
Anders Johansson wrote:
On Wednesday 22 March 2006 18:14, Andre Truter wrote:
Nope, that is wrong.
Please don't let's feed the trolls anymore, Ms. Walsh is clearly not interested in a discussion here.
What discussion was addressed to me that I did not respond to? Clearly no one here understands the nature of 99% of Windows virii and how they could easily run on Linux if Linux had a full port of Explorer, ActiveX and the desktop libraries. It is rare that malware attacks come in through open Windows "ports" -- it is through application level attacks that most Windows malware is spread -- Outlook was one of the first favorites, now it's constantly Explorer or the Windows _equivalent_ of Apache: "IIS: the MS web server". Equating Explorer or Apache with Windows is like calling KDE or Apache "Linux". Linux is a kernel and Windows NT is a kernel.
If she were she'd respond when she's called on her mistakes,
If I make one, I may or may not respond -- is there some rule that I'm supposed to roll over and expose my belly? You may be clueless, I'm not playing by "doggie" dominance and hierarchy rules. It's weird to be put in a position of defending MS, since I tend to strongly dislike them, but so many people really don't know what they are talking about. Where do you think Windows (as a separate application on top of WinNT) got its "ActiveX" technology from? Before that it was called DCOM, and before that "COM" and before that...I think "CORBA"?, but Windows' "COM" technology came from Unix (Sun). Look at technology common to Windows & *nix, say Java: how much less secure is Java on Windows than Gnunix? What started this conversation no one has addressed: the primitive [absent] interactive GUI "Firewall" technology available on Windows. Don't think I don't know what I am talking about. I've had over 15 years of Unix & Linux experience. I've run Windows as a desktop for more than a couple of years as it has a superior GUI. But you don't try to tell me that the lack of an interactive GUI firewall that checks all inbound/outbound traffic isn't needed or useful. If I install FF on Linux, on startup, *by default*, it will go out and download the Firefox home page after you first install it. Unless you are on a separate subnet and block the use of outgoing port 80, it will succeed. When I install the same program on my Windows box, Firefox is blocked and I receive a popup on my desktop telling me that application "Firefox" is trying to contact host "xxyz" on port 80. Do I wish to allow this? That ability isn't readily available on Linux. That's not to say it _couldn't_ be done, it's just saying that it doesn't currently have the interactive GUI to control an all-encompassing firewall of the type that has been available on Windows for over 6 years (or more).
I'm not saying I can't configure a firewall that will block FF by default on Linux when it starts and will *ask* me what to do when it detects the effort: "should it be: 1) allowed always, 2) denied always, 3) allowed this one time, or 4) denied this one time?" The behavior I see on Linux is "silent failure" -- a log file entry is generated, and it doesn't tell me what application made the request.
instead she just continues on her wishful thinking crusade about what windows can do in an ideal world.
--- I'm only talking about what my Windows box is configured to do in the *real* world vs. my Linux box[en]. It certainly isn't a "crusade". If I have my druthers to set up an email/browsing client for someone who is OS-agnostic, I've chosen Gnunix as it's less likely to have problems. That certainly doesn't mean it's *perfect*. Why are so many people caught in black & white thinking? So many people are caught up in defending Gnunix that they can't see the flaws. Instead of answering the original poster with a means to do what they wanted to do, the *Linux* way is to convince them how stupid it is to want what they want. Rather than hearing abuse for liking security popups from my firewall, I'm told I don't know what I want and I really did want "black" and any choice other than "black" is obviously stupid coming from a "troll". The reason MS has been successful in the marketplace is that rather than spending all this energy telling me why I shouldn't want what I want, they have traditionally just bent over backwards to enable it (too much so, allowing harm from the opposite direction). Neither direction is 100% right. They need sensible blending -- something you won't have as long as you color everything "MS", "wrong". -l
On 3/30/06, Linda Walsh <suse@tlinx.org> wrote:
Clearly no one here understands the nature of 99% of Windows virii and how they could easily run on Linux if Linux had a full port of Explorer, ActiveX and the desktop libraries.
But Linux doesn't have those flaws, while Windows does. You cannot install a Windows system without it. So, even though the components that make it insecure are not the kernel, the system as a whole is still insecure as those are core parts of the system. Besides, if you want to make Linux just as vulnerable to viruses as Windows by porting ActiveX to it, you will firstly have to do the porting in a very stupid way. You will have to tie the ActiveX into the kernel's security level (like Windows has), so you will be actively MAKING an insecure Linux. But that would be stupid, would it not? What would the point be? Who would be stupid enough to use such a system? (Hmmm... Maybe if you get Microsoft's marketing department to sell it, you will be able to sell it to people.) But then it is definitely not Gnu/Linux anymore and the Gnu/Linux community will never accept or allow such a beast.
Where do you think Window's (as separate application on top of WinNT) got it's "ActiveX" technology from? Before that it was called DCOM, and before that "COM" and before that...I think "CORBA"?, but Window's "COM" technology came from Unix (Sun).
I don't know if COM and DCOM come from CORBA, but if they do then MS did a pretty crappy job of copying CORBA functionality. CORBA is a stand-alone bus that allows clients to talk to each other. The clients interface with the CORBA bus via an API, but do not share memory space with the bus itself. With COM and ActiveX the API gives your app access to the memory space of the ActiveX component, which again uses a shared system bus. If you plug into the Windows system bus, you can see all messages going around. You can intercept messages meant for other applications, change them and send them off again. With the message buses used on *nix systems you cannot do that, because there are different buses and you can only access what the bus allows you to see.
Look at technology common to Windows & *nix, say Java: how much less secure is Java on Windows than Gnunix?
Very much. Due to the common message bus that Windows uses, the Java application potentially has access to any other application, while on a *nix system the Java engine is run as a normal user and there is no common message bus. In fact, Java normally does not have access even to the KDE or GNOME message buses. If a Java app gets compromised, it will only affect the user.
What started this conversation no one has addressed: the primitive [absent] interactive GUI "Firewall" technology available on Windows.
I think you are still not getting the point. You perceive Linux as being primitive because it does not feature a useless application that can only give you a false sense of security. You are still measuring Linux security according to Windows security features and issues. The point is that you should first look at where the real threats are on a Linux system and then think from that angle. On Linux you should NOT focus on a tool that can tell you that you HAVE ALREADY been compromised. If you say that Linux is primitive because it does not have a fancy GUI that can tell me that I am already compromised, then I say that I prefer the primitive system that rather prevents me from being compromised in the first place.
If I install FF, on Linux, on startup, *by default*, it will go out and download the Firefox home page after you first install it. Unless you are on a separate subnet and block the use of outgoing port 80, it will succeed. When I install the same program on my Windows box, Firefox is blocked and I receive a popup on my desktop telling me that application "Firefox" is trying to contact host "xxyz" on port 80. Do I wish to allow this?
OK, so help me understand the usefulness of this. I start up a browser with the intent of accessing web pages on a web server, that is normally via port 80. Now I have an application that tells me that the browser is trying to access port 80. Well, I kind of expect it to access port 80, that is why I started it up. Why would I want an application to tell me this? Or do you start up Firefox and use it as a local file browser? Firefox should NOT access port 80, that would be wrong....
That ability isn't readily available on Linux. That's not to say it _couldn't_ be done, it's just saying that it doesn't currently have the interactive GUI to control an all encompassing Firewall of the type that has been available on Windows for over 6 years (or more).
That is because that functionality is moot on Linux. You don't need it as the security issues are different.
The behavior I see on Linux is "silent failure" -- a log file entry is generated, and it doesn't tell me what application made the request.
No, not silent failure, but silent protection. A firewall is not there to tell you what is trying to go where, its main purpose is to prevent things from going through it. If you want to see what traffic is going where, use something like Ethereal. [...]
The reason MS has been successful in the marketplace is that rather than spending all this energy telling me why I shouldn't want what I want, they have traditionally just bent over backwards to enable it (too much so, allowing harm from the opposite direction). Neither direction is 100% right. They need sensible blending -- something you won't have as long as you color everything "MS", "wrong".
The reason MS is successful does not have much to do with giving users what they want. It has to do with very clever marketing and social engineering. They have managed to form the market to their view of it. MS (and cronies) basically tell you that you need a tool to tell you that an application wants to access the net. They fabricate the need by perception. You have been brainwashed into believing that the best way to protect your system is to be notified that you have been compromised. Does that make sense? To me that is not logical. The MS-dominated IT sector has also very successfully brainwashed people into believing that a computer system is virus prone, that it has to be rebooted often and that instability is normal. These are all things that should not make sense, but somehow people believe it. It is like getting people to believe that it is normal for a car's brakes to fail every now and again. Ford will have difficulty in making people believe and accept this, because there are a lot of other car manufacturers that will not play along with this. Unfortunately the IT world has been dominated for so long by MS that they managed to establish certain perceptions about how a computer should function. People started to accept that a PC crashes every now and again. People lose files and just carry on because that is the nature of a PC. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~
I don't know if COM and DCOM comes from CORBA,
It doesn't.
With COM and ActiveX the API gives your app access to the memory space of the ActiveX component, which again uses a shared system bus. If you plug into the Windows system bus, you can see all messages going around. You can intercept messages meant for other applications,
Complete rubbish. Windows is a full-fledged protected mode OS, applications are very much shielded from each other - yes, I believe Linux is superior but due to differences far more subtle than you are describing.
With the message buses used on *nix systems you cannot do that, because there are different buses and you can only access what the bus allows you to see.
This statement is so vague as to be meaningless. And many of the messaging technologies used by X-windows environments over the years have been horribly insecure.
Look at technology common to Windows & *nix, say Java: how much less secure is Java on Windows than Gnunix?
Very much. Due to the common message bus that Windows uses, the Java application potentially has access to any other application,
Bogus.
What started this conversation no one has addressed: the primitive [absent] interactive GUI "Firewall" technology available on Windows.
I think you are still not getting the point.
I think YOU are entirely missing the point. An interactive firewall IS EASIER TO USE! Otherwise apps silently fail to work - this has nothing whatsoever to do with worms, viruses, trojans, etc... It has to do with informing the poor user what is going on. Lack of such a feature on the LINUX desktop IS a deficiency no matter how you want to spin it. Like no feedback for offline print queues and the inability to edit filesystem ACLs in the GUI.
You perceive Linux as being primitive because it does not feature a useless application that can only give you a false sense of security.
I don't perceive the LINUX desktop as primitive, but it certainly has functionality gaps that still need closing. This is a legitimate user need.
The point is that you should first look at where the real threats are on a Linux system and then think from that angle.
The inability of the system to INFORM the user that it blocked an application's attempt to communicate is NOT a "security" problem, it is a usability problem.
On Linux you should NOT focus on a tool that can tell you that you HAVE ALREADY been compromised.
Because an app is trying to open a port means you've been compromised? Again - Bogus.
On Thursday March 30 2006 21:51, Adam Tauno Williams wrote:
Complete rubbish. Windows is a full-fledged protected mode OS, applications are very much shielded from each other - yes, I believe Linux is superior but due to differences far more subtle than you are describing.
Look up shatter attacks on Windows. These are very dangerous attacks that cannot be fixed without Microsoft completely re-writing how Windows uses messages between applications. From what my hacker/security engineer friend tells me, this sounds exactly like what Andre was describing. -- ~R~ ---------------------------------------------------------- Our OS who art in CPU, UNIX be thy name. Thy programs run, thy syscalls done, In kernel as it is in user!
On Friday 31 March 2006 3:31 pm, Roger Haxton wrote:
Look up shatter attacks on Windows. These are very dangerous attacks that cannot be fixed without Microsoft completely re-writing how Windows uses messages between applications. From what my hacker/security engineer friend tells me, this sounds exactly like what Andre was describing. As a reference, there was a pretty good discussion of Windows security flaws and Crossover Office and if some of these vulnerabilities could affect Linux if we run IE, Outlook, et al.
-- Jerry Feldman <gaf@blu.org> Boston Linux and Unix user group http://www.blu.org PGP key id:C5061EA9 PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
Am Donnerstag, 30. März 2006 23:35 schrieb Andre Truter:
If a Java app gets compromised, it will only affect the user.
Sorry, I don't really get that point: "it will only affect the user". *I* am the user and it's exactly me whom I don't want to be affected. Quasi all of my data, all my e-mails, all my settings are "only user". So if this gets compromised, I don't care too much if the rest of the system is still doing fine - I am not. (OK, this applies only to a single-user machine, however.) To make it clear: as a non-professional "just-user" of a PC it's no comfort that "only the user" can be affected, because in case of an attack I will not be happy when I can say: "Oh, only my stuff is gone - but the system still feels fine - Yippee!"
What started this conversation no one has addressed: the primitive [absent] interactive GUI "Firewall" technology available on Windows.
I think you are still not getting the point.
Me neither, it may seem to you. I understand that there are huge differences between W and Linux, and I very much appreciate this - I'd never, never want to go back to W, that would be a nightmare (also, but not just, because of security). But on the other hand: what's against it, if you get notified when a program wants to call outside?
You percieve Linux as being primitive because it does not feature a useless application that can only give you a false sense of security.
If you have the, let's say "zone alarm" warnings, that doesn't mean that you should rely _only_ on this. I wouldn't call it a "false" but an "additional" sense of security.
... On Linux you should NOT focus on a tool that can tell you that you HAVE ALREADY been compromised.
Why not? Not everybody is a systems engineer (or wants to become one) with in-depth knowledge of security etc. issues. I guess most of the users just want to sit in front of a computer and _use_ it, as you want to see the time on your watch, even if you have no idea about what frequency the quartz inside runs at or how gears must be mounted so that they don't block. OK, you may say, those users shall go back to W. But is this what you really want? Me not. It's one of the reasons not "everybody" uses Linux that it has the image of being for "specialists" only. ...and about "HAVE ALREADY been compromised": OK, but then it's still better to find out by a warning than not to find out at all, don't you think so too? And what exactly does "being compromised" mean? I, for example, just don't want Acrobat to call home (in fact I don't even know if it does on Linux; it does on W if you don't stop it with z.a. or similar). I want to be able to block things like that easily without a university degree in firewalling.
No, not silent failure, but silent protection. A firewall is not there to tell you what is trying to go where, its main purpose is to prevent things from going through it.
I think "firewall" and the discussed ZoneAlarm feature of warnings for outgoing calls are two different things. If you set up a Linux PC (well, I know only SUSE...), you might be more secure than on W, but it is still possible that you download or run a program that does things you don't want it to. Of course it would be best to use only secure, trusted software, but how should an average fool (like me) decide what is secure, whom I should trust, whom not? In reality people just download programs if they think they'd like to have them. Then it's just nice if you can be sure that this program cannot connect to the internet without your explicit permission. I acknowledge that this *alone* doesn't make a system secure, but why not have it as an _additional_ comfortable feature?
If you want to see what traffic os going where, use something like Ethereal.
Well, again, for the kind of users I belong to, all those logs and other interesting and impressive things are very mystic. Often I simply don't understand if a message is a warning, an error or just normal. Is it important? Must I google around about that or can I just leave it as it is? etc. etc. It's quite a difference to read and decipher system messages or just having a window popping up, telling me "Acrobat wants to connect to the net. Do you want to allow this for now, for ever, not now, not at all?". I could understand something like this and - important - my action would simply be to click the desired answer. I don't have to search in system settings how to prevent a program from connecting, I don't even have to understand what ports are, what they do and how and why to open or close them. And, as said before, for most computer users (W or Mac or Linux, doesn't matter) the computer is just a tool. They have a profession other than programming and they have other hobbies than "computering". It shouldn't be a precondition for Linux users to develop in-depth system knowledge. If this were the case, then Linux would be nothing but a game for some freaks or, in the better case, a system for special needs run by specialists. ...
The reason MS is successfull does not have much to do with giving users what they want. It has to do with very clever marketing and social engineering....
I personally cannot understand why M$ is (was?) so successful. But it often happens in the real world that it is the worst that finally succeeds. In case of M$ I think "white-collar crime" is an important issue...
... People started to accept that a PC crash every now and again. People loose files and just carry on because that is the nature on a PC.
Here I fully acknowledge. It's crazy. Daniel -- Daniel Bauer photographer Basel Switzerland professional photography: http://www.daniel-bauer.com special interest site: http://www.bauer-nudes.com
On 3/31/06, Daniel Bauer <linux@daniel-bauer.com> wrote:
Am Donnerstag, 30. März 2006 23:35 schrieb Andre Truter:
If a Java app gets compromised, it will only affect the user.
Sorry, I don't really get that point: "it will only effect the user". *I* am the user and it's exactly me whom I don't want to be affected.
The point is not that it is OK if you get compromised, but the point was that if you get compromised on Windows, your whole system is in trouble, while on Linux, only the user is.
To make it clear: as a non-professional "just-user" of a PC it's no comfort that "only the user" can be affected, because in case of an attack I will not be happy, when I can say: "Oh, only my stuff is gone - but the system still feels fine - Yippee!"
Hehe, yes. You can still restore your backups and carry on. The thing is not that an attack is justified, but if you do get attacked, the damage is limited. Remember that Linux is a true multi-user system. Even if you are using it as a home PC and you are the only user, the system is still a multi-user system. You have a number of system users running on the machine. Not real people, but according to the system, all are users.
But on the other hand: what's against it, if you get noticed when a program wants to call outside?
First question: Why do you want to be notified of this? What is the reasoning behind this user request?
... On Linux you should NOT focus on a tool that can tell you that you HAVE ALREADY been compromised.
[...]
...and about "HAVE ALREADY been compromised": OK, but then it's still better to find out by a warning than not to find out at all, don't you think so too? And what exactly does "being compromised" mean? I, for example, just don't want Acrobat to call home (in fact I don't even know if it does on Linux; it does on W if you don't stop it with z.a. or similar). I want to be able to block things like that easily without a university degree in firewalling.
I don't have anything against the ZoneAlarm type functionality apart from the fact that it draws your attention away from the real threats. If you want such functionality, then ask the ZoneAlarm people to port it, or ask someone to write such an application. Fact is that Linux is not lacking in security or being primitive because it does not have such a tool, it just does not need such a tool. The original poster suggested that Linux is primitive because it does not have this and I am saying that it is not, because the tools that protect you from the real threats are quite mature on Linux.
No, not silent failure, but silent protection. A firewall is not there to tell you what is trying to go where, its main purpose is to prevent things from going through it.
I think "firewall" and the discussed zone-alarm feature of warnings for outgoing calls are two different things. If you set up a Linux-PC (well, I know only SUSE...), you might be more secure than on W, but it is still possible, that you download or run a program that does things you don't want it to.
AppArmor and your anti-rootkit software should help you here. Of course it would be best, to use only secure, trusted software, but
how should an average fool (like me) decide, what is secure, whom should I trust, whom not? In reality people just download programs if they think, they'd like to have it. Then it's just nice if you can be sure, that this program cannot connect to the internet without your explicit permission.
By using the appropriate tools mentioned above, you should never get to the point where you need this type of functionality. I still don't see much need for an application that lets you interactively block access from inside to outside, except if you don't want Acrobat to phone home. But if that is something that will make people happy, they are free to create such an application. Fact is still that the lack of such an application does NOT make Linux primitive or insecure, as that is not where the security issues are. The only usefulness such a tool will have is to allow you to prevent Acrobat (or whatever) application from accessing the net. But I don't see this as a security issue, it is just a user preference issue. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~
On Friday, 31 March 2006 10:20, Andre Truter wrote:
If a java app gets compromised, it will only affect the user.
Sorry, I don't really get that point: "it will only affect the user". *I* am the user and it's exactly me whom I don't want to be affected.
The point is not that it is OK if you get compromised, but the point was that if you get compromised on Windows, your whole system is in trouble, while on Linux, only the user is.
ok, got that. Anyway, on W you don't need a virus or worm to get compromised - windows is so-to-say "self-compromising" :-)
...
But on the other hand: what's against it, if you get notified when a program wants to call outside?
First question: Why do you want to be notified of this? What is the reasoning behind this user request?
Well that's easy to say: I want my privacy to be respected. I don't want a music company to know which CD's I listen to, I don't want Hollywood to know what movie I'm looking at, I don't want to give my e-mail contacts to a spam company, I don't want any program telling its developer or company automatically that I am using it... and so on. To use a picture: If you are responsible for a kindergarten you will make sure that no "bad guys" come in, but you also want to make sure that no child runs out the door to the street. So having somebody watching who is going in _and_ out wouldn't be a bad idea. Of course nobody should feel secure only because the door is monitored, it's just a (small) _part_ of the security. You'll also need fire extinguishers, a medicine chest, a phone to call for help...
... On Linux you should NOT focus on a tool that can tell you that you HAVE ALREADY been compromised.
[...]
...and about "HAVE ALREADY been compromised": ok, but then it's still better to find out by a warning than not to find out at all, don't you think so too? And, what exactly does "being compromised" mean? I, for example, just don't want Acrobat to call home (in fact I don't even know, if it does on Linux; it does on W if you don't stop it with z.a. or similar). I want to be able to block things like that easily without a university degree in firewalling.
I don't have anything against the ZoneAlarm type functionality apart from the fact that it draws your attention away from the real threats.
If you want such functionality, then ask the ZoneAlarm people to port it, or ask someone to write such an application.
I wouldn't. I have read things about ZoneAlarm that don't make it very credible. I don't want to propagate z.a., it's just this one feature (warnings, easy blocking internet-access of programs) that I'd like to have in Linux, too. But I agree, that I'm far away of knowing, if such a "warn-application" is useful or useless on Linux; I'd just like it for the reasons mentioned above...
Fact is that Linux is lacking in security or being primitive because it does not have such a tool, it just does not need such a tool.
The original poster suggested that Linux is primitive because it does not have this and I am saying that it is not because the tools that protect you from the real threats are quite mature on Linux.
Of course Linux is _not_ primitive at all. No system is primitive just because of the lack (if it is a lack then) of one feature. If you want this word to be used I'd call W primitive - if you compare it to Mac for example. But this is off-topic anyway.
No, not silent failure, but silent protection. A firewall is not there to tell you what is trying to go where, its main purpose is to prevent things from going through it.
I think "firewall" and the discussed zone-alarm feature of warnings for outgoing calls are two different things. If you set up a Linux-PC (well, I know only SUSE...), you might be more secure than on W, but it is still possible, that you download or run a program that does things you don't want it to.
AppArmor and your anti-rootkit software should help you here
Yeah, I'd have to learn about that. I just was held off using AppArmor by reading its descriptions, which I simply don't understand. Maybe I will one day - but until that day, I'd like to have something easier, you know, just click-click... ;-) I installed chkrootkit, but I never used it till now. YaST says: "However, it is always recommended that this program be used from a rescue system or a system with a similar purpose." So, will it damage something, when I run it, or what else is this sentence trying to tell me? Must I make a "rescue system" to use it, and if, how? You see, those are the issues that people coming from such a primitive system like W simply don't get a grip on so easily...
...
I still don't see much need for an application that lets you interactively block access from inside to outside, except if you don't want Acrobat to phone home. But if that is something that will make people happy, they are free to create such an application.
I would if I could.
Fact is still that the lack of such an application does NOT make Linux primitive or insecure, as that is not where the security issues are. The only usefulness such a tool will have is to allow you to prevent Acrobat (or whatever) application from accessing the net. But I don't see this as a security issue, it is just a user preference issue.
Ok, I guess you know much much more about this topic than I do, so I simply believe what you say (does this make my system insecure? ;-) ). Let's call it a user preference issue. An issue I'd really welcome, although I know, it probably wouldn't prevent a "bad" program using a door to the outside world thru using another program to which I allowed connecting... Daniel -- Daniel Bauer photographer Basel Switzerland professional photography: http://www.daniel-bauer.com special interest site: http://www.bauer-nudes.com
On 3/31/06, Daniel Bauer <linux@daniel-bauer.com> wrote:
Well that's easy to say: I want my privacy to be respected. I don't want a music company to know which CD's I listen to, I don't want Hollywood to know what movie I'm looking at, I don't want to give my e-mail contacts to a spam company, I don't want any program telling its developer or company automatically that I am using it... and so on.
I don't know AppArmor very well yet, but I had a quick look in the documentation and it seems that it is what you are looking for. I have to agree that setting it up can be a bit daunting, but the standard profiles that come with it are probably already adequate for what you need. I would suggest playing around with it. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~
On Friday 31 March 2006 12:00, Daniel Bauer wrote:
I installed chkrootkit, but I never used it till now. YaST says:
"However, it is always recommended that this program be used from a rescue system or a system with a similar purpose."
So, will it damage something, when I run it, or what else is this sentence trying to tell me? Must I make a "rescue system" to use it, and if, how? You see, those are the issues that people coming from such a primitive system like W simply don't get a grip on so easily...
If your system is compromised, you can not trust it anymore. No parts of the software should be trusted. e.g: Your /bin/ls could have been changed to never show the malicious software. Your /bin/ps could have been changed to never show malicious processes. The list goes on... If you boot up from a fresh read-only medium such as a CD-ROM, then you start with an "uncompromised" system. And you can trust the output of rpm, lsof, netstat, ls and friends. Only then can you see if the MD5 signatures from the rpm's match your binaries. j -- Jonas Helgi Palsson "Microsoft is not the answer. Microsoft is the question. NO is the answer." -Erik Naggum
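Jonas's last step, checking the installed binaries against the RPM database from a rescue boot, produces a lot of `rpm -Va` output that is hard to read by eye. The script below is an added example and not something any poster provided: it filters that output down to the files whose MD5 digest no longer matches what the package database recorded, and separately lists files the database knows about but which have vanished. The sample lines are constructed, not captured from a real system; the `rpm --root /mnt` invocation in the comment assumes the suspect root filesystem has been mounted read-only under /mnt from the rescue medium.

```shell
#!/bin/sh
# Added example (not from the thread): make `rpm -Va` output from a rescue boot
# readable by separating "digest changed" from harmless mtime/config changes.
#
# Intended use from a rescue CD, with the suspect system mounted under /mnt
# (an assumption), so that the rpm and awk being run are the trusted ones:
#   rpm --root /mnt -Va | rpm_verify_digest_changes
#
# `rpm -Va` line shape:  FLAGS [attr] PATH     e.g.  "S.5....T    /bin/ls"
#   position 1 S = size, 2 M = mode, 3 5 = MD5 digest, ... 8 T = mtime
#   attr "c" marks a config file, where local edits are expected.
# Files listed in the database but absent on disk print as "missing   PATH".

# Reads `rpm -Va` lines on stdin, prints one path per line for every
# non-config file whose digest (the "5" flag in position 3) differs.
rpm_verify_digest_changes() {
    awk '
        NF >= 2 && $1 != "missing" {
            flags = $1
            path  = $NF
            attr  = (NF >= 3) ? $2 : ""
            if (attr == "c") next            # edited config files are not tampering
            if (substr(flags, 3, 1) == "5") print path
        }
    '
}

# Reads the same input, prints paths rpm expects to exist but which are gone.
rpm_verify_missing_files() {
    awk '$1 == "missing" { print $NF }'
}

# Constructed sample `rpm -Va` output (not real data) so the script runs offline.
SAMPLE_RPM_VA='S.5....T    /bin/ls
.......T    /usr/bin/vim
S.5....T  c /etc/ssh/sshd_config
missing     /bin/ps'

printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_digest_changes   # prints /bin/ls
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_missing_files    # prints /bin/ps
```

A digest mismatch on /bin/ls is exactly the kind of replaced binary Jonas describes, while the mtime-only change on vim and the edited sshd_config are noise the filter drops. Note that the RPM database itself lives on the suspect disk, so this catches binaries that were swapped without also rewriting the database; a package re-signed and reinstalled by an attacker would need the gpg key check mentioned later in the thread.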
I need to break this up as my typing speed isn't what it used to be. Andre Truter wrote:
On 3/30/06, Linda Walsh <suse@tlinx.org> wrote:
Clearly no one here understands the nature of 99% of Windows virii and how they could easily run on Linux if Linux had a full port of Explorer, ActiveX and the desktop libraries.
But Linux doesn't have those flaws, while Windows does.
Which flaws are you referring to? I said Linux isn't affected by most Windows-based virii because Linux doesn't provide the "ease-of-use" & "automation" libraries that most malware targets in the Windows environment. I don't believe I referred to flaws. It sounds like you are equating "libraries" with "flaws". Is this what you meant? I might point out that _Linux_ doesn't provide _any_ application libraries. Third parties provide applications and libraries which are distributed by specific distributions. When you refer to Linux, are you referring to all distributions that use the Linux OS as their base? Windows isn't an OS; it's a windowing, application environment. It started as a $100 dollar, separately packaged "add-on". Up until recently it ran on MS-DOS -- a single-user OS designed for *non-networked* use. Windows was ported to run on "NT", which MS introduced as their "business" solution. Windows is equivalent in Linux to "KDE" or "Gnome" and every other standard application library provided on top of a Linux kernel.
You will have to tie the ActiveX into the kernel's security level (like Windows has), so you will be actively MAKING an insecure Linux.
Are you referring to the multiple special hooks for graphics acceleration in the Linux Kernel, like the specialized XFree graphics subsystem drivers? No, because putting hooks in the kernel to allow graphics acceleration would just be "stupid", right? How about the automation that already exists in KDE (and probably gnome) that allows one to click on a file and have a file-specific handler (or interpreter) run. It doesn't have to be built into the kernel to be insecure. Just run all the processes as root. How many times has Linux been hacked because a daemon was compromised and running as "root"? It's common now for some of these to drop root privileges and/or run in a restraining "chroot" jail (ex. bind/named), but many haven't been converted, and there seem to be new ones being written all the time that forget the lessons of yesterday.
(Hmmm... Maybe if you get MicroSoft's marketing department to sell it, you will be able to sell it to people) But then it is definitely not Gnu/Linux anymore and the Gnu/Linux community will never accept or allow such a beast.
There is no "accept" / "allow". it's whatever will sell to the masses. Each new version of SuSE (I only mention SuSE because I'm not that familiar with other distro's, having run SuSE's since SuSE 7.x) has more daemons running that I've never heard of. With the interwoven dependencies I have mentioned elsewhere in email, tons of unnecessary software and daemons are installed in the default system -- if you follow the install rules -- like you said in Windows: you can't install a system without them.
Where do you think Windows (as a separate application on top of WinNT) got its "ActiveX" technology from? Before that it was called DCOM, and before that "COM" and before that...I think "CORBA"?, but Windows' "COM" technology came from Unix (Sun).
Correction on this - COM came from DDE and OLE, which didn't include networking initially. CORBA 2.0 was designed for compatibility with OLE & COM. CORBA had DCOM compatibility by version 2.3.
CORBA is a stand-alone bus that allows clients to talk to each other. The clients interface with the CORBA bus via an API, but do not share memory space with the bus itself.
??? By share the same memory space, do you mean run on the same computer? Not since Win98/WinME have Windows processes run in a shared memory space.
With COM and ActiveX the API gives your app access to the memory space of the ActiveX component, which again uses a shared system bus.
On a hardware level, perhaps, but in software, no worse than Linux, where any root-level process can read (and write) all of memory through /proc/kcore.
With the message busses used on *nix systems you cannot do that, because there are different busses and you can only access what the bus allows you to see.
You are not making any sense. All root level processes on a "normal" version of Linux (not SELINUX), have access to each other and can screw with other process's memory space given enough work. In NT, processes under different user-id's and non-root processes don't have any more ability to write over other users' processes than on Linux.
Very much. Due to the common message bus that Windows uses, the java application potentially has access to any other application, while on a *nix system, the java engine is run as a normal user and there is no common message bus. In fact, java normally does not have access even to the KDE or GNOME message busses.
If a java app gets compromised, it will only affect the user.
You apparently don't know about the versions of Linux that have shipped as "single user systems", where the one user is "root". You can configure Linux to have just as many security problems as Windows.
What started this conversation no one has addressed: the primitive [absent] interactive GUI "Firewall" technology available on Windows.
I think you are still not getting the point.
The point in in the subject of the message. Show me the Linux answer to "common" Windows functionality -- interactive firewall and security control.
You perceive Linux as being primitive
--- Incorrect. Read the subject. I perceive the SuSE Firewall product as being primitive compared to user-interactive products on Windows that provide the same level of security but have the additional ease of real-time user interaction.
because it does not feature a useless application that can only give you a false sense of security.
This is what I mean -- you can't admit Linux is lacking in an interactive bi-directional firewall & HTML filtering product.
You are still measuring linux security according to Windows security features and issues.
It's not a measure of security -- it's a measure of usability -- of whether or not you can answer the original posters question. They wanted an interactive firewall control -- not a non-interactive one that makes all decisions for him up front and silently records results to a log file.
The point is that you should first look at where the real threats are on a Linux system and then think from that angle.
On Linux you should NOT focus on a tool that can tell you that you HAVE ALREADY been compromised.
Having a tool *block* non-permitted applications by default doesn't tell me I've been compromised. You see, many tool writers write their tools to "call home" after you have installed them. This allows them to track who has installed their tool and, at the least, gauge numbers. Firefox is such a tool. When you first install it, it tries to call home. Do I want it to? No. You are making the claim that because Firefox initiates web-access to a Firefox-custom site when it starts up, that I am already compromised. I disagree. It's not just Firefox, but most programs' "help" features seem to attempt network communication (whether I only want to search my local machine or not). Another example -- Thunderbird. Would I expect an "email" client to attempt a download from port 80 when I first start it? That's what it does. It tries to download a special "start page" when you start it for the first time and unless you disable its default start page. Do I want to signal to "mozilla.org" every time I read email? On Windows, I have a chance to interactively monitor each new program's behavior and decide to permit or deny activity. On Linux, I don't have that option.
OK, so help me understand the usefulness of this.. I start up a browser with the intent of accessing web pages on a web server, that is normally via port 80.
Please, don't insult my intelligence. You can't figure out any usage of Firefox beyond accessing external web sites on port 80? Firefox can be used to browse a local internet and it can be used to browse external sites not on port 80, or be configured to go through a proxy. On my system, a program trying to go out on port 80 is the first evidence that a program is trying to do something _behind my back_. I know at the very least, it is misconfigured or it is trying to do some action I didn't specifically authorize. On your Linux system, you have no clue -- from what you tell me, you have port 80 open by default, so any application can contact external websites on port 80 and download code or "register" your presence. That's insecure.
Well, I kind of expect it to access port 80 that is why I started it up. Why would I want an application to tell me this?
Because it is not something specifically permitted. You seem to believe that any application going out port 80 should be unquestioned and allowed. My security policy on my Windows machine says no traffic goes out of port 80. Any software that is following my security policy will not go out port 80. Any software that tries to go out port 80 will cause me to be immediately notified -- interactively with what application is attempting the *unauthorized* access and what website it is trying to contact.
Or do you start up Firefox and use it as a local file browser. FireFox should NOT access port 80, that would be wrong....
=== It does and you are obviously unaware of this because you haven't been monitoring your port-80 traffic.
That is because that functionality is moot on Linux. You don't need it as the security issues are different.
No they aren't. I have similar security policies for my windows as for my Linux machines. There are variations based on my usage, but I am aware of the risks.
The behavior I see on Linux is "silent failure" -- a log file entry is generated, and it doesn't tell me what application made the request.
No, not silent failure, but silent protection.
You are jumping around. We are talking about otherwise legitimate applications that make unpredictable network accesses -- like Firefox, when you first start it to browse files. You wouldn't expect it to access the internet, but that's what it does -- so does Thunderbird. Um...we just talked about allowing FireFox to go out of port 80. If I run an MP3 player, if it tries to download music from "website:5004", you can bet that on Windows, I'd get an immediate warning that "MP3AMP" is trying to access "music.site" on port 5004. Should it be permitted? I can look at the URL and see it's on a non-standard web-traffic port (though it may be standard for MP3 broadcasts, it's not for generic web content). I can choose to allow it or not. On Linux I had the same problem -- but there, my firewall silently blocks attempts to go out on port 5004 -- why? Because when I set up the firewall, I didn't "predict" every possible port that music might be playing from. Not playing is a "failure" -- it is not "silent protection". From any user's perspective, if it doesn't work, it's broken. On Linux, I had no idea why it wasn't working the first time it happened. Only days later did I see a few lines out of 1000's of log lines showing me that there had been unauthorized attempts to contact "music.site:5004" that had been _silently_ blocked. Later, I could log into my firewall console and add rules to permit this, but when it was happening, all I knew was frustration -- my MP3 player wasn't working with random sites.
A firewall is not there to tell you what is trying to go where, its main purpose is to prevent things from going through it.
Why do you think they have security cameras in banks? Are they to deflect the bullets of robbers? If something "happens", you want to know who what where and when. Giving me no information is next to useless. Sorry -- Linux doesn't provide useful information in these situations. Not knowing "who" (or "what") is trying to violate security policy in what way is poor protection -- giving me that information in real time is in NO way, useless. -l
Linda Walsh wrote:
Clearly no one here understands the nature of 99% of Windows virii and how they could easily run on Linux if Linux had a full port of Explorer, ActiveX and the desktop libraries.
Absolutely. And if the sky fell down we'd all be wearing a blue hat. Regards, -- Jos van Kan registered Linux user #152704
On Thursday 30 March 2006 5:44 pm, Jos van Kan wrote:
Linda Walsh wrote:
Clearly no one here understands the nature of 99% of Windows virii and how they could easily run on Linux if Linux had a full port of Explorer, ActiveX and the desktop libraries.
Absolutely. And if the sky fell down we'd all be wearing a blue hat.
Regards, -- Jos van Kan registered Linux user #152704
I am hopelessly lost here. ( Not aiming this at you Jos, ;- ) but I think I missed a couple of layers of this, um, erm, discussion (?) ) Why would anyone port Explorer ( I am guessing IE is the program?) to Linux? And ActiveX either? Both of those programs/systems are owned by the MS company. They, I can assure you, have no interest at all in porting them to Linux, at least not any variant of Linux that Linus would accept. And I believe he still owns the rights to define what is and isn't able to be called "Linux", does he not? I doubt he will go for "embrace and extend" or "envelope and smother.. " The Explorer functionality we have as in many different web browsers. Top of heap currently Firefox and Konqi, there were several variants from the Gnome groups that I used to use as well.. there are even text only browsers. In the event you wanted to check something and for security reasons you didn't want to allow anything other than text. Or perhaps you are a blind person who has no need of the slower speeds of graphics and do have a "reader" program to assist your web enjoyment... And if you really feel you have lost something by not having IE to websurf w/; well, your legally owned copy of IE can be installed and run, dangers from bugs or virii and all, tho only the user is in trouble. Not for the Linux system itself. If you trash your user space you are NOT going to take the system down.. As a normal user you won't be allowed to delete or change vital Kernel parts either. A commercial company called Codeweavers will sell you a way to setup and use your own legal copies of those programs and several others.. a nice sandbox that they spend lots of time tightening precisely so your warnings from a firewall ( Zone Alarum? ) are not necessary. As someone said, if you open your web browser, do you not intend it to connect to the internet? So why do you need a popup to tell you that it is doing so?
Warnings you are being scanned or that someone is attempting to get into your servers or your personal computer ... that is useful.. and there are many of these programs available. As one of the group often says "google is your friend" in these instances. ( I apologise profoundly to the originator of that remark.. I've forgot your appellation. ) As for the firewall issue. Please clarify your usage of "firewall" as a program.. there are once again many to choose from, each distro usually packages one or more ... on a Suse system the builtin one is SuseFirewall, possibly w/ the number "2" still part of the name... A basic locked down system will be running from time of install of the distro by default.. ( some of the older versions required one to check a box during the setup for one's internet or lan connection.) At this part of my day I don't recall any more if that step is necessary in 10.0 ... If you didn't set it up on install of the distro, or wish to tighten the open ports it's easy to do in Yast (firewall settings areas IIRC). Of course as an old time user you already know you need root's password to do any of this, whether setup or just reading the info... The Vanilla version of the firewall and kernel have kept many many systems safe w/ the local users needing to know nothing more about it than that check box to start the thing. Even, I might add, while windows boxes all over were falling prey to Melissa, I love you, and the series of "RED" worms that just blitzed Windows world up to and including the current one. If this isn't what you meant in your attempt to start a discussion, I suspect Anders is correct and I shall defer to his judgement in this matter. <aside to Anders et al > Sometimes, there needs to be translation from feminine usage to male or vice versa since it is abundantly clear the two halves of humanity do not intend the identical meaning and shadings of words, no matter what the national tongue.
<heavy sigh> -- j It goes like this , the 4th the 5th , the minor fall the major lift, befuddled king composin' ( song lyric)
troll (learning kind) feeding troll here... On Thu, 30 Mar 2006 11:52:35 -0800 Linda Walsh <suse@tlinx.org> wrote:
If I install FF, on Linux, on startup, *by default*, it will go out and download the Firefox home page after you first install it. Unless you are on a separate subnet and block the use of outgoing port 80, it will succeed. When I install the same program on my Windows box, Firefox is blocked and I receive a popup on my desktop telling me that application "Firefox" is trying to contact host "xxyz" on port 80. Do I wish to allow this?
That ability isn't readily available on Linux.
Is it possible that people running GNU Linux know that this "feature" (feel-good is what it really is) isn't needed - maybe that is the reason it hasn't been created (yet?!?!?- i don't need it.) not worth a reply Linda, let it die.
On Thursday 30 March 2006 13:52, Linda Walsh wrote:
Anders Johansson wrote:
On Wednesday 22 March 2006 18:14, Andre Truter wrote:
Nope, that is wrong.
Please don't let's feed the trolls anymore, Ms. Walsh is clearly not interested in a discussion here.
--- What discussion was addressed to me that I did not respond to?
Clearly no one here understands the nature of 99% of Windows virii and how they could easily run on Linux if Linux had a full port of ^ Explorer, ActiveX and the desktop libraries.
TADA!! You just answered all your inane questions and put downs of Linux in your above statement. Just in case you missed it, the winning 'DUH' from you is......................... "if".
* Linda Walsh (suse@tlinx.org) [20060330 21:52]:
When I install the same program on my Windows box, Firefox is blocked and I receive a popup on my desktop telling me that application "Firefox" is trying to contact host "xxyz" on port 80. Do I wish to allow this?
Experience shows that the average user will just click 'yes' in most cases so the effect is lost. Even if there are reasons to have a personal firewall (I strongly doubt that), you've chosen the wrong list. suse-security@suse.com would be far better to discuss this topic.
the *Linux* way is to convince them how stupid it is to want what they want.
What's so wrong with that approach?
The reason MS has been successful in the marketplace is that rather than spending all this energy telling me why I shouldn't want what I want, they have traditionally just bent over backwards to enable it
But unlike Linux, MS has a) full control over Windows and b) the deep pockets to pay people that write such apps. Linux is by far volunteer work, so you either have to write such an app yourself, convince those that could do it or hire people who do the job for you. And at least for the last two points you've picked the wrong list. Philipp
On Wednesday, 22 March 2006 18:14, Andre Truter wrote:
Nope, that is wrong. There have been people that have actively tried to install Windows viruses on Linux and the best that a virus could do on Linux was to delete a few of the user's files. It could not survive for long and it could not propagate itself.
Due to the design of the system, Linux is a very unfriendly environment for a virus.
This isn't an infectious anything, it's merely a program that uses several different "weaknesses" in your own system, to acquire access to run on your Operating System. Since the Operating Systems are quite different, a malicious program made for Windows, will simply have similar ability to run on Linux, as a program made for the good old MS-DOS will have. This does NOT mean, that there aren't weaknesses in Linux, nor that malicious software for it don't exist.
FireFox lets you enable or disable javascript and you can tell it to only allow javascript from certain sites.
--- FF is an agnostic technology. It functions the same on Windows as on Linux. You are making my point. Choose better applications on Windows and you'll reduce your security-liability footprint.
Yes, exactly. You said that ZoneAlarm does this, so I said that you can use FF on Linux to get the same functionality. I know FF does this on Windows too.
How does a firewall detect incoming javascript?
--- Many firewall products have this feature. A firewall product sits on the boundary between "out there" and your system. In order for HTTP protocol to be passed "in", it has to go through a firewall. The Firewall simply does "deep inspection". Hardware firewall products (Juniper, et al) have this feature. So do some software firewall products.
Is this not exactly what I said when I mentioned the IPCop plugin?
Ummm.. Intrusion Detection systems have nothing to do with viruses.
---- That's where you are mistaken. I listed virus in brackets because that's what a virus is -- it is an intrusion of an outside program that has been run in some "privileged" mode such that it has installed portions of itself behind for _possible_ purposes of spreading, or just "owning" the machine. Both intrusion and virus detection software look for signs of altered or corrupt software retrospectively. Good intrusion detection software looks for signatures of known root-kits and infection vectors.
No, Intrusion detection systems monitor incoming traffic and react to malicious attacks on your ports. It does not check files for signatures, that is what anti-virus does and anti-rootkits.
Checking the files for viruses is after the fact. An intrusion detection system prevents anything from reaching your system.
--- How many systems are "owned" linux vs. windows? I'd suggest the total is higher for windows. What's the difference in the intrusion detection you are talking about? You are referring to the singular case where someone is actually behind 1 specific attack on your system instead of it being one of a thousand automatic attack vectors. It makes much more sense for a "intruder-wanna-be" to use multiple viruses and launch 10's - 100's of thousands automated attacks. It's not profitable to waste time attacking 1 system unless you have some specific objective. It's far easier just looking for "easy pickings" -- people who have left their doors "unlocked".
I don't really get your point here.
I don't know of a single Linux system that has been infected by a virus (that the user did not install on purpose).
Linux systems get "owned" by people exploiting vulnerabilities on a machine that has the vulnerable software listening on an open port. The other way is to physically gain access to the machine, or to convince the root user to install compromised software. In the last two cases you are dealing with social engineering, and something like AppArmor can protect you there. In the first case, your firewall and IDS can protect you. In neither of the cases is there any use in having a system that tells you that an application tries to access the internet. If you get to that point, you are already screwed. You should use your firewall and AppArmor to make sure you don't get to that point.
---- Cement-Pro also protects your system. You encase your system in 6-feet of cement. Nothing gets in or out. What's your point?
My point is that if you are worried about a compromised application on your Linux system trying to "phone home", then set up your Linux Firewall to block outgoing traffic too.
--- Same way as on Linux -- if you download a corrupt binary, you lose. If you run a pre-built RPM or binary on Linux you can suffer the same problems as on Windows. Your Linux system will be compromised faster since there are almost no Linux virus detectors for downloaded binaries (RPMs). By a feature of the RPM system -- if you install an RPM, you've already used root, so any software you've installed has complete control over your system.
That is why you have GPG signature checking built into your package managers. They act as anti-virus software. All built in.
On Linux you have tools like chkrootkit, etc. that inspect every file on your system and immediately let you know if the file was tampered with.
--- Is it "on-access"? I don't think so. When you install, it uses "HTTP" to go out onto the net to download instructions -- does a linux system detect what applications are accessing HTTP and to what target system? An application like ZoneAlarm will tell you in real-time -- as soon as outside communication is attempted, that program "address book" is trying to use HTTP to contact "owned-systems.ru".
But is it not too late then? That means that you have already been compromised. The idea on Linux is to prevent that situation, not sit and wait until it happens and then it can proudly inform you that you have been owned.
AppArmor is also a tool that will let you know immediately if files are accessed without permission. It prevents the access and then notifies you. So it is pro-active.
---- How does it detect access? Signatures? Are they checked before every execution?
You set up your AppArmor to allow a user access to certain files.
built-in to WinXP but is rarely used that way. I don't know of any Linux distro that ships with such capabilities built-in and enforced by the OS.
AFAIK, SELinux enforces it.
Well, the idea is that the normal user should not need to worry about security. Linux has been designed in such a way that it looks after itself. You don't need to monitor the security systems.
---- That's what you want to believe -- Linux doesn't provide a real-time alarm system like ZoneAlarm that pops up graphically to tell the user about each network access. All it provides are log files that let you examine things after the fact. How is that more secure?
Again, you are looking at this from the wrong side. Tools like ZoneAlarm will inform you that you have already been infected, while Linux security systems prevent you from being infected in the first place.
I would rather spend more time and energy on preventing being owned than on being informed that I have been owned.
Perhaps you can instruct the original post on how that works. Personally, I haven't seen that on Linux, but if you have a solution, great! Let's hear it. :-).
I have provided the link, all the documentation and software is there.
My point is still that people coming from a Windows background treat Linux security from the wrong end. The functionality of ZoneAlarm that the OP wanted is useless on Linux, as it only informs you that you HAVE ALREADY been compromised. If you get to that stage, you can just as well format your disk and re-install, as you are screwed.
I suggest that the OP should rather look at the tools that PREVENT a system from being owned.
Those tools are a firewall, IDS, AppArmor, etc.
If you want to know if you have already been owned then you can use tripwire and chkrootkit.
A system like ZoneAlarm will not have any effect if you have been compromised, as the attacker initiates the connection from outside and compromises an application that normally does have net access (how else will they get to the app if it is not listening on a socket). These are applications like sendmail, telnet, apache, ssh, etc.
So, let's look at a situation: You have your Linux system with the newly ported ZoneAlarm running, and it tells you that sendmail wants to access the net. So you say OK, as you want your mail to be sent.
Now the attacker compromises sendmail and they are happily using sendmail to do all kinds of nasty stuff. How will ZoneAlarm protect you?
Sendmail is supposed to access the net.
See my point? You should catch the guy before he gets to sendmail and that is what a firewall and IDS is for.
-- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za
~ A dinosaur is a salamander designed to Mil Spec ~
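The egress filtering Andre suggests above ("set up your Linux Firewall to block outgoing traffic too") in concrete form, as an added example that is not part of the original thread and not SuSEfirewall2's own code. The function prints the iptables commands for an allowlist-based OUTPUT chain instead of executing them, so the policy can be read before it is applied as root. The interface name, the allowed port list and the log prefix "EGRESS-DROP" are assumptions for the illustration.

```shell
#!/bin/sh
# Added example: build an egress (OUTPUT chain) allowlist for iptables.
# Not SuSEfirewall2 code. Interface, allowlist and the "EGRESS-DROP"
# log prefix are assumptions; adjust them to your box.
#
# egress_rules IFACE "port/proto port/proto ..."
# prints one iptables command per line. Review the output, then apply it:
#   egress_rules eth0 "53/udp 53/tcp 25/tcp 80/tcp 443/tcp" | sudo sh
egress_rules() {
    iface=$1
    allow=$2

    echo "iptables -F OUTPUT"
    # Replies to connections that arrived from outside (our sshd, apache,
    # sendmail answering clients) must keep flowing, or the box goes deaf.
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Local IPC over loopback is never the traffic we want to block here.
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # One ACCEPT per allowed destination port; anything not listed falls
    # through to the LOG rule and the DROP policy below.
    for entry in $allow; do
        port=${entry%/*}
        proto=${entry#*/}
        echo "iptables -A OUTPUT -o $iface -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log what is about to be dropped (rate limited so a compromised process
    # cannot fill the disk by hammering a blocked port), then drop it.
    echo "iptables -A OUTPUT -o $iface -m limit --limit 10/min -j LOG --log-prefix \"EGRESS-DROP \" --log-level 4"
    # Set the default policy last, once the ACCEPT rules exist, so a first
    # run never leaves the box with DROP and no exceptions.
    echo "iptables -P OUTPUT DROP"
}

# Number of ACCEPT rules in a generated policy; a quick sanity check
# before piping the output to sh.
count_accepts() {
    grep -c -- '-j ACCEPT'
}
```

Two caveats a practitioner will hit: the OUTPUT chain only sees packets the box itself generates, so on a gateway like the squid proxy discussed later in the thread the same structure belongs in FORWARD; and a port rule cannot tell sendmail apart from something that has taken sendmail over. The `-m owner --uid-owner` match can at least tie 25/tcp to the mail user, and per-program confinement is what the AppArmor pointers in this thread are about.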
On 3/24/06, Orn E. Hansen <orn_hansen@thalamus.nu> wrote:
This isn't an infectious anything, it's merely a program that uses several different "weaknesses" in your own system to acquire access to run on your operating system. Since the operating systems are quite different, a malicious program made for Windows will simply have a similar ability to run on Linux as a program made for the good old MS-DOS will have.
Yes, this is correct. I was replying to the comment that "Linux will also be vulnerable to the same viruses as Windows" which is not true.
This does NOT mean that there aren't weaknesses in Linux, nor that malicious software for it doesn't exist.
Also correct, but it DOES mean that the weaknesses and types of malicious software are very different and should be treated in a different manner.

A virus as we define it (a malicious program that embeds itself in a system and then replicates itself and distributes itself to other systems) does not have a good chance of survival on Linux. There are about 40 viruses and worms that have been written for Linux, but most of them are concept viruses created to prove a point, and they are only effective if you manually install them or give them the correct favourable environment, and then they only do minimal damage, within the rights of the user they are being run as. There was a worm or two that managed to survive in the wild for a short period of time, but they only managed to affect a small number of machines (which had the correct combination of vulnerable software running on the correct ports, because the administrators were lazy).

I remember that when the Ramen worm came out, I was running a RedHat 7.0 system at home and was still a Linux newbie. My home box was already patched against it at that time. I just saw the worm's attempts to break in in my logs. So any proper sysadmin should have had their systems patched also.

Viruses are not a big threat to a Linux system, due to its design; you are more likely to be compromised by an actual person breaking into your system. And that is exactly my point. People try to treat Linux like Windows, so they focus on protection against viruses and spyware (a non-existent enemy), while they should be looking for trouble on break-in attempts on their firewall. It is no use helping newbies to go ghost hunting for a 1% threat while they are totally oblivious to the real threats. We should help people to rather focus on the real threats.

-- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~
On Friday, 24 March 2006 08:41, Andre Truter wrote:
Also correct, but it DOES mean that the weaknesses and types of malicious software are very different and should be treated in a different manner. Agreed ... my own sentiment is that the word "Virus" should not be used at all on Linux systems. I find the word "lame".
A virus as we define it (a malicious program that embeds itself in a system and then replicates itself and distributes itself to other systems) does not have a good chance of survival on Linux. Backdoors have been notorious in Unix systems. I've got one notorious one in mind, that was embedded into the C compiler itself when compiling "login.c". And creating a system that "erases" itself is not that uncommon either. Creating a "software" package that does "propagate" some controlling structure that will ensure the "removal" of the software after a specific date, for example.
Fact of the matter is that the "professional" community was using these kinds of features long before Windows was born, or became popular. An example of such a structure built into a system was the Atari ST, which would scan for a specific byte sequence at an even RAM address on warm reboot, and execute that block if it found it. This was built into the ROM BIOS itself.
Viruses are not a big threat to a Linux system, due to it's design, you are more likely to be compromised by an actual person breaking into your system.
It has little to do with the design of the system. It has a lot more to do with how the Linux community is, as in open source and regular updates. A program pretending to be the "bash" shell, for example, is not going to live long, because it's going to be removed and reinstalled pretty regularly. And trying to put something inside a ".profile" script or similar is likely to be discovered, as most Linux users are enthusiasts who are fiddling with these things all the time. As in this community source code is likely to be scrutinized by many, especially on volatile systems.
It is no use we help newbies to go ghost hunting for a 1% threat while they are totally oblivious to the real threats. We should help people to rather focus on the real threats.
Unix has never strived to be "idiot proof", like Windows and Mac do. Nor do I think the "idiot proof" strategy should be deployed at all. My personal sentiment here is that the users themselves are responsible for the security of their data. And in environments where security is of special interest, some security enhancements such as SELinux with role-based access are proper.
On Friday 24 March 2006 21:52, Orn E. Hansen wrote:
Backdoors have been notorious in Unix systems. I've got one notorious one in mind, that was embedded into the C compiler itself when compiling "login.c". [...] It has little to do with the design of the system. It has a lot more to do with how the Linux community is, as in open source and regular updates. A program pretending to be the "bash" shell, for example, is not going to live long, because it's going to be removed and reinstalled pretty regularly. And trying to put something inside a ".profile" script or similar is likely to be discovered, as most Linux users are enthusiasts who are fiddling with these things all the time. As in this community source code is likely to be scrutinized by many, especially on volatile systems.
I believe you were referring to this: http://www.acm.org/classics/sep95/ and one of Thompson's points was that you can't even trust the source -- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
On Friday, 24 March 2006 22:31, Anders Johansson wrote:
I believe you were referring to this:
http://www.acm.org/classics/sep95/
and one of Thompson's points was that you can't even trust the source
And a point well made ...
On Wednesday 22 March 2006 01:45, Linda Walsh wrote:
Mostly retrospective. Many break-ins in the real world happen because of some "anomalous" traffic going *out* from the system.
huh?
I want something that pops up a notice anytime any non-permitted program attempts any action that is out of the ordinary. If my "C" compiler attempts to open "/etc/passwd" with write access, or "/etc/shadow" with _any_ permission, I'd like to see that pop up in real time -- not wait for a log review sometime later when the log in question may have been tampered with or deleted.
ZoneAlarm monitors file accesses??? I thought it was only a simple packet filter. AppArmor does monitor file accesses, incidentally. -- Certified: Yes. Certifiable: of course! jabber ID: anders@rydsbo.net
On Tue, 2006-03-21 at 16:45 -0800, Linda Walsh wrote:
I want something that pops up a notice anytime any non-permitted program attempts any action that is out of the ordinary. If my "C" compiler attempts to open "/etc/passwd" with write access, or "/etc/shadow" with _any_ permission, I'd like to see that pop up in real time -- not wait for a log review sometime later when the log in question may have been tampered with or deleted.
Then write ZoneAlarm and have them port their software over for you. And if "your" "C" compiler attempts to write to /etc/passwd, you are not being careful, by not checking the source you are trying to compile. -- Ken Schneider UNIX since 1989, linux since 1994, SuSE since 1998
Tue, 21 Mar 2006, by suse@tlinx.org:
Someone wrote:
Run a firewall like SuSEfirewall. The default setup should protect you 10 times better than you are protected on your Windows box.
I enable logdigest on my servers that are connected to the net and I configure it to mail me every hour, so I can see relatively quickly if something goes wrong.
---- The above says it all: instead of having an interactive tool that requires the interactive user's permission, most Linux users have to rely on a "log file" -- that _retrospectively_ will tell you what has happened on your box.
It doesn't allow you to permit/deny traffic in real time, nor does it allow real-time interactive firewall rule construction based on usage.
See, you don't need to if you have an OS which uses a well-defined, and controllable set of network connections, instead of an arbitrary number of ports and protocols that nobody understands or wishes to know about. If I install a Linux system then *I* decide which service listens to what, *not* the "inventor" of the OS or application, as is the case in Windows.
It isn't about the relative strengths of security but about real-time interactivity. Linux is poor in real-time, interactive controls and monitoring.
1st BS. Where is the 'tail -f' util in Windows? Where is the 'ifconfig eth0 down' command in Windows in case of an emergency? Where are the zillion other *nix monitoring applications, freely available on SF.net, for Windows?
I find the discussion about how the user should or shouldn't be doing things amusing -- i.e. "Dear ex-windows user: um, we don't have the features and abilities you want, so we want to educate you on what you think you should want and give you lots of reasons why what you want doesn't really protect you (which is what we wanted to tell you what you really wanted)." Bleh!
Well chosen argument.
*Differences of Win vs. Linux Security model*
There is a fundamental difference in the security model and tools available for windows and for linux. With Windows, you only have the concept of one active user at the desktop -- and that user usually "owns" the computer and usually has that computer to themselves.
Apart from all the others that also 'own' that box you mean.
Such a design isn't where Linux has come from. Linux is descended (in thought and design concept) from unix -- which was designed for multi-user computer sharing -- usually with no one at the console. It wasn't designed for attended monitoring 24x7, whereas Windows is
BS #2. "Attended monitoring" is something different from some poor luser looking at a screen 24/7. In *nix, operators are way smarter than that, and have learned to rely on countless scripts to make life with *nix easier and more reliable. Something Windows users haven't learned yet in the 10-odd years their system has existed.
designed from the point of the "single-user", who is usually in attendance when the computer is being used.
Yeah, "point, click, drooll, repeat"
In the Windows philosophy of _past_, nothing should happen on your computer unless you "instigate it". NOTE: there is a difference between the historic use of 1-windows user/computer and later editions of Windows used as a server. Even Windows as a server isn't designed as *nix has been. Multi-user *nix was the norm and it has been
Then why do you later on claim NT was derived from "mainframe OS principles"? The MS team was helped out by DEC VMS people, a mini-computer OS. NT itself of course, is nothing like VMS. That's BS #3
adapted for single-user use. With windows, it is the opposite -- it was designed for solo, non-networked use and has been adapted for network use.
"Very poorly" you should add.
Everything about Windows was designed for "interoperability" with other Windows computers in a "non-threat" environment. *nix was
Like in a bunker with 40" walls and absolutely no network anywhere near the place.
designed for separating users to allow multiple "academics" to share information, but still keep them separate. It harks back to "Multics", which was designed with security in mind in the 1960s, but I digress.
And still you wonder why *nix has no need for "personal firewalls"..
Windows in its current incarnation (XP as version 5.1 of "NT") is similar in design to many current *nix implementations. NT was _supposedly_ descended from mainframe OS principles. Like *nix, NT supports multiple users. Like *nix NT supports levels of privileged
Uhm, it can serve files to multiple users, yes, but so can DOS. That is not the same thing as being a multi-user OS. Only Windows 2003 Server can really give e.g. a remote desktop to more than one person simultaneously.
code. NT has superior security features to many *nix implementations,
They managed to hide it well, good job there.
however, it's insecure by *configuration*.
When every damn configuration of the OS is unsafe to start with, it's very hard to see the safeness of the OS itself.
NT (as used for Windows XP sold for individual computers) is still configured for compatibility with the older, single-user Win9x systems. It is the default configuration for usability and compatibility that makes WinNT based systems less secure than their *nix counterparts.
Even though they've had, what, 10 years of experience, i.e. right from the start of Win95 (and even before), that "usability" and "compatibility" is basically an open door for malware. Smart people over there in Redmond.
Most NT applications require "root access" to install. Many NT applications install system drivers as part of their typical install. At least WinNT has the concept of 2 driver privilege levels: Ring 0 & Ring 1 (which is different from user processes that operate at Ring 3).
And what do they choose to do? Put all of the drivers that can do most of the harm in ring 0, and give every damn user full access via layers of mystic DLLs, explorer 'shortcuts' to the OS and graphics access calls.
Few, if any, *nix systems use more than the 2-ring security model. Single-process capabilities have been present in NT since its 4.x days -- likely 3.x (though I had no experience w/such). Linux had process capabilities so screwed up that they were completely disabled in 2.2.16 (~2000) as a critical security flaw because the implementors and reviewers of capabilities in Linux, /at the time/, had a fundamental lack of understanding of how they should work.
If you say so (but you've been giving so much BS already..), but even if it's true, it was solved so fast few people even knew about it. Known fact is: *nix security works, Windows's doesn't.
One of the worst offenders is *non-system software* -- _games_ in Windows. How many games try to install "copy-protection" into a user's computer by attempting direct access to the hardware and/or by installing specialized drivers? Such applications are uncommon in *nix. In historic *nix systems, users _couldn't_ install applications requiring direct-hardware access.
That was because the virtual layer in /dev was adequate to use all of the hardware that existed in those days, without messing with ports and interrupts like windows required.
I could go on for ever on the differences in design, but suffice it to say: if the Linux desktop "shell" required constant "root access" to install and run hardware, and if it provided all of the "automatic" features of Win XP, it would be just as insecure (perhaps more so) as Windows.
We have a saying in Holland: "als m'n tante een pikkie had gehad was ze m'n oom geweest" (if my aunt had had a willy, she'd have been my uncle). And you are now just FUDding to make your own point. *nix /doesn't/ do that, and that's _why_ it's much more secure. Looking for non-existent reasons why *nix would also be insecure is BS #4
Some claim it would be "possible to provide the same functionality in *nix". I challenge you to do so with the same constraints on ease of install and control for whatever user is using the desktop. It won't be easy:
So, nothing's lost, only for those who wish to make another Windows out of *nix. [snip babbling about "zonealarm" functionality]
Note -- manual, human-based *logfile review* is _unacceptable_. It is _reactive_, time consuming and error prone. In the one-hour between being mailed "logs", a well qualified hacker could be in, plant a trojan and clean up the logs to remove a trace of their being there. If you have to sleep or go on a vacation for any number of days, you have even less responsiveness to intrusions.
Like I said before: *nix admins are smarter than their Windows counterparts; they know and use the powers of scripting to the full, and let the machine do the work of man. You remind me of "Lost", where in the 2nd season the people have an Apple computer, and for some reason (we're not that far yet in Holland), every 108 minutes someone has to type in a series of numbers to keep the damn thing happy. HELLO! They have a bloody computer there! How bloody hard is it to make the thing do that on its own, even on an Apple!? Windows admins, I find, work in the same way, laboriously doing the same thing over and over by hand that could much more easily be done by their computer.
Sorry, but in my opinion, Linux is considerably more lacking in real-time, interactive security response tools that talk to the active user. In the absence of a real-time, at the console user, traffic is *blocked*. This is very *untrue* for the average *nix system, where systems are expected to run "unattended".
You think so, because you obviously have no real experience with administering a *nix system for any length of time, so you think with your Windows-half of your brain when you see a *nix box.
None of this should be taken to mean that Linux, as used today, is less secure than Windows -- but it easily could be if it was _configured_ to be as easily interoperable as WinXP is (by requirement of legacy compatibility).
"Interoperability" you claim, of an OS that knows only it's own tongue. - There's no recognition of other hardware filesystems than MS's - No recognition of network filesystems other than MS's - No compiler support for programming languages other than MS's chosen few - No support for other CPU architectures other than i386 Shall I go on? That's BS #5
It should be noted that the main hindrance to good security is _usability_. The less usable a security system is, the more likely users are to find a way to work around it.
As proved by NT's ACL system, that few people understand, and even fewer actually use. The *nix file permission system may look (too) simple to you, but it is practical, easily understandable, and in 99% of the cases all that's needed.
The presence of an easy-to-use, interactive, graphical firewall configuration tool that allows real-time monitoring and feedback -- so a user can see that if an application wants web access, they get immediate prompting that tells them the application is attempting network access, informs them what application(s) are attempting what type of internet access. Post examination of log files doesn't provide that type of interactive training.
"training" to get really fed up with the 'n'th warning of that stupid thing, and either disabling the damn thing, or say "y" or "n" to every warning, whatever it takes to shut it up.
FYI -- I do have Linux log files that show me blocked outgoing firewall traffic. It isn't uncommon to see applications (running on Windows through a Linux proxy server) simply and mysteriously "not work". It's only later, if I examine log files and remember what I was doing at the time, that I find that I couldn't watch some "video" because my firewall blocked outgoing ports from my "http-proxy" (squid) to some site. It is rare that I know why the application(s) failed at the time they fail -- there is
So, that's you being less-than-knowledgeable about network protocols. Don't come here blaming Linux for your lack of experience.
no interactive message to tell me that a forbidden network traffic type is being automatically blocked. That is way less usable (and useful) than having a popup instantly tell me that my attempt to play some video is accessing some weird port, that isn't in the normal video port
If you need to run applications on Windows of which you don't know what they do, but you think they should "just work", then why the hell do you run a firewall in the first place? Just turn it off, because with a Windows "firewall" you would give permission to go out to the Internet under any circumstance anyway.
range. It's even less easy to "temporarily" allow one specific traffic request through. I.e., on Linux, I'd have to add some firewall rule, go back and run my app, then re-edit the firewall rule to remove the temporary access. **Very** inconvenient. That's not my idea of _usable_ security.
No, that's your idea of how *nix should work exactly like Windows. Well, news-flash, it doesn't! Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131 SUSE 9.2 + Jabber: muadib@jabber.xs4all.nl Kernel 2.6.8 + See headers for PGP/GPG info. Claimer: any email I receive will become my property. Disclaimers do not apply.
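Linda's squid example above (an application "mysteriously" failing, with the reason only visible later in the firewall log) and the hourly logdigest mail mentioned earlier in this message both come down to reading netfilter LOG lines. Here is an added example, not from the thread and not logdigest's or SuSEfirewall2's code, that does both: a digest of dropped outbound connections per destination, and a per-line alert formatter that can be hung off `tail -F` for the near-real-time notice she asks for. It assumes the OUTPUT-chain LOG rule used the prefix "EGRESS-DROP" (an assumption; use whatever `--log-prefix` your rule sets) and parses the kernel's own IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields. SAMPLE_LOG is constructed test data, including one inbound drop and one unrelated sshd line that must be ignored.

```shell
#!/bin/sh
# Added example: digest and alert on netfilter LOG lines for dropped
# outbound traffic. Not logdigest or SuSEfirewall2 code. The "EGRESS-DROP"
# prefix is an assumption (whatever --log-prefix the OUTPUT LOG rule used);
# the KEY=VALUE fields are the kernel LOG target's own format.

# Constructed sample data: two blocked attempts to reach an RTMP port, one
# blocked SIP packet, one inbound drop with a different prefix, and an
# unrelated sshd line. Only the EGRESS-DROP lines must be picked up.
SAMPLE_LOG='Mar 21 16:45:01 gw kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=43210 DPT=1935 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 21 16:45:02 gw kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=43211 DPT=1935 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 21 16:45:05 gw kernel: EGRESS-DROP IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4713 DF PROTO=UDP SPT=5060 DPT=5060 LEN=64
Mar 21 16:45:09 gw kernel: INBOUND-DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 21 16:45:11 gw sshd[2134]: Accepted publickey for linda from 192.168.1.20 port 51022 ssh2'

# awk program shared by both functions: walk the KEY=VALUE tokens of one LOG
# line and emit "proto src dst dport" ("-" when there is no DPT, e.g. ICMP).
# fflush() keeps output unbuffered so the alert pipeline reacts at once.
FIELDS_AWK='{
    proto = "?"; src = "?"; dst = "?"; dpt = "-"
    for (i = 1; i <= NF; i++) {
        n = index($i, "="); if (n == 0) continue
        k = substr($i, 1, n - 1); v = substr($i, n + 1)
        if (k == "PROTO") proto = v
        else if (k == "SRC") src = v
        else if (k == "DST") dst = v
        else if (k == "DPT") dpt = v
    }
    print proto, src, dst, dpt; fflush()
}'

# egress_digest: syslog on stdin -> "count proto dst:dport", busiest first.
# This is the hourly-mail view: which destinations are being refused.
egress_digest() {
    grep 'EGRESS-DROP' | awk "$FIELDS_AWK" \
        | awk '{ c[$1 " " $3 ":" $4]++ } END { for (k in c) print c[k], k }' \
        | sort -rn -k1,1
}

# egress_alert: one human-readable line per drop, as it happens.
#   tail -F /var/log/messages | egress_alert
egress_alert() {
    grep --line-buffered 'EGRESS-DROP' | awk "$FIELDS_AWK" \
        | while read -r proto src dst dpt; do
            printf 'blocked outbound: %s -> %s:%s/%s\n' "$src" "$dst" "$dpt" "$proto"
        done
}
```

For a desktop popup rather than a terminal line, the alert output can be fed line by line to `kdialog --passivepopup` on KDE 3. What the log record cannot give you, no matter how it is presented, is the program: netfilter logs addresses and ports, not process names, so "which application is accessing what" is exactly the question the AppArmor pointers in this thread are for.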
On Tuesday 21 March 2006 21:55, Linda Walsh wrote:
It isn't about the relative strengths of security but about real-time interactivity. Linux is poor in real-time, interactive controls and monitoring. <large snip>
Linda - general point: Linux must be doing something right - it has former Windows users like yourself trying it out. But if you want to learn to drive a car as opposed to riding a bicycle, you put the time in. Sorry, but you have to do that here with Linux. You seem to be looking for a Microsoft Windows (behaviour-wise) that is not Microsoft Windows (drawbacks-wise) - doesn't exist, I'm afraid. You either use Microsoft Windows and put up with its general crappiness, or use Linux and invest some time in changing over. Part of this involves asking a specific question about a specific problem you have. Your long spiel does not do that (although Anders and others have tried to pick out question-like things under the general rant). Frankly, new users coming here and saying "this Linux thing better work the way I'm used to, or I'm not going to use it" cuts no ice here - most of us have heard this sort of thing many times before, and Linux' market share is still rising. So my general advice would be to step back, do a bit of research (most of the things you are looking for are available in some firewall package (of which there are dozens on Linux) - try Guarddog, Firestarter, etc), and cut down on the whingeing. -- Pob hwyl / Best wishes Kevin Donnelly www.kyfieithu.co.uk - KDE yn Gymraeg www.rhedadur.org.uk - Rhedeg berfau Cymraeg www.cymrux.org.uk - Linux Cymraeg ar un CD
Kevin Donnelly wrote:
On Tuesday 21 March 2006 21:55, Linda Walsh wrote:
It isn't about the relative strengths of security but about real-time interactivity. Linux is poor in real-time, interactive controls and monitoring.
Linda - general point: Linux must be doing something right - it has former Windows users like yourself trying it out.

I thought I should correct this impression. I'm coming from a Unix & Linux background and have been using Windows more. I've been using *nix (including Gnunix since ~'99) in companies since '89.
I've started using Windows more because of Linux's shortcomings. That doesn't mean Windows is *perfect* or necessarily even "better", it's like trying to decide which is better: "apples" or "oranges". -l
On Sun, 12 Mar 2006 21:36:11 +0100, you wrote:
On Friday 10 March 2006 18:05, Daniel Bauer wrote:
As much as I understand it (and I don't understand very much :-) ) the SUSE-firewall doesn't care about which application is using a specific port, so in my opinion it could easily be possible for a maleficent program to get an internet connection.
maleficient? Please tell me you got that from babelfish :)
Yes it's easy for a program to get internet access in linux, SuSEfirewall2 won't block outgoing connections by default. If you worry about these things, you might want to look at AppArmor, which is included by default in 10.0 and can block much more than just network access
zonealarm isn't exactly the solution. It's not too difficult to defeat, so the only thing you get from it is a false sense of security. If you're worried about outgoing connections, the only real solution is to only run software you trust.
On systems that I'm forced to run Windows on, I use both Norton SystemWorks (includes antivirus) and ZoneAlarm. ZoneAlarm is configured ENTIRELY to prevent outgoing access from software that's not supposed to be requesting internet access - the whole network is behind a normal firewall, which is (besides being a normal firewall) also running snort_inline - which is configured to monitor inbound AND outbound traffic. Any bets which direction causes me more trouble? Seriously, ZoneAlarm is really pretty good if you use it the way I do - to catch ET phoning home. I recommend that everyone who thinks Microsoft "really isn't that bad" watch it for an average week. Mike- -- If you're not confused, you're not trying hard enough. -- Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
On Friday 10 March 2006 08:25 am, Shriramana Sharma wrote:
I wonder how SUSE Firewall works.
Back in Windows, with ZoneAlarm, when I first install it, it asks me for permission and preconfigures my default browser and mail client to access the net. After that, every new application that tries to access the net or every incoming connection from the net, it asks me for permission.
Don't forget how it then goes about mucking up the rest of your already messed up registry and never gets truly uninstalled, even when you install a good software firewall like Outpost. Unfortunately, my Cisco client for Windows comes with a ZA component.
But SUSE Firewall never asks me anything.
How do I know which applications it forbids and which it allows? How does it know which applications to forbid and which to allow?
Yast > Security and Users > Firewall. There's a ton of fun configuration details there. I currently have my firewall off but if you have it enabled it defaults to things like turning off ports you probably don't need.
I would much prefer a ZoneAlarm-like firewall that tells me what it is doing.
No, you don't. It just sucks up resources. Next thing you know, it's going to be saying, "Dave...that's not a good idea. What are you doing, Dave?"
Please share your knowledge with me. Thank you.
Check out the user manual, chapter 23 either in your dead tree version or online. There's also a program, called AppArmor, which does.... ...um.... ...well.... ....actually I have no clue what it does and can't find anything on it, but I'm sure it does something good. -- kai - www.perfectreign.com www.livebeans.com - the new NetBeans community 43...for those who require slightly more than the answer to life, the universe and everything.
On 3/10/06, kai <kai@perfectreign.com> wrote:
There's also a program, called AppArmor, which does....
...um....
...well....
....actually I have no clue what it does and can't find anything on it, but I'm sure it does something good.
From what I understand AppArmor "hardens applications" -- so I think that means it's a tool for doing a fancy "chroot jail" of an application. p
On 3/10/06, Shriramana Sharma <samjnaa@gmail.com> wrote:
I wonder how SUSE Firewall works.
Like a real firewall
Back in Windows, with ZoneAlarm, when I first install it, it asks me for permission and preconfigures my default browser and mail client to access the net. After that, every new application that tries to access the net or every incoming connection from the net, it asks me for permission.
But SUSE Firewall never asks me anything.
A firewall is not supposed to ask you questions, it is supposed to protect you from the outside. Again the Windows philosophy has managed to screw up the perception of how a computer (or in this case a firewall) is supposed to work. ZoneAlarm protects your PC from outside access (or at least that is what it is supposed to do), but it also protects the rest of the world against your PC. Because Windows suffers from viruses and spyware which send out information to the outside world and "phone home" or infect other machines, you need to also monitor outgoing connections on a Windows box, that is why ZoneAlarm asks you every time an app tries to contact the outside world. But, on Linux, we do not have the virus and spyware problem, so we don't need to police our own machine so intensely. The normal firewalls (like what UNIX and Linux, etc use) normally only block incoming traffic, as they are supposed to protect you from the outside world and not the other way around. But, it is also possible to let a real firewall check both ways of the traffic and I believe this is normally done when the internal network contains Windows machines or when they want to prevent employees from using certain protocols. So, under normal circumstances, you do not need to worry about which application is accessing what, except if you think that your machine has been compromised, but then you need to use a rootkit tool to find the breach.
How do I know which applications it forbids and which it allows? How does it know which applications to forbid and which to allow?
The firewall does not monitor applications, but ports, and it normally only monitors ports for outside access. You can set up your firewall to log everything and then you see in the logs exactly what it is doing. You can also use "netstat -pant" to show you all the active connections and which applications are using them. Or you can use something like Ethereal to see exactly what traffic is going where on your machine. There are other tools available too, but I cannot think of the names now.
I would much prefer a ZoneAlarm-like firewall that tells me what it is doing.
I don't trust ZoneAlarm as far as I can throw it, because I am not really sure what it is doing. The fact that it pops up a nice little window that informs me that FireFox wants to access the net does not give me much confidence. I am interested in who is accessing which ports on my machine and I want to see it in real-time as close to the source as possible. I don't have a clue what ZoneAlarm is really doing and what it is showing me. Is it the same thing? ZA feels to me like a black box and I have to trust that what the UI is showing me is what it is actually doing, but I cannot go and look inside to see what is really happening. With the Linux firewall I can go and do a dump of the iptables rules and see what it is supposed to do and then I can check my ports and traffic to see if it is really doing what it should. Hope this helps a bit to explain a bit of how a firewall works. (Although I am not a security expert, but I have played around with a few firewalls and experimented a bit) If you don't trust your own PC or the users of your PC, you can use AppArmor to only allow certain applications to be used. This can be very handy, but it is also a process to set it up, as you need to know precisely which libraries are accessed by an application, etc. But it should prevent unauthorised applications (like spyware, if any exist and are viable for Linux) from running. -- Andre Truter | Software Engineer | Registered Linux user #185282 ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.co.za ~ A dinosaur is a salamander designed to Mil Spec ~
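One way to carry out the check described in the reply above (dump the iptables rules, then compare them with what "netstat -pant" shows) as an added example that is not part of the thread: it assumes bash with awk, sed and grep, and both dumps it parses are constructed sample output, not captures from a real SUSE box.

```bash
#!/bin/bash
# Added example, not code from the thread: cross-check what is listening
# (as "netstat -pant" shows it, port -> program) against an iptables INPUT
# dump to see which services the firewall really exposes. Both dumps below
# are constructed sample output; on a live box feed in the real commands.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address     Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631     0.0.0.0:*         LISTEN      1300/cupsd
tcp        0      0 0.0.0.0:5900      0.0.0.0:*         LISTEN      2002/x11vnc
tcp        0      0 192.168.1.5:45678 64.233.167.99:80  ESTABLISHED 2100/firefox-bin'
IPTABLES_SAMPLE='Chain INPUT (policy DROP)
target     prot opt source      destination
ACCEPT     all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:22'

# "addr port program" for every LISTEN line of a netstat -pant dump.
listening_sockets() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" {
        addr = $4; port = $4; prog = $7
        sub(/:[^:]*$/, "", addr); sub(/.*:/, "", port); sub(/^[0-9]+\//, "", prog)
        print addr, port, prog }'
}

# TCP destination ports opened by ACCEPT rules in an "iptables -L INPUT -n" dump.
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '$1 == "ACCEPT" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) if ($i ~ /^dpt:[0-9]+$/) { sub(/^dpt:/, "", $i); print $i } }'
}

# Classify each listener: LOCAL (bound to loopback only), EXPOSED (an ACCEPT
# rule opens the port, or the chain policy itself is ACCEPT) or BLOCKED.
audit_listeners() {
    local open_ports policy addr port prog status
    open_ports=$(accepted_tcp_ports "$2")
    policy=$(printf '%s\n' "$2" | sed -n 's/^Chain INPUT (policy \([A-Z]*\)).*/\1/p')
    listening_sockets "$1" | while read -r addr port prog; do
        if [ "${addr#127.}" != "$addr" ]; then status=LOCAL
        elif printf '%s\n' "$open_ports" | grep -qx "$port"; then status=EXPOSED
        elif [ "$policy" = ACCEPT ]; then status=EXPOSED
        else status=BLOCKED; fi
        printf '%s %s %s\n' "$status" "$port" "$prog"
    done
}

audit_listeners "$NETSTAT_SAMPLE" "$IPTABLES_SAMPLE"
```

A BLOCKED line is a service nobody outside can reach, while an EXPOSED line that you did not expect (here a VNC server would be one if the policy were ACCEPT) is what the iptables log and a sniffer are then worth pointing at.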
On Friday 10 March 2006 11:25, Shriramana Sharma wrote:
I would much prefer a ZoneAlarm-like firewall that tells me what it is doing.
Please share your knowledge with me. Thank you.
playing with KDE 3.51 on SUSE Linux 10.0
Here is the link for Guarddog on Packman for SUSE 10. It might meet your requirements. http://packman.links2linux.org/index.php4?action=402&vn=2 regards, columbo -- SUSE 9.3 Pro - KDE 3.5 "If the world should blow itself up, the last audible voice would be that of an expert saying it can't be done." - Peter Ustinov