[opensuse] Re: Who said Linux doesnot get Virus infections
John E. Perry wrote:
Joachim Schrod wrote:
... Let me propose another hilarious 5-step process:
1. Read the LWN.net security page.
OK, so I did.
2. Detect how many exploits are based on data files, and not on executables. just last week: ...
Not a single exploit listed. Many vulnerabilities, almost all qualified as "user-assisted" or "local".
I wrote that they are local. That's what step 4 was for. User assisted is not relevant here, when these are exploits that are triggered by looking at images, or videos, or ads on web pages (the flash plugin exploit), or PDF files that are fetched from the Internet.

Please note that exploits exist for most of these vulnerabilities, as described in the CVEs. Also, please note that exploits for similar vulnerabilities in the Windows world are actively used. Black hats don't attack Linux desktops on a large scale because they try to create large botnets with leveraged (distributed) C&C control, and there are not enough Linux desktops out there to make them a worthwhile target. If Linux systems are really attacked, it is currently for specific targeting. But that's a matter of interest on the black hat's side, not a matter of missing vulnerabilities with existing exploits in deployed systems.

When we do security and penetration tests at our customers, we can take over Linux boxes with 90% confidentiality. In 50% of the cases, something as simple as running metasploit is sufficient.

But, as you can read from the other answers to my post, these results are obviously dreamed by me and my customers pay for nothing, because "every linux/unix/*ix box on the planet is not owned by hackers and spammers while so many possible exploits exist", as Ken Jennings put it so succinctly. No, no, no. "Every ... is not owned" -- guys, now I've got it: There are *NO* owned Linux boxes out there, none at all. You read it here, so it's true. I should close down the part of my company that's testing and securing linux/unix systems for my customers; it's not necessary.

Well, by public acclamation, I seem to be wrong, and rest my case.

Joachim
--
Joachim Schrod Email: jschrod@acm.org
Roedermark, Germany
On Thursday, 23 August 2007 10:41, Joachim Schrod wrote:
But, as you can read from the other answers to my post, these results are obviously dreamed by me and my customers pay for nothing, because "every linux/unix/*ix box on the planet is not owned by hackers and spammers while so many possible exploits exist", as Ken Jennings put it so succinctly. No, no, no. "Every ... is not owned" -- guys, now I've got it: There are *NO* owned Linux boxes out there, none at all. You read it here, so it's true. I should close down the part of my company that's testing and securing linux/unix systems for my customers; it's not necessary.
Well, by public acclamation, I seem to be wrong, and rest my case.

It's true what he says, we've to face the fact, we're not invincible (yup, even if some of us like to propagate). The fact that Linux/Unix structure is different to Windows doesn't make it unattackable, some things might be more difficult, right. But a desktop system is always vulnerable, user wants to have this comfort and pay the bill - same as in Windows.

Something different might be on the side of the server systems, where almost no user actions are taking part, it's rather difficult to exploit them (if maintained correctly).

Greetings
Michael

(yeah, I know I'm making myself unpopular :P but face it, we wanted everyone to believe it, that Linux is invulnerable ("No Viruses", "Very secure", etc.) we gotta be honest with ourselves and remember, we're not invulnerable - this becomes especially important when we introduce new members! Letting them believe they can do everything with Linux and being safe of every form of attack is wrong! We gotta educate and strengthen their sense for a 'good' Internet behaviour.)
Michael Skiba wrote:
On Thursday, 23 August 2007 10:41, Joachim Schrod wrote:
But, as you can read from the other answers to my post, these results are obviously dreamed by me and my customers pay for nothing, because "every linux/unix/*ix box on the planet is not owned by hackers and spammers while so many possible exploits exist", as Ken Jennings put it so succinctly. No, no, no. "Every ... is not owned" -- guys, now I've got it: There are *NO* owned Linux boxes out there, none at all. You read it here, so it's true. I should close down the part of my company that's testing and securing linux/unix systems for my customers; it's not necessary.
Well, by public acclamation, I seem to be wrong, and rest my case.
It's true what he says, we've to face the fact, we're not invincible (yup, even if some of us like to propagate). The fact that Linux/Unix structure is different to Windows doesn't make it unattackable, some things might be more difficult, right. But a desktop system is always vulnerable, user wants to have this comfort and pay the bill - same as in Windows.
Something different might be on the side of the server systems, where almost no user actions are taking part, it's rather difficult to exploit them (if maintained correctly).
Don't forget, there are two types of desktop. The home or small business user, where anything goes, and the corporate desktop, where security is given significant consideration. Even "out of the box", Linux is vastly more secure than Windows. Now, get into the corporate world, where proper security measures are taken, there are other steps which further improve security.

In addition to the previously mentioned items, one thing Linux supports is mounting separate partitions (may even be located on a server) on the file system, with appropriate mount options. This means that any directory containing executables can be mounted read only. Also, any partition containing user writable directories can be mounted noexec, which means that even if an executable is installed, it will not run, no matter what the permissions say.

There are many other methods in Unix & Linux that combine to make them far more secure than Windows ever will be. For example, have you ever used a Windows app that requires admin privileges? If so, that means you've just opened up a security hole. In Linux, in the unlikely event that a user needs root permission, it's very easy to run only that one app and not affect anything else. Bottom line, there are far more barriers to security issues in Linux than in Windows.

Please note, I'm not claiming it's perfect, just far more secure, even for a newbie user.

--
Use OpenOffice.org <http://www.openoffice.org>
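The mount-option hardening described in the message above can be checked mechanically. The following is an added example, not part of the original thread: a shell function that reads a mount table in /proc/mounts format and reports user-writable mount points lacking noexec and executable mount points lacking ro. The two policy lists and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit mount options in /proc/mounts format.
# The two policy lists are assumptions for illustration, not from the thread.
WRITABLE_MOUNTS="/home /tmp /var/tmp /dev/shm"   # user-writable: want noexec
EXEC_MOUNTS="/usr"                               # executables: want ro

# audit_mounts [FILE]: read mount table lines (stdin by default) and print
# one finding per policy mount point that lacks its required option.
audit_mounts() {
    awk -v writable="$WRITABLE_MOUNTS" -v execs="$EXEC_MOUNTS" '
    BEGIN {
        n = split(writable, w, " "); for (i = 1; i <= n; i++) want[w[i]] = "noexec"
        n = split(execs, e, " ");    for (i = 1; i <= n; i++) want[e[i]] = "ro"
    }
    # Fields: device, mount point, fs type, options. A later line for the
    # same mount point is mounted over the earlier one, so the last one wins.
    { opts[$2] = $4 }
    END {
        for (mp in want) {
            if (!(mp in opts))
                print mp ": not a separate mount, inherits parent options"
            else if (index("," opts[mp] ",", "," want[mp] ",") == 0)
                print mp ": missing " want[mp]
        }
    }' "${1:--}" | LC_ALL=C sort
}

# Constructed sample mount table (not taken from any real system).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext3 rw,relatime 0 0
/dev/sda3 /usr ext3 ro,relatime 0 0
/dev/sda5 /home ext3 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

sample_mounts | audit_mounts
# On a live system: audit_mounts /proc/mounts
```

noexec stops direct execution of files on that mount; a script handed to an interpreter installed elsewhere is still read as data, so the option is one barrier among several.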
On Thursday, 23 August 2007 16:18, James Knott wrote:
Please note, I'm not claiming it's perfect, just far more secure, even for a newbie user.

That's exactly my point, sure it's far more secure (first of all it's secure by design, that's an important point), but more secure doesn't mean invincible, that's my problem, you can read it in so many magazines or on websites, which claim that there are no threats for Linux, and that's just wrong. Imho we should be honest and admit that even we (and that's only natural, every software has its weakness, the more installed, the more possible weaknesses there are) could get confronted with such threats. Of course we're still more secure than Windows (it's BAD* software), but we're not invincible.

And we have to teach the users to have an open eye, i.e.: Do you think someone new to Linux can possibly detect a root kit or something else? In most cases he doesn't even have an AV software or similar installed on his Linux box (and I blame that on those who proclaim Linux doesn't need such things because it's invulnerable). Under Windows we'd probably at least have a virus scanner (probably a bad one, probably one which is modified by a virus or another threat, but it's there) and see: 'oh sh*t something is going wrong here' (doesn't protect him from re setup his machine, but he detects it). Now imagine how long such a user would work/surf/enter sensible data with this root kit installed? Probably a very long time (and I'm not talking about a total newbie, I'm talking about the kids which have some experiences in Windows and now think when they're under Linux they can set up their own webserver, with mysql db and whatever and post it on the net, without wasting a thought about security, an easy target).

Greetings
Michael

*Broken as Design
participants (3)
- James Knott
- Joachim Schrod
- Michael Skiba