[opensuse] Re: A BIG "show stopper" for openSUSE at the corporate level anyway!!
On Wed, 09 Jul 2008 22:39:48 +0200, Anders Johansson wrote:
On Wednesday 09 July 2008 20:57:29 Jim Henderson wrote:
Because just like Antivirus on Linux, the only thing that AppArmor is doing is preventing a user-initiated program from making changes to the system; changes that wouldn't happen if the user were being smart.
AppArmor primarily exists to protect servers. It has nothing whatever in common with anti-virus programs.
Sure it does - both have the job of protecting the system from harm caused by malicious code. They use different methods - and I fully agree that AppArmor does a *better* job because it defines behaviours rather than specific code signatures. If I could use AppArmor to protect my *documents* from being changed without my knowledge, that'd be great. That'd solve the problem entirely.
Servers generally don't need user input to do something, they wouldn't scale very well if they did - this is why they need extra protection.
So we just continue with assuming that all Linux users are smart enough to not do something stupid to their system?
If apache required the sysadmin to confirm each and every GET or POST, then we would never have any issue with defacements, and apparmor would not be needed, you are correct
That's exactly my point. If "we" require users to confirm every single file open/read/write operation is happening in accordance with expected behaviours of a program, then we make the user less efficient. With the power of todays machines, is even a 5% performance hit even worth worrying about in *most* applications? Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 07/10/2008 05:34 AM, Jim Henderson wrote:
So we just continue with assuming that all Linux users are smart enough to not do something stupid to their system?
Of course they are, but stupid is incredibly limited as a Linux user as compared to Windows, by design. IOW, a stupid Linux user stands a much better chance of NOT messing their system up because of their stupidity simply because they cannot write to privileged file system areas, whereas a smart Windows user can get their machine infected and potentially damaged just by surfing the internet or in some cases just by going online. -- Joe Morris Registered Linux user 231871 running openSUSE 10.3 x86_64 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Thursday 10 July 2008 06:39:47 am Joe Morris wrote:
On 07/10/2008 05:34 AM, Jim Henderson wrote:
So we just continue with assuming that all Linux users are smart enough to not do something stupid to their system?
Of course they are, but stupid is incredibly limited as a Linux user as compared to Windows, by design. IOW, a stupid Linux user stands a much better chance of NOT messing their system up because of their stupidity simply because they cannot write to privileged file system areas, whereas a smart Windows user can get their machine infected and potentially damaged just by surfing the internet or in some cases just by going online.
Hi Joe, Everybody is talking about damage to the system which is important when machine is used by number of users. When one goofs his home no one else suffers, unless he has access to some common documents and that is in case of multiuser machine likely happen. Even in case of one person computer data loss, or unauthorized access is bigger problem than 40-50 minutes reinstallation time. System is almost impossible to break, but the reason for computer system existence, to work on some data, is still fragile. There is many solutions to remedy this, but none is comfortable and will not be used by majority that have no idea what can happen until it is too late. How many times we had here questions: "I'm only user on this computer, why password? How to disable it?" and requests to make that default for everybody. That is how majority thinks and that is where antivirus solution makes sense. With all holes in windows I needed antivirus 2 times. Firewall was on all the time. I retired my old XP without single reinstallation, and in the same time I reinstalled many times all kind of windows for friends. The difference, I kept firewall and antivirus up to date, didn't looked for trouble in all corners of Internet, learned where to find information about treats. They often let subscription to run out, skipped virus definitions update (it takes too much time), went in any place that was linked somewhere. The difference is usage pattern and experience, and that Jim tried to tell few times. Average Linux user today is advanced computer user that knows a lot about computers and Internet, that is the reason they use Linux, while average computer user knows very little. The operating system in use will not change their knowledge. They don't want to know more than they think it is necessary to communicate, or browse the web. It is similar to automatic vs. manual transmission in cars. Manual is not much more to learn, it is cheaper and in average use lesser gasoline, but most of the people use automatic. -- Regards, Rajko http://en.opensuse.org/Portal needs helpful hands. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Of course they are, but stupid is incredibly limited as a Linux user as compared to Windows, by design.
yesterday evening, this was demonstrated (for me). One of my daugther was on internet and received a thrilling message: "your computer is under attack!", there was a list of files given with a menu "delete" or "cancel". she chosed "delete" then she had "write the setup". "Yes" or "no", she said "yes"... then she phoned me (she is 180 miles away from me). I could say: don't worry and go ahead. AFAIK nothing was changed on his computer (openSUSE 10.2). I don't know what is this. probably an advertisement for some anti-virus software (I think it too visible to be a real attack, even for windows!), but how can be one so dumb to say yes in such circomstances? probably out of surprise, a nicely fitted message... the "best" windows virus I know could also be used in Linux: do you remember these messages asking to remove from the system the file with the nice small bear icon? that was a necessary file for windows to work and the user was only tricked to remove it hiself. if you make a nice message "given the dns exploit discovered recently, you have IMMEDIATELY to go root and remove the /etc/inittab file", how many users will follow the message (and I choosed for the example a not too serious instruction)... jdd -- Jean-Daniel Dodin Président du CULTe www.culte.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Friday 2008-07-11 at 08:12 +0200, jdd sur free wrote: ...
if you make a nice message "given the dns exploit discovered recently, you have IMMEDIATELY to go root and remove the /etc/inittab file", how many users will follow the message (and I choosed for the example a not too serious instruction)...
Serves them right! Next time they wont be so credulous :-P - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFId0UDtTMYHG2NR9URAiLrAJ0aYasMppQ/3eqoExnP/vHT+1N7ZwCeMUL6 bEPfWRAs1LeJpqIeR3V01v8= =N3vn -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Friday 11 July 2008 06:33:20 am Carlos E. R. wrote:
Serves them right! Next time they wont be so credulous :-P
Carlos, why you believe that people would not repeat mistake. Wrap it in another paper and you have new present. Opening it, is danger, but how do you know in advance. Let me repeat: Most of the current Linux users are not average computer users. Alone, fact that someone came on idea that Windows is not the only thing can drive computer shows more than average understanding of computers. I guess it is time to open page on wiki with topics like Internet Browsing (or how to browse using Linux safe practices), Using Email (or average Linux email setup) etc. We don't need it, but many does. -- Regards, Rajko http://en.opensuse.org/Portal needs helpful hands. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Friday 2008-07-11 at 20:11 -0500, Rajko M. wrote:
On Friday 11 July 2008 06:33:20 am Carlos E. R. wrote:
Serves them right! Next time they wont be so credulous :-P
Carlos,
why you believe that people would not repeat mistake. Wrap it in another paper and you have new present. Opening it, is danger, but how do you know in advance.
:-) Some of them will learn. It is not possible to protect against user stupidity, and the bad guys are very clever at exploiting it. Currently, I receive a lot of scams disguised as work-at-home-and-make-a-fortune, and I'm sure many souls fell prey to them, as unemployment is high here. The other popular scam is get-yourself-a-nice-wife from Russia, with a non-provocative photo of a 20-30-something girl. The v. medicine seems to be declining, same as the bank manager with a big sum to share with you from somewhere in Africa. Unfortunately, it is next to impossible to make the computer protect those users. It is best they get hit with some mild innocuous thing that acts as a vaccine for the next time.
Let me repeat: Most of the current Linux users are not average computer users.
True. And I hope it stays that way for many years :-P Or at least, I hope they are clever enough to hire me to setup their systems instead of some nephew ;-) )
Alone, fact that someone came on idea that Windows is not the only thing can drive computer shows more than average understanding of computers.
I guess it is time to open page on wiki with topics like Internet Browsing (or how to browse using Linux safe practices), Using Email (or average Linux email setup) etc. We don't need it, but many does.
Probably good idea :-) - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFIePsMtTMYHG2NR9URAoHLAJ94ATw8o8f4RrOqcXQ1WPF8X2DLxACfcENb LNzoqngcB9TpWu+ta5jbJ+8= =IyPH -----END PGP SIGNATURE-----
participants (5)
-
Carlos E. R.
-
jdd sur free
-
Jim Henderson
-
Joe Morris
-
Rajko M.