Radified Community Forums
http://radified.com/cgi-bin/yabb2/YaBB.pl
Rad Community Technical Discussion Boards (Computer Hardware + PC Software) >> PC Hardware + Software (except Cloning programs) >> (In?)Security of Linux
http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1202611835

Message started by MrMagoo on Feb 9th, 2008 at 8:50pm

Title: (In?)Security of Linux
Post by MrMagoo on Feb 9th, 2008 at 8:50pm
This thread is a split off of "Windows as secure as Linux", which has grown large enough to be a potential resource abuser.  

http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1161963588

Title: Re: (In?)Security of Linux
Post by Rad on Feb 9th, 2008 at 8:58pm
I don't think it's a resource problem, much as a potential for losing part of it, as we did with the other thread, which grew long.

Wonder if there's a way, beyond database back-ups, to back-up an individual thread.

I'll ask over at the YaBB forums.

http://www.yabbforum.com/community/YaBB.pl?num=1202612740/0

Again, excellent thread. (Go Linux!)

Title: Re: (In?)Security of Linux
Post by MrMagoo on Feb 9th, 2008 at 9:13pm

Quote:
Perhaps it is just a reflection of my own wry sense of humor, but I found the historical connection of “Linux” to “hacker” surprising.  Surely, Torvalds must have been aware of the evolving commonplace and negative understanding of the term at the time, even though it may not have corresponded to his own interpretation.  If I were creating a new software product—even today—and hoped for it to be widely adopted among consumers and businesses, I certainly wouldn’t “advertise” it as a tool “by a hacker for hackers.”  Very bad marketing, at a minimum.
People deep in the technical community such as Linus resent the morphing of the term hacker, and still use it in its old form - partially to spite the non-technical community that doesn't understand the *true* meaning of the word and partially because they like it the way it is.

Also, Linus has never been concerned with selling Linux to anyone.  He makes frequent reference to the fact that Linux doesn't have a marketing department, and implies that Linux development proceeds faster because it doesn't advertise or make attempts to put on a show.  Linus has a very purely functional view of how code should be written and how it should work - hence 'written by a hacker for hackers'.  He never worried about how an average user such as yourself might perceive Linux; his only concern has always been making it work well.

Fortunately, Linus still focuses his work on the kernel, where functionality is really all that is important.  Many other coders who understand the value of usability and presentation have joined various open source projects to develop the user facing part of the OS, which is how Linux has become prepared for growth in its user base outside of the technical community.

To this day, Linux has no marketing arm and relies on grass-roots marketing from its users.  As we've discussed in other threads, Linux continues to spread at a phenomenal rate percentage-wise, although its market share won't likely become significant for several more years.  Of course, Linux is used in many places besides the desktop.  From servers to cell phones, and movie theaters to the space shuttle, the success of Linux is actually quite impressive for a program started by one guy with no financial backing and given away to the world for free, so it would seem that some markets do value functionality over glossy marketing.

Title: Re: (In?)Security of Linux
Post by Rad on Feb 9th, 2008 at 9:15pm
He is something of a demi-god, no?

http://en.wikipedia.org/wiki/Linus_Torvalds

Title: Re: (In?)Security of Linux
Post by MrMagoo on Feb 9th, 2008 at 9:16pm
Lots of people listen when he speaks, that's for sure.

Title: Re: (In?)Security of Linux
Post by MrMagoo on Feb 10th, 2008 at 3:04pm
Off-Topic replies have been moved to this Topic.

Title: Re: (In?)Security of Linux
Post by Pleonasm on Feb 10th, 2008 at 4:39pm

Quote:
…an average user such as yourself

Ouch!   :(


Quote:
He is something of a demi-god, no?

Consider this comment by Torvalds:  “My name is Linus, and I am your God.”  Humility doesn’t appear to be a priority.

Title: Re: (In?)Security of Linux
Post by MrMagoo on Apr 1st, 2008 at 4:28am
The Can Sec West Security Conference last weekend demonstrated a point that I think got lost in this thread.

http://www.linux.com/feature/131059

A laptop running MacOS, Vista, and Ubuntu were set up for contestants to attempt to hack.  After 3 days, the Ubuntu laptop was the only one left.  On the surface, this indicates that it was more difficult for contestants to find a security flaw in Linux than the other two OS's, however, it is difficult to say how many contestants attempted to exploit each OS.

I think the more interesting point the conference demonstrated, which we made earlier but neglected to emphasize, is that applications and users' habits are exploited far more often these days than an OS itself.  On the first day of the contest, the exploit had to be directly against the OS.  No contestants even attempted to exploit any of the laptops.  On the second day, contest directors could be directed to click on links in web pages or open files by the contestants, and that's when the laptops started to fall.

No matter which OS is more secure, all OS's are far more secure than applications and ignorant users.

Title: Re: (In?)Security of Linux
Post by Pleonasm on Apr 8th, 2008 at 12:08pm
Thoughtful commentary on the advantages/disadvantages of several operating systems is in this article:  OS Smackdown: Linux vs. Mac OS X vs. Windows Vista vs. Windows XP

Title: Re: (In?)Security of Linux
Post by MrMagoo on Apr 28th, 2008 at 1:42am
Interesting article that details how Vista's UAC 'Security System' can be completely circumvented:

http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/

I'm glad these guys were able to get their application to run, but it also shows that the bad guys can get THEIR applications to run, too.

Title: Re: (In?)Security of Linux
Post by Nigel Bree on Apr 28th, 2008 at 2:16am
It's neither interesting, nor a circumvention. In fact, it gets a rating of "Well, duh". Anyone with more than a room-temperature IQ knows all that since it's plainly spelled out in MSDN. You still need to elevate once you to get your service installed.

Edit: Blah typo, "to" not "you"

Title: Re: (In?)Security of Linux
Post by Pleonasm on Apr 28th, 2008 at 12:52pm

Quote:
With the current Windows Vista security models, Microsoft can claim that Vista blocks system-modification tools from running at startup; but the truth is, there are still many ways to get them to run.

While it may not be a solution for NeoSmart Technologies' iReboot utility, it is easy to set a program to run at startup using Windows Vista’s Task Scheduler – and, optionally to specify that the job is to execute with “highest privileges.”  I don’t see that as a "security weakness” of Windows Vista, however.

Title: Re: (In?)Security of Linux
Post by MrMagoo on Apr 29th, 2008 at 1:04am

wrote on Apr 28th, 2008 at 2:16am:
You still need to elevate once you to get your service installed.

Very good point.  Malware authors would still need one elevation to get their code to run.  The guys in the article made it seem like a bigger deal.

Title: Re: (In?)Security of Linux
Post by Pleonasm on Apr 30th, 2008 at 7:41am
It appears that the activities of iReboot were not as 'smart' as one might have believed…


Quote:
The authors of iReboot, a program that sets which OS you want to reboot into, thought they were really clever when they rewrote their program so that Vista users didn't have to go through a UAC (User Access Control) check every time they ran it. Instead what they did was to make the users' systems vulnerable to attack betray their inexperience with Windows programming.

The authors had a classic bad Windows program to begin with, in that it required Administrator access, but their inaccurate assumption was that everyone on XP runs as Administrator anyway. On Vista the default is different, and even Administrators have to click a button to continue when executing privileged actions. So they rewrote their program into two halves, one a user mode interface, and the other a Windows service running in a privileged user context such as SYSTEM. The two communicate using standard IPC (interprocess communications).

They view what they did as programming around UAC, but it's not as clever as they think. In fact, the installer for their program required Administrator access and the user has to consent through Administrator access to the installation of a service like this. This means that the user has to trust the program that they install in this case, whether it's a legitimate service or malware.
Source:  New Windows Utility Claims To Bypass UAC

Title: Re: (In?)Security of Linux
Post by Nigel Bree on Apr 30th, 2008 at 8:22am

Pleonasm wrote on Apr 30th, 2008 at 7:41am:
This means that the user has to trust the program that they install in this case, whether it's a legitimate service or malware.

UAC Elevation implies absolute full trust of the thing you're running, regardless of whether you do it up-front at install time or later at action time. All they did is lift the check, no more, no less. This part of things is a non-issue. The same caveat in effect applies to every OS which uses this particular UI model, which is pretty much all of them that exist nowadays.


Pleonasm wrote on Apr 30th, 2008 at 7:41am:
Instead what they did was to make the users' systems vulnerable to attack

Nonsense. Whether they actually made the user's systems vulnerable depends entirely on whether there's an exploitable bug in their service component which could be used to do other actions, but there's no evidence of that from the descriptions and their application is so mindnumbingly trivial that it's hard to see why there would be one. Certainly the IPC mechanism is a potential attack vector, and whether it's exploitable is something that likely will be reviewed by some competent third party, but it's inappropriate to claim that it's an innately bad technique since this is the way that most non-trivial things have to be written for most OSes.

It's unfortunate that the need, these days, to be seen to overdesign for "security above all else" for marketing reasons tends to create more problems than it solves; software inevitably becomes more complex than it otherwise would need to be, and complexity is the enemy of security - it introduces additional attack surface you need to defend, and any complexity at all raises the chance of a mistake (and that's all most security flaws are, simple bugs that can be creatively magnified).

But then, such unintended consequences abound all over the place.

Title: Re: (In?)Security of Linux
Post by Pleonasm on May 18th, 2008 at 11:09am
Oh, my – this isn’t good news:  a highly significant flaw with a wide-ranging impact for users of Linux…


Quote:
A major problem has been revealed in Debian Linux and derivative packages, such as Ubuntu. Debian revealed the other day that a fix they made back in September 2006 had the unintended consequence of crippling the strength of their OpenSSL distribution.

OpenSSL is used, of course, for Secure Sockets Layer which provides authentication and encryption for web traffic, but it's also used for other cryptography functions. OpenSSL is a very important package that brought public key cryptography to the masses; prior to OpenSSL, https web sites were expensive and complicated to build.

The strength of public key encryption relies, in large part, on the large number of potential keys that could be used to encrypt data. Keys are often 1024 or 2048 or 4096 bits long; these store very large numbers so a brute force attack, trying all of the possibilities, could take a prohibitive amount of time.

But the bug introduced by Debian effectively reduces the strength of the key to 32768 permutations, which is 16 bits. Famed security researcher HD Moore has actually already pre-calculated all of the potential keys for the most common cases. It took mere hours. So now you can be hacked even without someone brute-forcing your encryption.

Because of its centrality, Linux sites are often deeply-reliant on certificates generated by OpenSSL to encrypt network traffic. Fixing the problem is not just a matter of updating the software; you also have to go back and generate new certificates and have them signed. This is complicated stuff, not for the novice Linux user. Expect tools to come along soon to help.
Source:  Major Cryptography Bug For Many Linux Users
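
The quoted article's two points, that a key is only as strong as the number of states its generator can be in and that patching alone does not repair keys already issued, shown as an added example (not part of the post or the quoted article). The key derivation is a constructed toy, not OpenSSL's generator, and the host names are hypothetical.

```python
import hashlib
import math
import os

KEYSPACE = 32768  # possible generator states, the figure given in the quoted article


def toy_keygen(seed: int) -> bytes:
    """Constructed stand-in for key generation: the output depends only on
    the seed, so two machines with the same seed get the same key."""
    return hashlib.sha256(b"toy-keygen:" + seed.to_bytes(4, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, as used in lists of known-weak keys."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist(keyspace: int = KEYSPACE) -> frozenset:
    """Enumerate every key the weak generator could ever have produced."""
    return frozenset(fingerprint(toy_keygen(s)) for s in range(keyspace))


def effective_bits(keyspace: int = KEYSPACE) -> float:
    """Entropy actually protecting the key, whatever its nominal length."""
    return math.log2(keyspace)


def audit(inventory: dict, blocklist: frozenset) -> dict:
    """Map each host to True if its key must be regenerated and re-signed."""
    return {host: fingerprint(key) in blocklist for host, key in inventory.items()}


def sample_inventory() -> dict:
    """Constructed inventory: one key from the weak generator, one from the OS CSPRNG."""
    return {
        "web01.example": toy_keygen(1234),  # issued while the flaw was present
        "db01.example": os.urandom(32),     # issued with full entropy
    }


if __name__ == "__main__":
    blocklist = build_blocklist()
    print(f"{len(blocklist)} candidate keys, {effective_bits():.0f} bits of entropy")
    for host, weak in audit(sample_inventory(), blocklist).items():
        print(host, "REGENERATE" if weak else "ok")
```

A host flagged here stays flagged after the software is updated, which is why the keys and certificates themselves have to be reissued.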

Title: Re: (In?)Security of Linux
Post by zmdmw52 on Jul 3rd, 2008 at 12:06pm

MrMagoo wrote on Apr 1st, 2008 at 4:28am:
A laptop running MacOS, Vista, and Ubuntu were set up for contestants to attempt to hack. After 3 days, the Ubuntu laptop was the only one left. On the surface, this indicates that it was more difficult for contestants to find a security flaw in Linux than the other two OS's, however, it is difficult to say how many contestants attempted to exploit each OS.
Bayes' Theorem *may* be of relevance here ... i.e. how many people (in terms of proportions of total) actually use(d) Windows vs Mac OS vs Ubuntu Linux; in very simple terms- a greater no of Windows users (compared to Mac OSX and Linux) would mean greater familiarity with Windows flaws & loopholes and therefore above result.

This link and this example give a brief idea of Bayes' rule.

This likely is not the full explanation, but (IMO) is worth mulling over.

Title: Re: (In?)Security of Linux
Post by MrMagoo on Jul 4th, 2008 at 4:52pm
The articles seemed to indicate that contestants knew ahead of time what software would be running on each laptop, and some of the interviews with the winners suggested that they selected the laptop they thought they could most easily exploit to focus on in the research leading up to the contest.

I'm sure that Bayes' Theorem applies, but one would think that the open source Linux laptop should present a juicy target if you thought there was something easily exploitable in there.  Obviously this is a fairly small sample of targets and attackers and a very artificial environment with time constraints.  I think the only conclusion we can draw from this is that the Ubuntu laptop was not trivially exploitable.  Other than that, it's just an interesting result.

Title: Re: (In?)Security of Linux
Post by MrMagoo on Jul 4th, 2008 at 4:58pm

Pleonasm wrote on May 18th, 2008 at 11:09am:
Oh, my – this isn’t good news: a highly significant flaw with a wide-ranging impact for users of Linux…

A sad day event, for sure, and a big mistake by the responsible coders.  But, it is worth noting that this flaw was introduced when the SSH package was modified by a Debian developer and was not present in the base version.  So, this flaw is only present in SSH versions downstream of Debian.  This does include the widely popular Ubuntu, but Red Hat, SUSE, and all the *BSD versions do not contain this flaw.  Also, it was quickly fixed by all affected distros.
