Radified Community Forums | |
http://radified.com/cgi-bin/yabb2/YaBB.pl
Rad Community Technical Discussion Boards (Computer Hardware + PC Software) >> PC Hardware + Software (except Cloning programs) >> (In?)Security of Linux http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1202611835 Message started by MrMagoo on Feb 9th, 2008 at 8:50pm |
Title: (In?)Security of Linux Post by MrMagoo on Feb 9th, 2008 at 8:50pm
This thread is a split off of "Windows as secure as Linux", which has grown large enough to be a potential resource abuser.
http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1161963588 |
Title: Re: (In?)Security of Linux Post by Rad on Feb 9th, 2008 at 8:58pm
I don't think it's a resource problem, much as a potential for losing part of it, as we did with the other thread, which grew long.
Wonder if there's a way, beyond database bask-ups, to back-up an individual thread. I'll ask over at the YaBB forums. http://www.yabbforum.com/community/YaBB.pl?num=1202612740/0 Again, excellent thread. (Go Linux!) |
Title: Re: (In?)Security of Linux Post by MrMagoo on Feb 9th, 2008 at 9:13pm Quote:
Also, Linus has never been concerned with selling Linux to anyone. He makes frequent reference to the fact that Linux doesn't have a marketing department, and implies that Linux development proceeds faster because it doesn't advertise or make attempts to put on a show. Linus has a very purely functional view of how code should be written and how it should work - hence 'written by a hacker for hackers'. He never worried about how an average user such as yourself might perceive Linux; His only concern has always been making it work well. Fortunately, Linus still focuses his work on the kernel, where functionality is really all that is important. Many other coders who understand the value of usability and presentation have joined various open source projects to develop the user facing part of the OS, which is how Linux has become prepared for growth in its user base outside of the technical community. To this day, Linux has no marketing arm and relies on grass-roots marketing from its users. As we've discussed in other threads, Linux continues to spread at a phenominal rate percentage-wise, although its market share won't likely become significant for several more years. Of course, Linux is used in many places besides the desktop. From servers to cell phones, and movie theaters to the space shuttle, the success of Linux is actually quite impressive for a program started by one guy with no financial backing and given away to the world for free, so it would seem that some markets do value functionality over glossy marketing. |
Title: Re: (In?)Security of Linux Post by Rad on Feb 9th, 2008 at 9:15pm |
Title: Re: (In?)Security of Linux Post by MrMagoo on Feb 9th, 2008 at 9:16pm
Lots of people listen when he speaks, that's for sure.
|
Title: Re: (In?)Security of Linux Post by MrMagoo on Feb 10th, 2008 at 3:04pm
Off-Topic replies have been moved to this Topic.
|
Title: Re: (In?)Security of Linux Post by Pleonasm on Feb 10th, 2008 at 4:39pm Quote:
Ouch! :( Quote:
Consider this comment by Torvalds: “My name is Linus, and I am your God.” Humility doesn’t appear to be a priority. |
Title: Re: (In?)Security of Linux Post by MrMagoo on Apr 1st, 2008 at 4:28am
The Can Sec West Security Conference last weekend demonstrated a point that I think got lost in this thread.
http://www.linux.com/feature/131059 A laptop running MacOS, Vista, and Ubuntu were set up for contestents to attempt to hack. After 3 days, the Ubuntu laptop was the only one left. On the surface, this indicates that it was more difficult for contestents to find a security flaw in Linux than the other two OS's, however, it is difficult to say how many contestents attempted to exploit each OS. I think the more interesting point the conference demonstrated, which we made earlier but neglected to emphasize, is that applications and user's habits are exploited far more often these days than an OS itself. On the first day of the contest, the exploit had to be directly against the OS. No contestants even attempted to exploit any of the laptops. On the second day, contest directors could be directed to click on links in web pages or open files by the contestants, and that's when the laptops started to fall. No matter which OS is more secure, all OS's are far more secure than applications and ignorant users. |
Title: Re: (In?)Security of Linux Post by Pleonasm on Apr 8th, 2008 at 12:08pm
Thoughtful commentary on the advantages/disadvantages of several operating systems is in this article: OS Smackdown: Linux vs. Mac OS X vs. Windows Vista vs. Windows XP
|
Title: Re: (In?)Security of Linux Post by MrMagoo on Apr 28th, 2008 at 1:42am
Interesting article that details how Vista's UAC 'Security System' can be complettly circumvented:
http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/ I'm glad these guys were able to get their application to run, but it also shows that the bad guys can get THEIR applications to run, too. |
Title: Re: (In?)Security of Linux Post by Nigel Bree on Apr 28th, 2008 at 2:16am
It's neither interesting, nor a circumvention. In fact, it gets a rating of "Well, duh". Anyone with more than a room-temperature IQ knows all that since it's plainly spelled out in MSDN. You still need to elevate once
Edit: Blah typo, "to" not "you" |
Title: Re: (In?)Security of Linux Post by Pleonasm on Apr 28th, 2008 at 12:52pm Quote:
While it may not be a solution for NeoSmart Technologies' iReboot utility, it is easy to set a program to run at startup using Windows Vista’s Task Scheduler – and, optionally to specify that the job is to execute with “highest privileges.” I don’t see that as a "security weakness” of Windows Vista, however. |
Title: Re: (In?)Security of Linux Post by MrMagoo on Apr 29th, 2008 at 1:04am wrote on Apr 28th, 2008 at 2:16am:
Very good point. Malware authors would still need one elevation to get their code to run. They guys in the article made it seem like a bigger deal. |
Title: Re: (In?)Security of Linux Post by Pleonasm on Apr 30th, 2008 at 7:41am
It appears that the activities of iReboot were not as 'smart' as one might have believed…
Quote:
|
Title: Re: (In?)Security of Linux Post by Nigel Bree on Apr 30th, 2008 at 8:22am Pleonasm wrote on Apr 30th, 2008 at 7:41am:
UAC Elevation implies absolute full trust of the thing you're running, regardless of whether you do it up-front at install time or later at action time. All they did is lift the check, no more, no less. This part of things is a non-issue. The same caveat in effect applies to every OS which uses this particular UI model, which is pretty much all of them that exist nowadays. Pleonasm wrote on Apr 30th, 2008 at 7:41am:
Nonsense. Whether they actually made the user's systems vulnerable depends entirely on whether there's an exploitable bug in their service component which could be used to do other actions, but there's no evidence of that from the descriptions and their application is so mindnumbingly trivial that it's hard to see why there would be one. Certainly the IPC mechanism is a potential attack vector, and whether it's exploitable is something that likely will be reviewed by some competent third party, but it's inappropriate to claim that it's an innately bad technique since this is the way that most non-trivial things have to written for most OSes. It's unfortunate that the need, these days, to be seen to overdesign for "security above all else" for marketing reasons tends to create more problems than it solves; software inevitably becomes more complex than it otherwise would need to be, and complexity is the enemy of security - it introduces additional attack surface you need to to defend, and any complexity at all raises the chance of a mistake (and that's all most security flaws are, simple bugs that can be creatively magnified). But then, such unintended consequences abound all over the place. |
Title: Re: (In?)Security of Linux Post by Pleonasm on May 18th, 2008 at 11:09am
Oh, my – this isn’t good news: a highly significant flaw with a wide-ranging impact for users of Linux…
Quote:
|
Title: Re: (In?)Security of Linux Post by zmdmw52 on Jul 3rd, 2008 at 12:06pm MrMagoo wrote on Apr 1st, 2008 at 4:28am:
This link and this example give a brief idea of Bayes' rule. This likely is not the full explanation, but (IMO) is worth mulling over. |
Title: Re: (In?)Security of Linux Post by MrMagoo on Jul 4th, 2008 at 4:52pm
The articles seemed to indicate that contestants knew ahead of time what software would be running on each laptop, and some of the interviews with the winners suggested that they selected the laptop they thought they could most easily exploit to focus on in the research leading up to the contest.
I'm sure that Bayes' Theorem applies, but one would think that the open source Linux laptop should present a juicy target if you thought there was something easily exploitable in there. Obviously this is a fairly small sample of targets and attackers and a very artificial environment with time constraints. I think the only conclusion we can draw from this is that the Ubuntu laptop was not trivially exploitable. Other than that, it's just an interesting result. |
Title: Re: (In?)Security of Linux Post by MrMagoo on Jul 4th, 2008 at 4:58pm Pleonasm wrote on May 18th, 2008 at 11:09am:
A sad day event, for sure, and a big mistake by the responsible coders. But, it is worth noting that this flaw was introduced when the SSH package was modified by a Debian developer and was not present in the base version. So, this flaw is only present in SSH versions downstream of Debian. This does include the widely popular Ubuntu, but Red Hat, SUSE, and all the *BSD versions do not contain this flaw. Also, it was quickly fixed by all affected distros. |
Radified Community Forums » Powered by YaBB 2.4! YaBB © 2000-2009. All Rights Reserved. |