(In?)Security of Linux (Read 15619 times)
MrMagoo
Übermensch


Resident Linux Guru

Posts: 1026
Phoenix, AZ (USA)


(In?)Security of Linux
Feb 9th, 2008 at 8:50pm
 
This thread is a split off of "Windows as secure as Linux", which has grown large enough to be a potential resource abuser. 

http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1161963588
 
 

Rad
Radministrator


Sufferin' succotash

Posts: 4090
Newport Beach, California


Re: (In?)Security of Linux
Reply #1 - Feb 9th, 2008 at 8:58pm
 
I don't think it's a resource problem, much as a potential for losing part of it, as we did with the other thread, which grew long.

Wonder if there's a way, beyond database back-ups, to back-up an individual thread.

I'll ask over at the YaBB forums.

http://www.yabbforum.com/community/YaBB.pl?num=1202612740/0

Again, excellent thread. (Go Linux!)
 
 
MrMagoo
Re: (In?)Security of Linux
Reply #2 - Feb 9th, 2008 at 9:13pm
 
Quote:
Perhaps it is just a reflection of my own wry sense of humor, but I found the historical connection of “Linux” to “hacker” surprising.  Surely, Torvalds must have been aware of the evolving commonplace and negative understanding of the term at the time, even though it may not have corresponded to his own interpretation.  If I were creating a new software product—even today—and hoped for it to be widely adopted among consumers and businesses, I certainly wouldn’t “advertise” it as a tool “by a hacker for hackers.”  Very bad marketing, at a minimum.

People deep in the technical community such as Linus resent the morphing of the term hacker, and still use it in its old form - partially to spite the non-technical community that doesn't understand the *true* meaning of the word and partially because they like it the way it is.

Also, Linus has never been concerned with selling Linux to anyone.  He makes frequent reference to the fact that Linux doesn't have a marketing department, and implies that Linux development proceeds faster because it doesn't advertise or make attempts to put on a show.  Linus has a very purely functional view of how code should be written and how it should work - hence 'written by a hacker for hackers'.  He never worried about how an average user such as yourself might perceive Linux; his only concern has always been making it work well.

Fortunately, Linus still focuses his work on the kernel, where functionality is really all that is important.  Many other coders who understand the value of usability and presentation have joined various open source projects to develop the user facing part of the OS, which is how Linux has become prepared for growth in its user base outside of the technical community.

To this day, Linux has no marketing arm and relies on grass-roots marketing from its users.  As we've discussed in other threads, Linux continues to spread at a phenomenal rate percentage-wise, although its market share won't likely become significant for several more years.  Of course, Linux is used in many places besides the desktop.  From servers to cell phones, and movie theaters to the space shuttle, the success of Linux is actually quite impressive for a program started by one guy with no financial backing and given away to the world for free, so it would seem that some markets do value functionality over glossy marketing.
 
 
Rad
Re: (In?)Security of Linux
Reply #3 - Feb 9th, 2008 at 9:15pm
 
He is something of a demi-god, no?

http://en.wikipedia.org/wiki/Linus_Torvalds
 
 
MrMagoo
Re: (In?)Security of Linux
Reply #4 - Feb 9th, 2008 at 9:16pm
 
Lots of people listen when he speaks, that's for sure.
 
 
MrMagoo
Re: (In?)Security of Linux
Reply #5 - Feb 10th, 2008 at 3:04pm
 
Off-Topic replies have been moved to this Topic.
 
 

Pleonasm
Übermensch



Posts: 1619


Re: (In?)Security of Linux
Reply #6 - Feb 10th, 2008 at 4:39pm
 
Quote:
…an average user such as yourself

Ouch!  :(

Quote:
He is something of a demi-god, no?

Consider this comment by Torvalds:  “My name is Linus, and I am your God.”  Humility doesn’t appear to be a priority.
 

ple • o • nasm n. “The use of more words than are required to express an idea”
 
 
MrMagoo
Re: (In?)Security of Linux
Reply #7 - Apr 1st, 2008 at 4:28am
 
The CanSecWest Security Conference last weekend demonstrated a point that I think got lost in this thread.

http://www.linux.com/feature/131059

Laptops running MacOS, Vista, and Ubuntu were set up for contestants to attempt to hack.  After 3 days, the Ubuntu laptop was the only one left.  On the surface, this indicates that it was more difficult for contestants to find a security flaw in Linux than the other two OS's; however, it is difficult to say how many contestants attempted to exploit each OS.

I think the more interesting point the conference demonstrated, which we made earlier but neglected to emphasize, is that applications and users' habits are exploited far more often these days than an OS itself.  On the first day of the contest, the exploit had to be directly against the OS.  No contestants even attempted to exploit any of the laptops.  On the second day, contest directors could be directed to click on links in web pages or open files by the contestants, and that's when the laptops started to fall.

No matter which OS is more secure, all OS's are far more secure than applications and ignorant users.
 
 
Pleonasm
Re: (In?)Security of Linux
Reply #8 - Apr 8th, 2008 at 12:08pm
 
Thoughtful commentary on the advantages/disadvantages of several operating systems is in this article:  OS Smackdown: Linux vs. Mac OS X vs. Windows Vista vs. Windows XP
 

 
MrMagoo
Re: (In?)Security of Linux
Reply #9 - Apr 28th, 2008 at 1:42am
 
Interesting article that details how Vista's UAC 'Security System' can be completely circumvented:

http://neosmart.net/blog/2008/ireboot-and-working-around-uac-limitations/

I'm glad these guys were able to get their application to run, but it also shows that the bad guys can get THEIR applications to run, too.
 
 
Nigel Bree
Ex Member




Re: (In?)Security of Linux
Reply #10 - Apr 28th, 2008 at 2:16am
 
It's neither interesting, nor a circumvention. In fact, it gets a rating of "Well, duh". Anyone with more than a room-temperature IQ knows all that since it's plainly spelled out in MSDN. You still need to elevate once you to get your service installed.

Edit: Blah typo, "to" not "you"
 
 
 

Pleonasm
Re: (In?)Security of Linux
Reply #11 - Apr 28th, 2008 at 12:52pm
 
Quote:
With the current Windows Vista security models, Microsoft can claim that Vista blocks system-modification tools from running at startup; but the truth is, there are still many ways to get them to run.

While it may not be a solution for NeoSmart Technologies' iReboot utility, it is easy to set a program to run at startup using Windows Vista’s Task Scheduler – and, optionally to specify that the job is to execute with “highest privileges.”  I don’t see that as a "security weakness” of Windows Vista, however.
 

 
MrMagoo
Re: (In?)Security of Linux
Reply #12 - Apr 29th, 2008 at 1:04am
 
Quote:
You still need to elevate once you to get your service installed.

Very good point.  Malware authors would still need one elevation to get their code to run.  The guys in the article made it seem like a bigger deal.
 
 
Pleonasm
Re: (In?)Security of Linux
Reply #13 - Apr 30th, 2008 at 7:41am
 
It appears that the activities of iReboot were not as 'smart' as one might have believed…

Quote:
The authors of iReboot, a program that sets which OS you want to reboot into, thought they were really clever when they rewrote their program so that Vista users didn't have to go through a UAC (User Access Control) check every time they ran it. Instead what they did was to make the users' systems vulnerable to attack betray their inexperience with Windows programming.

The authors had a classic bad Windows program to begin with, in that it required Administrator access, but their inaccurate assumption was that everyone on XP runs as Administrator anyway. On Vista the default is different, and even Administrators have to click a button to continue when executing privileged actions. So they rewrote their program into two halves, one a user mode interface, and the other a Windows service running in a privileged user context such as SYSTEM. The two communicate using standard IPC (interprocess communications).

They view what they did as programming around UAC, but it's not as clever as they think. In fact, the installer for their program required Administrator access and the user has to consent through Administrator access to the installation of a service like this. This means that the user has to trust the program that they install in this case, whether it's a legitimate service or malware.
Source:  New Windows Utility Claims To Bypass UAC
 

 
Nigel Bree
Re: (In?)Security of Linux
Reply #14 - Apr 30th, 2008 at 8:22am
 
Pleonasm wrote on Apr 30th, 2008 at 7:41am:
This means that the user has to trust the program that they install in this case, whether it's a legitimate service or malware.

UAC Elevation implies absolute full trust of the thing you're running, regardless of whether you do it up-front at install time or later at action time. All they did is lift the check, no more, no less. This part of things is a non-issue. The same caveat in effect applies to every OS which uses this particular UI model, which is pretty much all of them that exist nowadays.

Pleonasm wrote on Apr 30th, 2008 at 7:41am:
Instead what they did was to make the users' systems vulnerable to attack

Nonsense. Whether they actually made the user's systems vulnerable depends entirely on whether there's an exploitable bug in their service component which could be used to do other actions, but there's no evidence of that from the descriptions and their application is so mindnumbingly trivial that it's hard to see why there would be one. Certainly the IPC mechanism is a potential attack vector, and whether it's exploitable is something that likely will be reviewed by some competent third party, but it's inappropriate to claim that it's an innately bad technique since this is the way that most non-trivial things have to be written for most OSes.

It's unfortunate that the need, these days, to be seen to overdesign for "security above all else" for marketing reasons tends to create more problems than it solves; software inevitably becomes more complex than it otherwise would need to be, and complexity is the enemy of security - it introduces additional attack surface you need to defend, and any complexity at all raises the chance of a mistake (and that's all most security flaws are, simple bugs that can be creatively magnified).

But then, such unintended consequences abound all over the place.
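
Added example, not part of the thread and not iReboot's code: the split design discussed above (unprivileged UI, privileged service, IPC between them) is only as safe as the service's handling of what arrives on that channel. This sketch shows a service-side handler that accepts exactly one operation with a value taken from a list the service built itself; the JSON message format, `handle_request`, and the entry names are assumptions made for the example.

```python
import json

# Constructed for illustration: boot entries the service enumerated itself
# from the boot configuration. The client never supplies this list.
KNOWN_ENTRIES = {"vista": "Windows Vista", "xp": "Windows XP", "ubuntu": "Ubuntu"}
MAX_REQUEST_BYTES = 256
ALLOWED_FIELDS = {"action", "entry"}


def handle_request(raw: bytes) -> dict:
    """Validate one message from the unprivileged UI; return the service's reply.

    Anything outside the single supported operation is rejected, so a bug
    or a hostile client on the IPC channel cannot turn the service into a
    general-purpose privileged command runner.
    """
    if len(raw) > MAX_REQUEST_BYTES:
        return {"ok": False, "error": "request too large"}
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return {"ok": False, "error": "malformed request"}
    # Exactly the expected keys: no extras, none missing.
    if not isinstance(msg, dict) or set(msg) != ALLOWED_FIELDS:
        return {"ok": False, "error": "unexpected fields"}
    if msg["action"] != "set_next_boot":
        return {"ok": False, "error": "unsupported action"}
    entry = msg["entry"]
    if not isinstance(entry, str) or entry not in KNOWN_ENTRIES:
        return {"ok": False, "error": "unknown boot entry"}
    # The privileged step would run here, using only the service's own
    # record for `entry`, never a path or command string from the client.
    return {"ok": True, "next_boot": KNOWN_ENTRIES[entry]}
```

The smaller the set of requests the service will act on, the less there is for a third-party review of the IPC path to cover.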
 
 