Linked by Igor Ljubuncic on Mon 21st Jun 2010 09:35 UTC
Privacy, Security, Encryption I've bored the readers of my personal website to death with two rather prosaic articles debating the Linux security model, in direct relation to Windows and associated claims of wondrous infections and lacks thereof. However, I haven't yet discussed even a single program that you can use on your Linux machine to gauge your security. For my inaugural article for OSNews, I'll leave the conceptual stuff behind, and focus on specific vectors of security, within the world of reason and moderation that I've created and show you how you can bolster a healthy strategy with some tactical polish, namely software.
Permalink for comment 430919
To read all comments associated with this story, please click here.
RE: Don't need anti-virus?
by wirespot on Mon 21st Jun 2010 15:43 UTC in reply to "Don't need anti-virus?"
wirespot
Member since:
2006-06-21

Viruses aren't really interested in gaining root access. They can do nearly anything as the user anyway - key-logging, sending spam, DDoS, and so on.


Note: don't call them viruses, call them worms. Viruses are a different beast (they don't use networking as a vector).

Second, it's not that easy. As an unpriviledged user you can NOT snoop on other users or open ports under 1024 (which is where most legitimate servers like to reside). But yes, you have network access so spam and DoS are valid points.

Besides once you have access to a user's account it is trivial to gain root - just change their path to point to a fake 'sudo' program which logs their password.


It's NOT trivial to gain root, if it was trivial the whole UNIX security would be worthless. The particular method you described is not really practical.

I think you mean social engineering -- tricking the user with a sudo window. Which can work (if the user doesn't bother to think why there's a sudo window all of a sudden).

But the point is moot. If there's malicious stuff running on your machine you're pretty much screwed. This is the 1st major vector of computer security: remote break-ins without user intervention. This is a very important important thing and THIS is why Linux is more secure than Windows: on Linux, everybody makes every effort so that the break-in doesn't happen. On Windows they let it happen and deal with it afterwards.

I'd bet most linux users install stuff from outside the repositories, and besides we've already seen examples of mirrors, and even source code being maliciously modified.


Granted, the dependence of the repositories is a weak link. But the repositories are distributed and closely watched by many people. I'd say they do a much better job than, say, Apple does with the AppStore. Not to mention they have the source code too.

As for installing stuff from other sources... this is the 2nd big vector: users bringing malware in themselves. And there's not much anybody can do about it. Unless the user understands not to install stuff from unofficial sources, all bets are off.

BTW, a Linux distro can easily close 99% of this vector by only allowing certain repositories and disallowing direct installation of package files (deb, rpm etc.) But it's not practical.

Most viruses work either by buffer overflow type exploits, or by tricking the user into running a program. File permissions aren't going to help in either case. By the way, you can easily execute non-'executable' binaries like this:

/lib/ld-linux-x86-64.so.2 ./a_file


For that to happen you need to already be able to run code. If you managed that you don't need that trick. On the rest, you're right.

But let me point out that when you're trying to trick someone into running malware, it's one thing if all it takes is to double-click (a universal action used for everything) or if you need to go into file properties and change some stuff. You have to admit that executable status in metadata is better than executable status as part of the file name.

Although I'd wager Ubuntu is becoming popular enough to count as a single target.

The real reason you don't need anti-virus on linux is because there are a very very small number of linux viruses. And that is almost certainly due to the fact that it has a 1% market share (and probably the diversity and skill factors to some extent).


That point of view is wrong.

Some people like to say that once a platform is more popular there's more (or more motivated) people attacking it so chances for break-in increase. That's bull. Remember that most of the servers of the world run some form of UNIX or Linux and that has NOT made them more vulnerable. There's no direct link between popularity and security.

There is an indirect one. Some of the installations are old and not updated. If you have lots and lots of installations, statistically the chances increase for running into an old one. It's a numbers' game. No relation to actual security.

The reason there is so much Windows malware is because it's easy for it to exist: lots of vulnerabilities, bad underlying security models (fixed with Windows 7, hopefully), unpatched machines, many propagation vectors. There's next to none for Linux because vulnerabilities get patched fast, almost all installations update by default and propagation vectors are few.

Well evidently not, otherwise there wouldn't be any need for security updates.


Not sure how you mean that. Since there are security updates, obviously somebody DID see the vulnerability (and fixed it). Ok, they didn't see it the first time, but second time is better than never. Between a platform with 1000 vulnerabilities which has updates for all 1000 and a platform with 2 vulnerabilities which leaves 1 open, I'll take the first.

Linux users are more skillfull.

True, I suppose.


Don't count on it. Educating users will not work in the long run. Most users are not skilled enough, and security is a highly skilled game.

The most you can teach them is not to install software from anywhere else but the official distros. The rest of the security job needs to be done by the OS and software with no user intervention.

Which will always leave social engineering as a backdoor. But that's valid anywhere.

Edited 2010-06-21 15:53 UTC

Reply Parent Score: 7