GUi Uncomplicated FireWall.

Back in college, the course on Operating Systems had this to say on Linux security:

"Linux is both the least and most secure OS there is. It all depends on how much time and effort the admin puts in to properly configuring it."

Linux also ships with more outdated and insecure packages, than the latest version of Windows.

7. Linux users are more skillfull.

True, I suppose.

One of the biggest security concern for home users is to protect their data from themselves. Baking up your data and running with unprivileged account helps a lot.

Firewall won't save you from anything by itself

Except clamav because thats crap on both.

Firewall won't save you from anything by itself and the only meaningful reason of using fws is when certain hosts need access to certain service. On a workstation you can pretty much disable/remove every network daemon like ssh, apache, mysql etc. or if you need them to develop stuff then just bind them to localhost.

Well that's not really true as, generally speaking, Linux distros ship with more secure defaults than Windows does.

Viruses aren't really interested in gaining root access. They can do nearly anything as the user anyway - key-logging, sending spam, DDoS, and so on.

Besides once you have access to a user's account it is trivial to gain root - just change their path to point to a fake 'sudo' program which logs their password.

I'd bet most linux users install stuff from outside the repositories, and besides we've already seen examples of mirrors, and even source code being maliciously modified.

Most viruses work either by buffer overflow type exploits, or by tricking the user into running a program. File permissions aren't going to help in either case. By the way, you can easily execute non-'executable' binaries like this:

/lib/ld-linux-x86-64.so.2 ./a_file

Although I'd wager Ubuntu is becoming popular enough to count as a single target.

The real reason you don't need anti-virus on linux is because there are a very very small number of linux viruses. And that is almost certainly due to the fact that it has a 1% market share (and probably the diversity and skill factors to some extent).

Well evidently not, otherwise there wouldn't be any need for security updates.

Linux users are more skillfull.

True, I suppose.

[q]It's NOT trivial to gain root, if it was trivial the whole UNIX security would be worthless. The particular method you described is not really practical.

I think you mean social engineering -- tricking the user with a sudo window. Which can work (if the user doesn't bother to think why there's a sudo window all of a sudden).

Hello guys,

Dedoimedo here. First, this is the first article posting here, so please excuse the few rough points, like the missing space in paragraph one and such, will be sorted out. Be gentle.

Now, thanks for the comments.

Linux security: we can argue about this to death, but the point is: it's all about statistical probability.

I think the home usage security card is seriously overplayed, regardless of the operating system used and if you get it right, the operating system becomes a non-issue. Real security is agnostic.

Exploits exist, vulnerabilities exist. On the same note, huge meteors exist and cosmic ray bursts exist. Likelihood of witnessing one before imminent doom? Not very high.

If you don't go about wildly executing stuff, then you won't see the pixel devils take over your machine.

Cheers,
Dedoimedo

And what do you mean by: This is exactly the mistake that Microsoft made in 80s, 90s?
Dedoimedo

it's all about statistical probability.

the home usage security card is seriously overplayed

Real security is agnostic

Exploits exist, vulnerabilities exist. On the same note, huge meteors exist and cosmic ray bursts exist. Likelihood of witnessing one before imminent doom? Not very high.

Even if SSH wasn't so wonderfully useful

I'd still recommend firewall rules if only to detect port scanning and other network oddities.

If it has a network connection, it should have a firewall in place.

I disagree.

I truly believe what I say and it's as simple as that. Security (for home) is no biggie. In fact, it's boring.

Windows OS is neither the disaster nor the blessing that you might read about here and there. If you pay attention, most boxes were compromised by: no patches and ancient vulnerabilities, deliberate execution of code, user mistakes, not any special inherent flaws in the design.

Dedoimedo

"Well that's not really true as, generally speaking, Linux distros ship with more secure defaults than Windows does.

May I remind you that I stated "more secure defaults than Windows" and not that "Linux's defaults are perfect"

There are a lot of network based attacks that computers without firewalls are vulnerable to.

man in the middle attacks, spoofing, etc.

"There are a lot of network based attacks that computers without firewalls are vulnerable to.

man in the middle attacks, spoofing, etc.

"There are a lot of network based attacks that computers without firewalls are vulnerable to.
man in the middle attacks, spoofing, etc."

I don't see how firewall would help you in a MITM attack. There is a publicly available tool called ZXARPS which is able to intercept/change traffic between hosts in the same broadcast domain (eg between yout laptop and default gateway), try to defend your box against that with iptables

"It also keeps ports that shouldn't be exposed to the internet away from the internet. "

The thing is that you are almost always behind a NAT device whether you using your laptop in a corporate network or just at home behind a dsl router but don't get me wrong having a firewall in situations where you for example have a samba server running on your laptop what you need to access when you are home is ok.
Using premade firewall rulesets however what the user in many cases don't understand and probably just an "input only" ruleset doesn't help much.

So Windows 7 doesn't give the default user accounts full administration rights?

Windows has come a long long way, there's no denying that. And I'm not disputing that security is an ongoing battle in which users shouldn't get complacent regardless of the OS they run.

I just don't see the point in lying by saying all OSs are equally secure by default. The simple fact is some OSs do ship with better defaults. However, and as I've already stated, none of that really makes much difference if you stick an experienced idiot in front of the keyboard.

Firewalls are over-rated, both on workstations and standalone gateways.

Off-topic but this is especially common in corporate environments where many managers seem to think that firewalls (especially Cisco ones) are magic amulets that will protect you from all evil.

"I've bored the readers of my personal websiteto death..."

Not the "websiteto" bit. I think that should be reader (singular)?

:-)

This seems to be an article about how great your own piece of software is... if OS news is going to let people advertise they could at least tell people about it first like: Advertisment follows...

They aren't more secure than Windows anymore. At one time, sure. Now? No.

echo alias sudo='sudo do bad stuff >/dev/null 2>&1;sudo' >>~/.bashrc

I agree with pretty much everything else you said though. Malicious people that want in don't necessarily need in "right now", they wait patiently for it.

It really would be a lie to say that they were all secure by default, because none of them are.

Basically, the Windows userland is a security nightmare.

This is true up to a point. I'd bet most linux users install stuff from outside the repositories, and besides we've already seen examples of mirrors, and even source code being maliciously modified.

The Windows applications come in huge numbers, they are mostly closed source and they are not updated in a centralized manner. Plus, Windows users consider it normal to download stuff off any website they run into, not to mention downloading and running dubious cracks and keygens. What's more, they've become complacent about having malware in their machine.

Contrast this with Linux apps which are fewer, mostly open sourced, come 99% from trusted repositories, the update system is centralized and automated, and there's usually no need to go and install cracks. And a Linux user who finds a single piece of malware on their machine will be absolutely horrified.

"May I remind you that I stated "more secure defaults than Windows" and not that "Linux's defaults are perfect"