What makes Linux safer than Windows?

For discussions about security.
droope
Posts: 801
Joined: Fri 01 Aug 2008, 00:17
Location: Uruguay, Mercedes

Re: Ant-virus working perfectly

#31 Post by droope »

drongo wrote: Err, how do you know? You can tell when your anti-virus catches a nasty and you can tell when you have a false positive. How do you know when it has missed something?

Tin-foil hats all round.
I do my calculations this way:

No bad news = Good news. :)
What seems hard is actually easy, while what looks like impossible is in fact hard.

“Hard things take time to do. Impossible things take a little longer.” –Percy Cerutty

My blog (Spanish): http://droope.wordpress.com/

Bruce B

#32 Post by Bruce B »

PaulBx1 wrote:
The system files are really read-only.
So, if you use Puppy as a live-CD, don't mount partitions or USB sticks, don't install it to hard-drive and don't use multi-session you're pretty much invulnerable!
Uh, I must be laboring under a misapprehension. :)

I thought any file was writable, with the new file (in the pupsave) superseding the one on CDROM, via unionfs or aufs. Thus, the only way Puppy can be invulnerable is if you never use the pupsave, and boot "pfix=ram". Or am I missing something?

As to discounting the lack of linux viruses out there "merely" because linux (or BSD) is not as popular; well, it's worked pretty well so far! Better than any anti-virus software. It is an advantage now. When linux hits 30% market share, then you can bring this one up.
Comments on Subjects Discussed

An unmounted partition can be copied bit for bit. It can be erased, formatted and ??

If I were concerned about viruses (malware), I wouldn't use a virus scanner. The reason is that I don't think the signature databases contain many, if any, Linux signatures.

I would, if I were very concerned, maintain my own md5sum database of files, with the checks looking for changes, new files and deleted files, and the report used to alert me to things I might want to look into.

With Linux, files can be set so even root can't modify or delete them. Some of the key files used in traditional root kits can be set immutable and this would make it more difficult to install a traditional root kit.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#33 Post by Lobster »

Using something like this for penetration testing (sounds a bit erotic to me)
http://www.pentoo.ch/
should keep the tin hats happy for a while . . .

Let us know of any vulnerabilities
one or two of us might even care . . . :wink:
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

Bruce B

#34 Post by Bruce B »

Lobster wrote: Using something like this for penetration testing (sounds a bit erotic to me)
http://www.pentoo.ch/
Judging by the scope of things, you might be close. I did read this much at the site.
  • Q: My card is not supported, will you crack my girlfirend account password for me ?

    Probably not, unless you send pics of her first.
Take a little - give a little. Send pix of the eX - they wouldn't care.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#35 Post by Lobster »

So what is it that you Puppy users know that I don't? What makes you confident that you're not likely to get hacked, even running as root? I'd really like to know...
Most of us experienced Windows (security nightmare)
Other distros, so secure you can not even open your own CD drive - bah - humbug. :oops:
Then carefree Puppy usage :D
Carefree I like. :D

We have special tin hatted penguins to do our worrying.
They have been programmed this way (probably by the government) :shock:
Would a honeypot puppy be of use to anybody?
Maybe to our so secret everyone knows about it
black ops Puppy users 8)
http://puppylinux.org/wikka/BlackOps

clarf
Posts: 613
Joined: Wed 13 Jun 2007, 19:22
Location: The old Lone Wolf

#36 Post by clarf »

A short answer for the initial question. Windows never was designed with security in mind.

If you read:

http://www.computerworld.com/s/article/ ... geNumber=1

Then you'll see that Microsoft had released so many security patches for each Windows version that you'll conclude this software's quality standards and design are very poor for a secure OS.

It's true that recently Microsoft redesigned the architecture of Windows and Microsoft has many defense-in-depth improvements in Windows Vista. Even the level of security alerts is lower than XP:

Image

There are other technologies like Kernel Patch Protection (protects code and critical structures in the Windows kernel from modification), user account control (Microsoft called UAC one of the "most controversial" features of Vista for the thousands of unnecessary prompts for each system change) and others on the way for Windows 7:

http://windowsteamblog.com/blogs/window ... force.aspx

But those technologies are immature, problematic and the better ones are aimed at Server versions (the expensive line), future releases (x64 architectures) and are not available for end users using standard Windows versions.

That's why Linux, which is based on BSD Unix at its heart, is fundamentally safer. They were designed as multi-user, networked systems to support server machines.

clarf

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#37 Post by PaulBx1 »

Perhaps I wasn't clear. If you haven't mounted any partitions you'll have nowhere to save the pupsave file. So if you boot a live-CD as puppy pfix=ram and you have no pupsave, there is nothing writable on the CD to change.
Yes, but who uses Puppy this way? Almost everyone full installs it or uses pupsaves or multisessions. Pfix=ram is a diagnostic function, not the way people work normally. OK, maybe for online banking, it might make sense to put up with the inconvenience, but that would be about it. And that wouldn't protect you from malware that came in during that same session.

Multisession ability to throw away the last sessions does not help you if the malware is quiet. A keylogger for example. You have to KNOW there is a problem, to throw away sessions.

No, I think this claim that Puppy's liveCD nature protects it, is almost completely bogus. The instant unionfs allowed everything to be writable, that evaporated. Even before then, certain directories could harbor malware. But now when you run the "ls" command, who knows what you are really doing?

Maybe we need to make that "tripwire" program a standard feature of Puppy. It would also be nice if we could control the directories that are writable. That is, nothing is writable in e.g. /bin unless we give a go-ahead first. And the directory where tripwire is located is not writable at all (comes only from the CD).

This may be a bit too tinfoil-hat-like for Barry though. :wink:

BTW, if you go look at the release notes for each version of OpenBSD, it's amazing how many vulnerabilities they plug each release, and they have been focusing on security for a very long time. Linus even called them a bunch of masturbating monkeys. :lol: One would think they'd run out of vulnerabilities at some point, but I guess not...
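
The check Bruce B outlines in post #32 (a hash database that reports changed, new and deleted files) and the tripwire-style tool PaulBx1 asks for in post #37 can be sketched in a few lines of shell. This is an added example, not code from any poster or from Puppy; sha256sum is swapped in for the md5sum named in the post, and the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: hash baseline plus a check that reports changed, new and
# deleted files. Assumption: sha256sum replaces the md5sum named in post #32;
# run with HASH_CMD=md5sum to follow the post literally.
HASH_CMD="${HASH_CMD:-sha256sum}"

# make_baseline DIR OUTFILE: hash every regular file under DIR.
# OUTFILE must live outside DIR, ideally on read-only media.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r "$HASH_CMD" ) > "$2"
}

# check_baseline DIR BASELINE: print one line per difference.
# Returns 0 when the tree matches the baseline, 1 when anything differs.
check_baseline() {
    current=$(mktemp) || return 2
    make_baseline "$1" "$current"
    report=$(awk '
        {   # split "hash  path" at the first two-space separator
            sep = index($0, "  ")
            hash = substr($0, 1, sep - 1); path = substr($0, sep + 2)
        }
        FILENAME == ARGV[1] { old[path] = hash; next }   # baseline entries
        { seen[path] = 1 }
        !(path in old)      { print "NEW     " path; next }
        old[path] != hash   { print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "DELETED " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# demo: constructed sample tree standing in for a directory such as /bin.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/tree/bin"
    echo 'original ls' > "$d/tree/bin/ls"
    echo 'original ps' > "$d/tree/bin/ps"
    echo 'login'       > "$d/tree/bin/login"
    make_baseline "$d/tree" "$d/baseline"
    echo 'replaced ls' > "$d/tree/bin/ls"       # modified file
    echo 'extra file'  > "$d/tree/bin/.hidden"  # new file
    rm "$d/tree/bin/ps"                         # deleted file
    check_baseline "$d/tree" "$d/baseline" || true   # differences are expected
    rm -rf "$d"
}

demo
```

A baseline kept in writable storage can be rewritten by whatever altered the files, which is why post #37 wants the checker to come only from the CD; the same applies to the baseline file.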

drongo
Posts: 374
Joined: Sat 10 Dec 2005, 23:35
Location: UK

pfix=ram

#38 Post by drongo »

Who uses Puppy this way? Well I do, a lot of the time, depending on which machine I am using. I have never done a full or frugal install of Puppy in the five years or so I have been using it.

It always surprises me when people on this Forum claim to know how everyone else uses Puppy. You don't know, I don't know, Barry doesn't know, nobody knows. I have no idea if most people use full, frugal, multi-session or whatever. It started life as a live-CD and that is mostly how I use it. Some machines I use may have a pupsave, but most don't.

I don't know what the rest of you do, I suspect some of the longer-term users still use pfix=ram. But I really don't know, and neither does anybody else.

If I use pfix=ram I don't need the tin-foil hat.

I don't do online banking and probably never will.

sikpuppy
Posts: 415
Joined: Sun 29 Mar 2009, 05:54

#39 Post by sikpuppy »

If linux had a unified set of default software and settings, as does Windows, it would be just as insecure (or secure).

Because each installation of Linux differs by at least some degree, unless it's on identical computers, any malware doesn't have much of a chance to propagate beyond that same setup.

I suppose I get a bit tired of people claiming Linux is so secure that it never gets hacked, because in fact it does get hacked, and for the reason I mentioned before. Large corporations and governments who use Linux often have many identical machines, running identical Linux setups. Since they are all up to the same "patch" level for vulnerabilities then it stands to reason that they are all vulnerable.

However, for the average user on a small network this generally isn't an issue, and that is a reason I can see that people feel (for the wrong reasons) that Linux is necessarily more secure than Windows.
ASUS A1000, 800Mhz PIII Coppermine!, 192Mb RAM, 10Gb IBM Travelstar HDD, Build date August 2001.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#40 Post by Sylvander »

1. "I don't do online banking and probably never will."
There's no way I'd be without my online banking; it's just so convenient.
The stuff I can do with it is just SUPERB! [Just like Puppy]

When I went looking for a more secure operating system than Windows, to use for online banking...
A friend suggested I give Puppy Linux a try.
I'd tried a number of Linux distros, and Puppy was the 1st that made me want to stay with it; with the others it seemed to me like pulling teeth just to get the simplest things done.

I'm happy that the techniques I use in conjunction with Puppy provide an adequate level of security.

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#41 Post by PaulBx1 »

It always surprises me when people on this Forum claim to know how everyone else uses Puppy. You don't know, I don't know,
Yeah, but we can guess. :) Most people probably work on one or maybe two computers with Puppy. Why would they NOT use the persistent storage feature of Puppy? Because they enjoy setting up their networking over and over? Boy, the Network Wizard must be a lot of fun, if they like to do that. And without persistent storage, there is no saving of browser bookmarks or emails or anything else like that.

Even if people who boot pfix=ram all the time were as high as 10% (very doubtful - not even you do it all the time), you are still ignoring 90% of the users with your solution.

Q.E.D., Puppy is really like any other linux distro with respect to security; it is not read-only (except with the quibble, if that it is, about root logins).

drongo
Posts: 374
Joined: Sat 10 Dec 2005, 23:35
Location: UK

Minority report

#42 Post by drongo »

It's not my solution! My point is merely that, as originally designed, Puppy is fairly safe even with a default root user. With no persistent storage it's about as safe as you can get with a reboot clearing out all nasties.

Mind you earlier Puppies seemed to boot faster (or that may just be my faulty memory) so rebooting was not much of a chore.

You get quite good at using the Network Wizard after the first hundred times.

If people want to install a live CD that is their lookout. I'm still intrigued enough by the possibility of a live-CD OS to be sad enough to want to use it that way. The only thing I ever saw that had this capability before Knoppix was Solaris on a SPARC workstation in about 1995 (boy, were those guys ahead of their time - and very expensive.)

If you do a full install and run as root I'd say you are probably not that secure, except that Puppy has a different file structure to the traditional Linuxes so you are relying on security through obscurity. It seems to be similar to Slackware in some ways, so if there were a Slack-specific virus/logger/rootkit/whatever I suppose that might be a problem.

Recent events on one of the websites indicate that we have now raised our heads above the parapet enough to be a target.

I think I'll erase pupsave now! Now where is my tinfoil hat?

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#43 Post by Pizzasgood »

Playing the devil's advocate: Rather than rerun the network wizard (and rather than always type in pfix=ram) a chronic pfix=ram'er could simply make a remaster that has the network preconfigured and pfix=ram set up by default. Include some bookmarks and home page while he's at it.

Those few steps can go a long way toward making pfix=ram mode tolerable.

(Assuming the same machine/network were being used each time. This isn't as useful to a nomad.)
Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib

drongo
Posts: 374
Joined: Sat 10 Dec 2005, 23:35
Location: UK

Chronic pfix=ram'ers

#44 Post by drongo »

That's a very good suggestion Pizzasgood. Even if you used two or three wireless hotspots it would work fine.

Back when new versions of Puppy were coming out every couple of weeks I guess it would have been too much trouble. Now there is a slightly more sedate pace it would be a good idea.

Never thought of myself as a chronic pfix=ram'er before. Do I need help?

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#45 Post by Pizzasgood »

If you typically use your OS in a mode that does not retain malware, you probably don't need help. Or at least, less help than the average computer user.....

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#46 Post by PaulBx1 »

If people want to install a live CD that is their lookout. I'm still intrigued enough by the possibility of a live-CD OS to be sad enough to want to use it that way.
Well I use it that way, too. But with persistent storage (pupsave). I don't deceive myself I'm getting a read-only installation by doing that.

Pizzasgood has a solution to ease the pain of going full read-only. IIRC not everything configured gets copied over in a remaster though.

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#47 Post by Pizzasgood »

No, it doesn't. But the last time I used the remaster script it had a part where it paused and told you where the build tree was (somewhere in /tmp) to give you a chance to make manual changes that would not be discarded.

Nobody has to be limited by the remaster script. My Edit-SFS program has been around for three years now (and it just got a complete rewrite a month or so ago and is much nicer now). I think a couple other people have written similar tools over the years. And even without those, it's not all that hard to just run the commands to extract and rebuild a .sfs file by hand.


As for actually locating the changes to include in the remaster, I believe the network configuration is under /etc/network-wizard. But if you're just doing a personal remaster to be used on the same machine/network, you may as well just grab /etc in its entirety. There's nothing in there that absolutely should not be included in that sort of remaster, unless you use wireless or dialup and don't want the key/password saved inside the CD as plaintext. This way you also get the keyboard, mouse, video, and timezone configurations too.

mojo558
Posts: 11
Joined: Wed 01 Apr 2009, 22:28

linux (Puppy) Security

#48 Post by mojo558 »

I may be considered to be "paranoid" by making the statement I am about to make here but, I've never been considered to be the brightest penny in the roll either.
I know of a VERY reputable Web-zine which broke the news that MS was installing software (i.e. "updates") on users' machines even though their machines' security settings didn't allow it. IT WAS TURNED OFF and still MS installed software.
The next day they had a fire in their building and it shut them down.
MS is a ... what ......$800 billion company ????
They need to protect their assets, i.e. Windows, which is a work in progress and always will be. MS made their money by selling this product. If they don't keep selling it and coming up with bigger and better (Win 2, 3, 95, 98, 2000, Millennium, XP, 7, etc......) they would eventually go broke. So, how do you up-sell a product to the public ???
The newer system works "Better" it is more "Secure" and user friendly.
What convinces them ??
Viruses, Malware, S P Y WA R E and here is the kicker.
You ready for this ??
MS has a "Security" department manned with code writers whose sole job is to break Windows.
They get paid to intentionally write bad code.
You can't possibly believe that there are actually enough common people knowledgeable enough to produce the MILLIONS of viruses, etc that irritate you enough that you can't wait till something "better" comes out. And they are really successful at it.
That's part of why Puppy and Other Linux distros are more secure,...they are FREE.

Pizzasgood
Posts: 6183
Joined: Wed 04 May 2005, 20:28
Location: Knoxville, TN, USA

#49 Post by Pizzasgood »

You can't possibly believe that there are actually enough common people knowledgeable enough to produce the MILLIONS of viruses, etc that irritate you enough that you can't wait till something "better" comes out. And they are really successful at it.
I haven't done any malware writing (it's on my to-do list though (for educational purposes!)). But considering what I do know about programming in general, and considering how many people there are on this planet who have computer and internet access, it doesn't seem remarkable to me. Also, I'm willing to bet that there really aren't that many viruses. Probably a lot of them are just rehashes of each other, so that the total number could be knocked down by an order of magnitude or two.

I don't think the people who work at MS intentionally write insecure code, so much as that they intentionally don't write much secure code. Because writing and testing secure code takes time, and time is money. So they write code that is merely good enough, release it, and then patch it as needed later.

Therefore, I do agree with this statement anyway:
That's part of why Puppy and Other Linux distros are more secure,...they are FREE.

xman
Posts: 144
Joined: Thu 24 Sep 2009, 06:31

#50 Post by xman »

Answer isn't browser?

At Pwn2Own 2010 there is still no trace of Linux as a possible target. Is it harder to find exploits for Linux, or does a non-commercial operating system hold no interest for exploit hunters?

What is the Champion saying?
http://www.oneitsecurity.it/01/03/2010/ ... r-pwn2own/

Pwn2Own 2010 first day: Safari, IE8 and Firefox all fall but Chrome stands still.
