Linux security
Alan McKinnon
alan at linuxholdings.co.za
Sat Apr 29 23:01:57 UTC 2006
On Saturday 29 April 2006 20:31, Daniel Carrera wrote:
> Alan McKinnon wrote:
> > The benefit with Linux is that it's
> > harder to deploy the malware in the first place and it's much
> > harder to get it to be executable (execute bit and umask).
>
> Ok, I know the execute bit part. What makes it harder to deploy?
> Are we just relying on Firefox being secure?

All the points raised so far on this thread are basically deployment
issues, from the wide diversity of clients (too many targets =
shotgun approach slows down infection rates), to the side effect of
OSS having more eyes on it, to the execute bit, to users not running
with admin rights.

These all make it harder to get the malware onto the machine in an
executable format than the comparable things for Windows. So it's a
multi-layer defense.

> > If you ever have this debate with an MS fundie, I suggest you
> > sidestep that problematic question by (validly) pointing out
> > that the other guy is setting up a straw man.
>
> Where's the strawman? It seems like a valid question to me (the
> question is not "is Linux perfect?" but "is it less vulnerable?").

Your hypothetical debate moves through deployment issues onto what
happens when the software actually runs. You have the MS guy saying
that once that happens your personal user data is essentially toasted
(and you go <gulp> and don't have an answer). The strawman is
assuming (and maybe claiming) this has something to do with Linux
being less secure than it's touted to be. It isn't; at that point
Linux, Windows and every other OS I've seen will all let you destroy
your own data with equal efficiency. So it becomes a silly argument
where the OSes are actually equal. No, strike that, I just thought of
one small benefit you could implement in Linux: create /home/backups
readable and accessible only by root, and add hardlinks there to
files you want to protect against deletion. Malware can then
'rm -rf ~' all it wants but the files are not actually deleted. A
long-winded approach to be sure, and it might take some time to set up,
but after that cron is your friend.

That's why I say you should keep the debate to the question of
preventing the malware from being deployed at all, and Linux provides
many tools to do just that. Granted, apps like Firefox can be set up
to download and run just about anything which does erode your
security, but I guess we have to live with that possibility (just not
live with having it run like that out the box...)

--
If only you and dead people understand hex,
how many people understand hex?
Alan McKinnon
alan at linuxholdings dot co dot za
+27 82, double three seven, one nine three five
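
The hardlink idea from the message above, as an added example that is not part of the original post. It goes one step past the post by also showing what happens when a protected file is overwritten in place rather than deleted. The function names `protect` and `demo` and the scratch-directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed demo in a scratch directory (no root needed):
# "home" stands in for ~, "backups" for the root-only /home/backups.

# protect SRC DST: hardlink every regular file under SRC into DST,
# mirroring the tree. SRC and DST must be on the same filesystem.
protect() {
    src=$1; dst=$2
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        mkdir -p "$dst/$(dirname "$f")"
        # Keep an existing link; only add names for files not yet protected.
        [ -e "$dst/$f" ] || ln "$src/$f" "$dst/$f"
    done
}

demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/home/docs" "$work/backups"
    chmod 700 "$work/backups"   # real setup: owner root, mode 0700
    echo "thesis draft" > "$work/home/docs/thesis.txt"
    echo "photo index" > "$work/home/notes.txt"

    protect "$work/home" "$work/backups"

    # Case 1: deletion only removes a name; the data is still reachable
    # through the second link.
    rm -rf "$work/home/docs"
    survived=$(cat "$work/backups/docs/thesis.txt")

    # Case 2: truncating in place hits the shared inode, so the copy
    # under backups is emptied too. Hardlinks do not cover this case.
    : > "$work/home/notes.txt"
    size=$(wc -c < "$work/backups/notes.txt" | tr -d ' ')

    rm -rf "$work"
    echo "$survived|$size"
}

demo   # prints: thesis draft|0
```

On a real system root would run `protect` from cron against each home directory. A program that saves by writing a new file and renaming it creates a new inode, so the link under the backup directory keeps the older version.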