Linux Security
30 May 2009I was reading an interesting blog post about the effects of malware on your computer, and found two gems of comments. The second is a direct response to the first:
The suggestion:
Anyone running Windows volutarily is asking to be hacked. Do yourself a favor- install Linux on a spare machine and try it out. It's friendly, and free! Check out http://www.ubuntu.com/ or http://www.ubuntu.com/getubuntu/downloadThe response:
Changing your operating system isn't the answer. You don't get security through obscurity. For most people, what you propose would add a great deal of complexity (different ecosystem, learning curve of different system, different hardware/software compatibility, etc.) You would be better served learning how to properly secure and operate a Windows based system. Start with the list below:
1. Use a non-admin (limited user) account for daily use
2. Use a firewall (preferably a hardware firewall at the perimeter and a software firewall on each computer)
3. Keep the system fully patched (includes ALL software)
4. Use Antivirus/Antispyware software that is configured to update itself DAILY
5. Practice safe computing (ex. use caution with downloaded files and e-mail attachments, don't click on links in e-mail, browse wisely, etc.)
6. Routinely (at least monthly) backup your data to external media (CD-R, DVD-R, external hard drive, etc.)
7. Install ONLY required software (reduces system attack surface and minimizes patching). AVOID file sharing software! (too risky to system)
8. Optional (but highly recommended):
a.Use a blocking HOSTS file (http://www.mvps.org/winhelp2002/hosts.htm)
b.Enable Windows Automatic Updates (Auto download and install)
c. Use an e-mail client instead of webmail, configure it to “Read all e-mail in plain text”
There are a few points here in the response that are so rediculous and so ignorant that they require public mockery. First off, Linux is not "security by obscurity", that's exactly the security model used by proprietary software like Microsoft. The hope is that if criminals can't see the source code, that they won't be able to find the holes. Apparently, some people think this model works well enough. Here are the rest of the points:
- Talk about the troubles of changing environments, try using Windows as a non-adminstrator user sometime! It's like night and day in terms of usability, especially if you're not the kind of power user who knows how to get into administrator mode to do stuff like install new software. Let me put this into perspective: My grandfather has used a computer for a few years but is by no means "computer literate", much less "computer saavy". His old Win95 box was so overrun by viruses and malware that it was absolutely unusable. So I reformatted the computer to use Fedora instead, and now he has no problems whatsoever. I set up his email account in thunderbird, and I set up his list of bookmarks in firefox, and he was up and running immediately, with no learning curve and no hardships whatsoever. Not only was the transition painless and immediate, but his computing experience from that point forward was far superior to what it would have been otherwise: No invasive anti-virus to deal with. I'll talk more about the evils of antivirus later.
- A hardware firewall "at the perimeter" and a software firewall "on each machine"? Seems like a little much for Joe-Schmoe PC user. Maybe we should all be digging foxholes too, and building reinforced concrete bunkers for our networks. And he leaves out the point about how these firewalls would need to be properly configured because the "default allow" methodology behind most firewalls is inherently faulty anyway. Plus, when the firewall decides that it's not going to allow the social networking application du jure, your average non-techie computer user will be pretty unhappy with their computing experience. Sorry, but throwing more firewalls at the problem is not the solution for most people.
- Do me a favor: Figure out where "ALL software" on your system comes from, and figure out how to independently update all of it. I'm a pretty saavy computer user, and I doubt I could track down the sources for all the software that's on my computer currently, much less find ways to reliably update them all. There are a few programs on my machine that automatically update themselves, but then you run into problems where your automatic updater runs afowl of your firewall (as happens with my Java updater here at work). Also, tell me where you turn when an update to a device driver breaks one of your programs? Or when updating an application "broke the internet"? In most Linux distros, it's as easy as opening the update manger and letting it track and update all your software for you (and you can even set it to run automatically without interference from the system firewall). On Windows, you're up shit creek with this, and there's no two ways about it.
- Antivirus software is the bane of modern computers. I refuse to use it myself, because of the horrible performance penalties you have to pay with it. To give some perspective, my work computer, which is an Intel Core 2 Duo with plenty of RAM boots up in just under two minutes without antivirus installed. With Antivirus, it takes nearly 10 minutes just to turn on. Plus, when it does turn on it's less responsive in many situations. All the while it's popping up nagware "reminders" about the state of my subscription. This completely ignores the fact that antivirus software is almost perpetually out of date because threats usually aren't identified and neutralized until after they are released into the internet. This creates the illusion that you're safe, when so often you are not. Sorry, but antivirus is so much worse then the problem it claims to solve.
- The definition of "safe" computing differs from platform to platform, but in general this does hold equally for all systems. This so far is really the only good advice this poster has provided, and it is in no way an argument for using Windows over Linux.
- Backing up really has nothing to do with security. This is especially true when you think about how often Windows' "autorun" feature has been used as an attack vector by viruses. I might never put another USB flash drive into a Windows computer for as long as I live, I've learned that lesson the hard way.
- What counts as "required"? I do image editing every now and again, is my photo editor a "requirement"? Is FireFox a requirement when we already have IE installed? What about a code editor that's any more advanced then notepad, is that required? What about the tools that I use to stay in touch: Instant messaging, IRC, and Skype? what about office/productivity software? And what about people who's primary reason for having a computer is to share media with friends and family? With a single-purpose server machine, that's one thing. With a family media-oriented PC, that's another entirely. We all know that the safest way to use your computer is to not use it at all, but in this case abstinence is not the solution to the problem.
- Monkeying with your HOSTS file is far too advanced and too risky for your average non-power-user, which is 99% of everybody. Automatic updates are great until they download WGA without your consent and then falsely identify your computer as being pirated, and then restrict your access. I've seen this happen on more then one occasion to people who owned legitimate copies and were technically inable to resolve the situation themselves. I can't imagine that using an email client is any safer then using a good webmail app, especially when most webmail clients have built-in abilities to open Microsoft Office documents, which themselves can be sources of viruses. Gmail for example lets you preview documents like these on the web without having to download them to your computer and run malicious macros. That sounds like the safer way to me.
This entry was originally posted on Blogger and was automatically converted. There may be some broken links and other errors due to the conversion. Please let me know about any serious problems.
Comments
Computer Repair Nassau County
5/30/2009 8:17:50 AM
i also work on linux opreting system.