LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-12-2011, 05:12 AM   #1
JonJAN
LQ Newbie
 
Registered: Aug 2011
Posts: 10

Rep: Reputation: Disabled
Can I trust linux?


I was having a chat with a friend lately, he was talking about migrating osx and I adviced him to try linux. I explained briefly how linux is free developed by nonprofit indivials. He asked how could I trust repos full of compiled code of hundreds of random strangers. I didn't had an answer for this question.

The matter here is not quality of code, stability nor effiency. His doubts was more malware/virus related. I know that its open and I can review the code but passes through lots of people before hitting to the repositories and I can't review compiled packages that I download from repository.

Repos of ubuntu and fedora are huge, I'm pretty sure most and them must be user submitted and user reviewed. I read the fedora review process and its appear anyone can submit and any member of team can review and approve. Makes me wonder how hard it is to get into the team?

How can a person can be sure, that no one will slip something nasty into repos?

Please don't take this wrong way. I love linux and I have been using it for years. Help me understand and make a case here.

Last edited by JonJAN; 08-12-2011 at 05:15 AM.
 
Old 08-12-2011, 05:23 AM   #2
sycamorex
LQ Veteran
 
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,563
Blog Entries: 1

Rep: Reputation: 1024Reputation: 1024Reputation: 1024Reputation: 1024Reputation: 1024Reputation: 1024Reputation: 1024Reputation: 1024
Quote:
how could I trust repos full of compiled code of hundreds of random strangers
I wouldn't exactly call them 'hundreds of random strangers'. Usually packages/patches go through a thorough approval process before they hit the repos.

As to the authenticity of packages provided by some repository, you can always verify a package's signature. As far as I remember it's:

rpm --checksig package.rpm
and
debsig-verify [options] <deb>


I think it's a common misconception about open-source development. Once I heard a guy saying the linux kernel is developed by random strangers scattered all over the world. Each of them just chip in some portion of code and that's how a linux kernel gets developed
 
Old 08-12-2011, 06:02 AM   #3
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Hanover, Germany
Distribution: Main: Gentoo Others: What fits the task
Posts: 15,566
Blog Entries: 2

Rep: Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035Reputation: 4035
The question comes down to: How can I trust anyone that I don't know? Packages from the bigger distributions are well revised, so normally you can trust them. This is of course different if you add random Ubuntu-PPAs to your system, they are set up by non-Canonical people mostly, and therefore you have to have a good look before using that software. A simple way to get around this dilemma is to use Slackware. You have a rather small base repository and compile yourself most additional software from source. This way you have the most trustworthy package maintainer you can think of: yourself.

But you may ask your friend a question: What is more trustworthy: Having a repository with software from your distribution that is well revised, like on most Linux distributions, or collecting your software from hundreds of sites scattered around the net, compiled from people no one ever heard of, like on MacOS X and Windows? Seeing the malware situation on Windows I would say the repository approach works much better.
 
Old 08-12-2011, 06:33 AM   #4
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
This is a very valid question. I would answer it with another question.

Can you trust ANY software you have not written yourself?

The answer is NOT, YOU CAN'T, NEVER, EVER. Nothing guarantees the upstream authors to be playing fair, nor the distro packagers.

But there is a fact that turns GNU/Linux a better option if you are concerned about your packages been evil. When you use an Open Source OS, you know there could be malware. When you use a Closed Source OS, you know it has backdoors for sure. Plese, read Windows' EULA for more details, but basically any propietary OS (and other propietary applications) could be more easily backdoored by their authors without being noticed. Many chinesse Windows computers where taken down some time ago because Microsoft used a backdoor in the system to discover piracy evidences and screw the units down. I don't like piracy, but this shows that Microsoft can break your computer whenever it wants. I have heared of anti-malware companies getting paid by software vendors so their anti-spyware products don't detect backdoors and rootkits purposely placed by the seconds.

Of course, the security of the repositories dependes of the policy of each distribution. With Slackware, I use to only compile from source, so there is no warning of packagers putting malware in my computer. Any distribution that has tough addmision rules, however, is unlikely to have malware in their repositories.
 
1 members found this post helpful.
Old 08-12-2011, 04:12 PM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by BlackRider View Post
This is a very valid question. I would answer it with another question.

Can you trust ANY software you have not written yourself?

The answer is NOT, YOU CAN'T, NEVER, EVER. Nothing guarantees the upstream authors to be playing fair, nor the distro packagers.

But there is a fact that turns GNU/Linux a better option if you are concerned about your packages been evil. When you use an Open Source OS, you know there could be malware. When you use a Closed Source OS, you know it has backdoors for sure. Plese, read Windows' EULA for more details, but basically any propietary OS (and other propietary applications) could be more easily backdoored by their authors without being noticed. Many chinesse Windows computers where taken down some time ago because Microsoft used a backdoor in the system to discover piracy evidences and screw the units down. I don't like piracy, but this shows that Microsoft can break your computer whenever it wants. I have heared of anti-malware companies getting paid by software vendors so their anti-spyware products don't detect backdoors and rootkits purposely placed by the seconds.

Of course, the security of the repositories dependes of the policy of each distribution. With Slackware, I use to only compile from source, so there is no warning of packagers putting malware in my computer. Any distribution that has tough addmision rules, however, is unlikely to have malware in their repositories.
See the bold.

How do you KNOW this? You mention Windows. He's not talking about MS. He's trying to get someone to migrate to Linux from Mac OS X. Are you trying to say that all non-open OSs are backdoored? Based on the MS example that you mentioned? That's quite a stretch. It is quite possible that someone that codes in Linux CAN be nefarious and add some malicious code into the mix. What lessens the effect of that is code auditing. That doesn't always work, though. There have been cases of malware injected into Linux code in the past that made it through security layers. It is always said that you have the option of viewing the code yourself. I don't know about you, but my code review skillset is seriously lacking, and really, not every Linux user should be required to review the code before installing. Authentication of packages that you pull from a repository won't alert on malware that was injected during the coding of the application, either. Building packages and binaries from source isn't 100% safe either, as you could be building something from code that has already been fscked with.

It's all about who you trust and why. The OP's colleage is right, in a sense. The people that code are NOT familiar to you. Sure, some of you may know a few coders that contribute to the cause, but I'm almost 100% positive that you won't know ALL of them. The OP's colleage is also a bit aloof. He hasn't even thought about his Mac's code and the fact that what he suggest as a weakness of Linux also affects OS X. I'm betting some of his installed software isn't created and maintained by Apple's coders.

Basically, this is another risk that each computer user, regardless of platform, has to evaluate before committing to a chosen OS.

My 2 cents is that if someone asks such a question, they don't care about moving to Linux. You're better off spending your time finding someone that is a bit more receptive, IMO. Dunno...maybe you planted the seed of curiosity and he'll investigate Linux on his own? Again, I don't know.

Last edited by unixfool; 08-12-2011 at 04:23 PM.
 
1 members found this post helpful.
Old 08-12-2011, 04:52 PM   #6
John VV
Guru
 
Registered: Aug 2005
Posts: 12,833

Rep: Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709
dual boot osx and say Ubuntu or OpenSUSE 11.4
ans see for YOURSELF
you decide .

in your circumstances OSX might be better OR NOT ?

give a few distros a spin run one for a few months and then switch , then repeat

soon you will find a distro you like , then use it .

Ubuntu is targeted at the VERY new user ( thought is also used by system admins )
OpenSUSE - is a good all around system and targeted at the moderate to very experienced user, though a VERY new to linux user would not have too much of a problem .

Fedora -- apples and oranges .Fedora is a special case and most new users will NOT find it good to use .Some will and those are the tinkerers .


as to security
use the main software repos and you will be 99.9999% fine
there is NO SUCH thing as 100% safe
 
Old 08-12-2011, 05:13 PM   #7
JonJAN
LQ Newbie
 
Registered: Aug 2011
Posts: 10

Original Poster
Rep: Reputation: Disabled
I dug deeper and deeper into this subject and I had been amazed by the fact that how little linux users cared. Most of the linux users have this feeling of supremacy that no virus can hurt them. This is not true and this never was. Hackers just didn't cared about us because it didn't worthed the effort. If nvidia bothers to write a driver for us, if adobe bothers to release flash even for 64bit, I'm pretty sure hackers are already writing viruses for us.

Here are few interesting stuff I found;

A fbi backdoor in openBSD -> http://www.linuxjournal.com/content/...rs-may-be-true
Hiding Backdoors in plain sight contest -> https://backdoorhiding.appspot.com/
Hackers forcefully planted malicious code into opensource software -> http://www.zdnet.com/blog/security/o...urce-code/7787

Quote:
Originally Posted by unixfool View Post
My 2 cents is that if someone asks such a question, they don't care about moving to Linux. You're better off spending your time finding someone that is a bit more receptive, IMO. Dunno...maybe you planted the seed of curiosity and he'll investigate Linux on his own? Again, I don't know.
You are right, but it was a pretty good question and I want to have an answer for it if it pops up again.

Quote:
Originally Posted by John VV View Post
dual boot osx and say Ubuntu or OpenSUSE 11.4
ans see for YOURSELF
you decide .

in your circumstances OSX might be better OR NOT ?

give a few distros a spin run one for a few months and then switch , then repeat

soon you will find a distro you like , then use it .

Ubuntu is targeted at the VERY new user ( thought is also used by system admins )
OpenSUSE - is a good all around system and targeted at the moderate to very experienced user, though a VERY new to linux user would not have too much of a problem .

Fedora -- apples and oranges .Fedora is a special case and most new users will NOT find it good to use .Some will and those are the tinkerers .


as to security
use the main software repos and you will be 99.9999% fine
there is NO SUCH thing as 100% safe
I'm not talking about OSX vs linux and I'm definitely not looking for distro advice.

I just want to learn more about what are the precautions that repos have. For example should I trust rpmfusion for my packages?why?

Last edited by JonJAN; 08-12-2011 at 05:29 PM.
 
Old 08-12-2011, 05:29 PM   #8
John VV
Guru
 
Registered: Aug 2005
Posts: 12,833

Rep: Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709Reputation: 1709
there are a few viruses that run on linux ( about 6 to 12 - might be up to 24 by now )
BUT
As far as know NONE are in the wild
compared to the what 750,000 on MS

Now windows CAN be locked down as secure as any system can be BUT
the DEFAULT settings on most Linux distros , in comparison to windows , are night and day

now i do keep a locked down windows install ( XP and now win7 ) 3 major infections on xp in 8 years , not bad .
since 2004/05, 0 infections on linux and 0 rootkits


now it is easy to set up a linux install to be VERY VERY insecure

see:"Damn Vulnerable Linux" or "Metasploitable"
http://distrowatch.com/table.php?distribution=dvl
http://blog.metasploit.com/2010/05/i...ploitable.html


It all comes down to trust and the fact that there is NO 100% safe( bullet proof) computer OS
one can go to the EXTREME and loch a non-networked computer in a bank vault
BUT
you would still have to trust the owner of the vault .
 
1 members found this post helpful.
Old 08-12-2011, 06:00 PM   #9
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
Mr. unixfool, you have completly lost my point. What I pretended to show is that you can trust nobody. The Microsoft backdoor was an example, just that, but there are many others around (confirmed an unconfirmed) with different levels of severity.

JonJAN's friend says that free software is not trustworthy because its authors are not trustworthy. What I say is that no software is trustworthy at all. Even the software you write can be compromised if you use a compromised compiler (I have seen an example where a compiler was troyanized to generate modified programs). The fact that the software is developed by a firm and released closed source does not mean that it is more secure: it only means that backdoors can be easily concealed. OK, Linus and his team could put malware in the kernel itself and it's likely nobody would notice because there are tons of lines of code, but... there are a lot of freaks, universities and academics that could have a look at the code for educative purposes, or just for fun, or just to adapt a module to a particular circumstance (a friend of mine had to modify the software for his WIFI card once). Serious packagers do look (fast, but they do it) at the code of the apps before packagin it. There is an slightly bigger chance to discover malicious code. A rootkit made by Sony could remain unoticed by years.

By the way, all this chat is not new. I have seen exactly the same subjetc discussed in SlackBuilds.org and Porteus forums. I myself have talked with many people about this, even with some software developers. This is what I suggest: if you don't trust the packagers, use the source code; if you don't trust the source code, sell your computer and return to the paper&pencil age.

EDIT

It is a matter of trust. I use source code when it comes from not-untrusted authors (if the author has not been proven to be a son of a @#~&). This is not to mean I trust that software, it only means that you have no other options that use some kind of software or use your machine as a decoration object. SElinux, for me, is not trustworthy, because the american goverment has already placed backdoors and rootkits in many products. This is what I call "untrustworthy author". I compile my kernels without SElinux support.

I don't know, for example, who wrote lrzip, but I need a compression tool even when I can trust no coder. So I use lrzip because there is little chance for lrzip to contain malware and because it offers no less guarantees that any other tool.

Now, can you trust packagers? Not much. Anyway, if the distribution has hard admision rules, you can say that each packager has demostrated to be of some value to the OSS movement and that some big player has decided he is trustworthy. Do you think Patrick hires a Jo Doe to work in Slackware?

With comunity repositories, the things change. SLAX, for example, offers no much guarantees for the modules the users post. As of today, anyone can put software for download and it will have only a fast check for bizzarre malfunctions. SLAX developer has already told in the forums that he his going to change the repository model.

Last edited by BlackRider; 08-12-2011 at 06:20 PM.
 
Old 08-12-2011, 08:17 PM   #10
Timothy Miller
Member
 
Registered: Feb 2003
Location: Arizona, USA
Distribution: Debian Jessie, OpenSuse 13.1, Chakra.
Posts: 665

Rep: Reputation: 95
IMO, you can't. BUT, you can download the source code and see for yourself there's nothing in it, then you can. You can't verify that on Windows/OSX. Therein lies the reason I will ONLY truly trust Open Source.
 
Old 08-12-2011, 09:17 PM   #11
jefro
Guru
 
Registered: Mar 2008
Posts: 11,380

Rep: Reputation: 1395Reputation: 1395Reputation: 1395Reputation: 1395Reputation: 1395Reputation: 1395Reputation: 1395Reputation: 1395Reputation: 1395Reputation: 1395
You can't trust linux. All OS's are subject to more holes than some rash statement like Linux is secure.

To be sure one of the BSD's have been suggested as the most secure. Problem is that statement like all OS's only involve a very basic OS. The holes exist in the apps installed and the way use user opens holes. It takes less than an hour each year to hack into OS's. See pawn2own contests.

Last edited by jefro; 08-12-2011 at 09:19 PM.
 
1 members found this post helpful.
Old 08-12-2011, 09:33 PM   #12
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by JonJAN
Here are few interesting stuff I found;

A fbi backdoor in openBSD -> http://www.linuxjournal.com/content/...rs-may-be-true
Hiding Backdoors in plain sight contest -> https://backdoorhiding.appspot.com/
Hackers forcefully planted malicious code into opensource software -> http://www.zdnet.com/blog/security/o...urce-code/7787
Trading tit for tat on critical vulnerabilities should see *nix regularly come out ahead. I would imagine you can find a couple instances of slight problems with Microsoft's and/or Apple's operating systems as well.

Quote:
Originally Posted by JonJAN
I just want to learn more about what are the precautions that repos have. For example should I trust rpmfusion for my packages?why?
On a very basic level, I (personally) would not trust any package that has not been cryptographically signed by the repository maintainer. That said, there are usually a number of weak links with public key cryptography (public key distribution, for instance; are you sure you got the real key?). But if a repo is not even providing signed packages (or source tarballs), you should view it as a serious red flag.

But that's something of a digression. You're really asking whether open source is "more trustworthy" than closed source. IMO, well vetted, widely used open source projects should theoretically produce cleaner, safer code. Period. But I truly don't know whether good, regularly updated empirical evidence is available to demonstrate this point. I have read many, many biased and editorialized comparisons.

If you're here gathering information just so you can tell off your smart @ss friend, then treat it like any (supported) debate. Put together references that support your position, and tear him a new one.

If you're here with a practical angle, and would like to learn more about a well-designed Linux distro with security in mind, then learn about: http://www.openwall.com/Owl/
 
Old 08-15-2011, 02:19 PM   #13
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by Timothy Miller View Post
IMO, you can't. BUT, you can download the source code and see for yourself there's nothing in it, then you can. You can't verify that on Windows/OSX. Therein lies the reason I will ONLY truly trust Open Source.
That only works if you know how to read the source code. And even if you know how to read it, you might not recognize the exploit code.

I'm not trying to stir the pot, but really, what you're saying is a bit unrealistic. Let's get fundamental. You use a bank to store your money, right? Banks are hardly open but people use them anyways. What I'm getting at is that trust is implied.

I'm not being negative about open source (hell, I use it too, but I'm not zealous -- not pointing fingers), but there has to be something more than the example you just gave. That's not really enough to trust. You can't honestly think that everyone that uses Linux knows how to read source code (or that they should be forced to learn to read code)....at least I hope you don't think that.

From anomie:

Quote:
You're really asking whether open source is "more trustworthy" than closed source. IMO, well vetted, widely used open source projects should theoretically produce cleaner, safer code. Period. But I truly don't know whether good, regularly updated empirical evidence is available to demonstrate this point.
THAT'S pretty much on the money. It ain't much to work with, but it's about as clear as it gets with what the OP is dealing with.
 
Old 08-15-2011, 02:24 PM   #14
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by BlackRider View Post
By the way, all this chat is not new. I have seen exactly the same subjetc discussed in SlackBuilds.org and Porteus forums. I myself have talked with many people about this, even with some software developers. This is what I suggest: if you don't trust the packagers, use the source code; if you don't trust the source code, sell your computer and return to the paper&pencil age.
No, this subject isn't new, even in these forums.

I'd say if you don't trust the source code, don't use the app. There is usually more than one flavor of a particular app. Selling a computer because you don't trust source code is a bit out there. Maybe, figure a way to make the code more trustworthy (informing the maintainer...having someone who can read source code from a security audit perspective...there are better options than telling someone to use paper and pencil). If there's something hokey and you can somewhat substantiate the claim, I'm pretty sure the maintainer would want to know, as well as the security community.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
TRUST graphical tablet + linux + gimp vmicho Linux - Hardware 1 11-07-2006 05:11 AM
Trust relationship between WinXP Pro PC and Linux Smb ahill Linux - Networking 3 12-02-2005 10:13 AM
How much do you trust Linux? JROCK1980 Linux - Security 0 02-22-2004 03:27 AM
Connecting a Trust cam. to linux box bwyatt Linux - Hardware 3 07-02-2003 08:50 AM
Trust relationship using SAMBA in Redhat Linux 7.2 dibakar Linux - Networking 5 02-22-2003 12:36 PM


All times are GMT -5. The time now is 02:30 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration