LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Closed Thread
Old 03-15-2009, 08:44 PM   #16
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67

As said above, as more attacks happen better security tools will rise. With that said, Linux is way ahead of the game compared to other OSes. Fedora is driving the game a lot with security since Red Hat took over a lot of SELinux. SELinux combined with grsecurity for a hardened server is extremely secure. SELinux policy protects applications from doing things they are not supposed to. The policy states what program can access what and on what ports it can do so. Add grsecurity into the mix and then you take into account all the kernel protection features of grsecurity like non-exec pages, ASLR, chroot restrictions, /tmp race protection, network based randomization, kernel based randomization, etc. Then add in a firewall, anti-virus, rootkit detectors, and IDS and you will be A LOT safer than you ever could be on Windows.


As for spyware/malware, 90% of it comes from users not knowing what to surf. As I said above, I have been surfing for over 10 years and have yet to get a virus/malware/spyware, and I don't run a firewall or anti-virus on my Windows boxes or Linux boxes. (I know I said above that it's good to run, but I don't like to, considering I have 15+K viruses on one of my machines to play with for reverse engineering.) What is the percentage of well known websites that get infected with malware/spyware (ex. cnn, google, foxnews, amazon, microsuck, etc.)? It's very low.

As said above, if you really really want a firewall that does hash checking to give that "extra" sense of security, WRITE IT. Until then please don't waste time bashing Linux. There are people on here that want help and we are here to help them.
 
Old 03-15-2009, 09:30 PM   #17
Delphin
LQ Newbie
 
Registered: Feb 2009
Posts: 10

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by jschiwal
Linux users tend to use applications that their distro's supply, rather than running an installation program from a binary installer that they downloaded from a web site or purchased in a store.
---
A very well reasoned and thoughtful post jschiwal, but here's something you might find interesting (and just a bit sobering I think) . . .

Debian and Ubuntu OpenSSL generates useless crypto keys

And here's a plain text link to the source Debian announcement cited in the above article so you can see that the points made by the author are not some kind of Microsoft anti-linux propaganda . . .

http://lists.debian.org/debian-secur.../msg00152.html


Quoting from the above article by Liam Tung, ZDNet.com.au -

Quote:
Novologica's Herath said this is a "spectacular screw up" on the part of the maintainers of the Debian system.

"It is quite commonplace that package maintainers of certain Linux distributions modify the source code of a given package to suit the specificities of a particular distribution. However, these changes are often not submitted to the original developers of the package for scrutiny," he said.

"The changes made to the Debian OpenSSL package ... is in my view a spectacular screw up that clearly demonstrates the dangers of this modification process, where changes are not reviewed by the original authors of the package let alone any third-party experts prior to being made available to the public."
I'm not going to accuse anyone here, but one of the favorite tricks the NSA likes to use with those evil money grubbing commercial software packages (if they want to be approved), is to force them to WEAKEN THE RANDOM NUMBER FUNCTIONS USED FOR KEY GENERATION.

Microsoft has almost certainly been paid off to weaken SSL in THEIR package, so how very, very, STRANGE that something so very, very, SIMILAR just sort of 'accidentally' happened to the Debian SSL libraries.

How this just 'accidentally' happened has all been explained, here -

http://lwn.net/Articles/282230/

Gee, that sounds sooooo convincing, but here are a few things to think about -

Do you know any of the people involved? How do we know that the names and stories have not just been made up for 'plausible deniability' while ONE individual, using a pair of bogus IDs, both proposed AND approved his own shill 'software fix suggestion' to intentionally create this little security loophole?

Personally, I think it’s a prime example of how malicious code can be finessed into the code base in a VERY subtle fashion [quite likely, a very slick piece of work on the part of the NSA that took almost two years to catch]

This library is the core system code used to generate private-public key pairs and to set up secure connections, and this dangerously flaky non-secure crypto code was included as part of the largest, most widespread Linux distro on the planet for almost TWO YEARS before being caught.

Some have speculated that the non-secure keys and security certificates generated by this code will still be being tracked down for YEARS to come.

Just something to think about when you assume that viruses or spyware can’t creep into official distributions.

Oh, and by the way, just a quick post script -

MD5 is no longer secure on its own as a hashing algorithm to check against code modification attacks:

http://cryptography.hyperlink.cz/MD5_collisions.html

As you can see, there are now readily available tools on the web, which can take an exe or dll and add a malicious block of code, and then pad the result to give a file that will generate THE EXACT SAME MD5 as the original unmodified file.

Using SHA alone might be ok as an alternative for now, but the NSA tinkered with SHA early on and I have never known them to approve an algorithm for public use that they themselves couldn’t break, so when someone else finds the backdoor weakness, SHA will be no better off than MD5.

Checking both the MD5 and File length gives some additional protection, but if you want true bullet proof hashing, you should use a tool that generates and checks BOTH SHA AND MD5 signatures at the same time.

These two hashes have different hash lengths and very different internal structures, so even with their respective weaknesses, the chance of anyone being able to screw with a file in a way that fools both hash algorithms at the same time should be negligibly small.

As you can see, I know just a little about computer security (at least enough to be wary of what I don't know). Wish I could say the same about some others in the Linux community.

- Delphin

Last edited by Delphin; 03-15-2009 at 09:52 PM.
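The post above recommends checking a download against more than one digest. The following is an added example written for this page, not code from the post, from Debian or from any tool the post names. It uses the coreutils programs every Linux box ships (md5sum, sha256sum, stat): verify_digests checks one file against an MD5 digest, a SHA-256 digest and, optionally, its byte length, and verify_lists checks whole MD5SUMS/SHA256SUMS lists of the kind distributions publish next to their ISOs. The file, list and digest values are placeholders.

```shell
#!/bin/sh
# Added example: verify a downloaded file against more than one published digest.
# Every digest supplied must match; a mismatch in any of them fails the check.
# Assumes GNU coreutils (md5sum, sha256sum, stat) as found on any Linux box.

# verify_digests FILE MD5 SHA256 [SIZE]
#   Returns 0 when every supplied value matches, 1 on any mismatch, 2 if FILE is missing.
#   All mismatches are reported, not just the first, so a bad listing is easy to spot.
verify_digests() {
    file=$1 want_md5=$2 want_sha256=$3 want_size=${4:-}
    [ -f "$file" ] || { printf 'missing: %s\n' "$file" >&2; return 2; }
    status=0
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    have_sha256=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$have_md5" != "$want_md5" ]; then
        printf 'MD5 mismatch for %s: expected %s, got %s\n' "$file" "$want_md5" "$have_md5" >&2
        status=1
    fi
    if [ "$have_sha256" != "$want_sha256" ]; then
        printf 'SHA-256 mismatch for %s: expected %s, got %s\n' "$file" "$want_sha256" "$have_sha256" >&2
        status=1
    fi
    if [ -n "$want_size" ]; then
        have_size=$(stat -c %s "$file")
        if [ "$have_size" != "$want_size" ]; then
            printf 'size mismatch for %s: expected %s bytes, got %s\n' "$file" "$want_size" "$have_size" >&2
            status=1
        fi
    fi
    return $status
}

# verify_lists DIR MD5SUMS SHA256SUMS
#   Checks every entry of two "<digest>  <name>" lists (the format md5sum/sha256sum
#   emit) that live inside DIR. --strict makes a malformed line a failure rather
#   than a warning, so a truncated or edited list cannot pass silently.
verify_lists() {
    ( cd "$1" && md5sum --quiet --strict -c "$2" && sha256sum --quiet --strict -c "$3" )
}

# Usage: sh verify.sh FILE MD5 SHA256 [SIZE]
if [ $# -ge 3 ]; then verify_digests "$@"; fi
```

Any single mismatch returns non-zero, so a stale or mistyped entry fails loudly instead of being accepted. Treat the SHA-256 line as the real check: Joux's 2004 multicollision result shows that pairing two iterated hashes gains little over the stronger of the pair, so the MD5 and length checks are cross-checks against a bad listing rather than a second lock.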
 
Old 03-15-2009, 09:31 PM   #18
Takla
Member
 
Registered: Aug 2006
Distribution: Debian
Posts: 188

Rep: Reputation: 34
On a personal desktop system, if you're worrying about the behaviour of stuff you already installed and seeking to control it with a Windows-type personal firewall, you are already screwed. It's pointless. I think in the pre-digital age they called it shutting the stable door after the horse has bolted ;-) I'm sure the obviously agitated OP will be enraged by this and will probably use a lot of CAPS and tell us all about how many bearded, suspender-wearing Unix gurus they defeated, yada yada yada. The fact that someone believes their personal firewall "saved" their win32 OS from the ravages of malware by blocking outgoing connection attempts doesn't make it so. What that alert actually tells you is that your PC is already compromised. It doesn't tell you in how many ways. It doesn't let you know about the modified binaries that the firewall permits every single time. It just tells you about the low quality malware and clumsy spyware. The good stuff is almost certainly on there as well and is hardly going to be identified, let alone managed/prevented/purged. It also tells you that either your OS and *wonderful* personal firewall are insecure enough to let through a known intrusion, or that you installed the damn thing yourself, despite being a security genius. I'm sure this happens to Bruce Schneier on a daily basis.

If you're in the habit of installing stuff from untrusted 3rd parties then perhaps stop using it in your examples when you're shouting about security (undermines your credibility).

Modern browsers don't cache https pages and they store passwords and form info encrypted. The fact that you've apparently seen Win 98 give up credit card info from its cache doesn't say anything about Konqueror, Firefox, Epiphany or even IE7 on Windows ;-)

The proposition that a GNU/Linux distro is less secure than Win98 because it "lacks" your favourite placebo is preposterous.

Your first post was quite good but you can refine your method further with the help of the following guide: The /. troll HOWTO
 
Old 03-16-2009, 04:55 AM   #19
Delphin
LQ Newbie
 
Registered: Feb 2009
Posts: 10

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by Takla
On a personal desktop system if you're worrying about the behaviour of stuff you already installed and seeking to control it with a Windows type personal firewall you are already screwed . . .
To run a firewall? Or not to run a firewall? That is the question!

Your argument, when reduced to its fundamentals, seems to be that, if I understand you correctly, because a firewall can’t necessarily block 100% of a virus’s malicious activity, it’s a total waste of time.

What a clever observation! Did you know that parachutes are also somewhat unreliable, and can only be relied upon to open about 99.9 percent of the time?

So if you are ever in a plane spiraling towards the earth, I say it’s silly to take a chance on such an unreliable technology.

So, I suggest you just jump out without it! (Please!!!).

It would give you a chance to both test your theory under real world conditions, and no doubt earn a 'Darwin Award' in the process. Me, I'll take that chance on the parachute.

As to how I stumbled upon (but avoided) three whole viruses in about the last 10 years (my friend's kids manage to pick up about three a MONTH on his XP machine).

Here’s the sad tale (those with short attention spans, feel free to tune to another channel):

I have two old reliable Win98 machines, a 500 MHz Pentium laptop, and a 1GHz AMD Desktop. I also have a 2 GHz Desktop running XP. The XP machine is SLOWER and less stable than even the 500 MHz Win98 laptop, and from what I have seen, Vista is much worse, so I do everything I can to keep my Win98 machines singing along in fine form despite their age.

I like to use my 1GHz AMD Desktop machine for video editing, and because the multimedia software can get broken easily by STUPID Microsoft ‘updates’ to DirectX (often installed by commercial software without asking), I always have the machine fully backed up in its most stable form on a Norton Ghost DVD image.

It literally only takes 5 minutes or less to completely restore the hard drive image from DVD if needed on the 1GHz box, so this system makes a good candidate for safely ‘sand box’ testing new software before risking loading them on my laptop.

I have had the Laptop more than 8 years, and it has NEVER had a virus of ANY sort on it because of this arrangement.

Before the test install on my 1GHz Desktop ‘sand box’ system, I scan the applications with ClamWin (yes they DO have a version for Win98), and if there is still any doubt whatsoever (say, because I haven’t dealt with the site previously), I put the new software’s installer away for a month or two without running it, and then scan it again (to let the ClamWin definitions have a chance to update).

Then when I am ready to install the app on my test system, I run a simple audit program called regshot which snapshots the system drive and registry before the install, and then afterwards takes a second snapshot and gives you a complete log of every file and/or registry value changed or added.

I scan this log for suspicious activity, then save it for future reference in case I have to manually undo any changes.

Then, while running the application for the first time, I do another quick regshot audit to check for further system changes on the first run and shutdown of the application.

While all of the above is going on, I have the firewall in block and notify mode, looking for suspicious network activity.

Sorry for the boring technical details, but since you questioned my judgment . . .

I just rechecked my DVD archived copies against the web sites on the three apps that threw up alarms on my firewall (and later in ClamWin) –

BCX Development Suite - No acknowledgement of a virus (or of the false positive) on the web page, but may have indeed been a false positive, because it’s now NO LONGER showing up as a virus in ClamWin. This is odd, because first it did not show up, then a month later it did, now almost a year later, it’s clear again (typical false positive signature???). The firewall hit may have been caused by the app installer legitimately checking for an update (but I still don’t like apps that look screwy to ClamWin, then try to “phone home”).

Great Cow Basic (on SourceForge) - The site now acknowledges a positive in virus scans on an offsite link to an IDE editor hosted on the site. This false positive was attributed to a false virus detect in the installer. If so, there was still a firewall hit (again, may have been caused by the app installer checking for an update).

QEMU (Windows version of the same emulator shipped with dozens of Linux Distros).

Now acknowledged on the web site that this really WAS a Virus (Trojan) and the firewall DID catch it well before ClamWin was updated to do so.

So, now the Web Site, ClamWin and my Firewall all agree, this was a baddie -

http://www.h7.dion.ne.jp/~qemu-win/

(see note about the USB driver being infected)

So, it was more likely 1 (or possibly 2) viruses, but ClamWin missed them at first, where the firewall caught the suspicious attempt at network activity and clued me in (something still trying to access the network after QEMU was unloaded).

If I had been careless, and run the trojan on my laptop, I didn't see any indication that it would have succeeded in bypassing the firewall, but I'm very relieved to have identified and caught the Trojan before it got onto my laptop, because I do conduct some credit card transactions, and do my banking from the laptop (also, although I do have a full system DVD backup of my laptop, it's a bigger pain to wipe and restore, because of the laptop's hardware configuration).

Overall this is a pretty good score for more than ten years of net surfing for ANY Windows box (at least for anyone that doesn't live in a cave).

As to your implication that I was irresponsible for downloading them in the first place - Gee! I’ll bet no one in the Linux community has ever downloaded QEMU!

All of the other applications, were also from widely respected public projects, and, so far at least, the ONLY one of the three that has been confirmed to definitely have a real VIRUS, is one you may well have on your Linux system right now (minus the virus, which hopefully only made it into the windows version of the USB driver).

So please take your holier than thou ‘software hygiene’ lecture, fold it till it’s all sharp corners, and put it where the sun don’t shine.

In any case, as my previous post shows, even code checked in to the main Linux distribution tree, and shipped as part of the system ISO image, can be tainted without it being detected. My, my, my, could those compromised crypto libraries be the very ones you mentioned as protecting credit card info??? (If so, you might want to open your mouth a little wider so you can insert the other foot)

I never said that Windows 98 had better overall security; it does have some basic protection of kernel processes, but otherwise running applications have way too much freedom to cause mischief (and the file system is totally insecure).

My only point was that - at least so far as spyware trying to "phone home" is concerned - my Win98 box provides some basic security, where in Linux (at least by default) any app can open a port to the outside world, and do pretty much any damn thing it wants to as far as sending your private information out on the internet if you don't take pro-active steps to stop it.

As to your comment about trolling – Hmmm.

I would not like to think I am upsetting folks unnecessarily, or that no one here appreciates my observations (as you certainly appear not to), so let’s check the stats, shall we?

Let’s see . . . As I write this, I have 8 posts, and I have been thanked - let me see – looks like 2 times.

That looks like a solid 25%.

Oh well, I would have liked to please even more folks, but from what I see while doing some quick checks, batting 250 isn’t too bad at all for this forum.

Now let’s check your batting average shall we???

Let’s see Takla - Hmmm 180, carry the naught, divide by ...


Oh Crap!!! My chintzy old antiquated Widowz 98 box has just thrown a “Divide by ZERO!!!” exception and caught FIRE!!!

Help! I’m melting! Melting! Oh, what a world! what a world! . . .

Last edited by Delphin; 03-16-2009 at 06:17 AM.
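The before/after audit described above (snapshot, install, snapshot again, diff the two) carried over to a Linux directory tree, as an added example for this page; it is not from the post and is not regshot or any tool the post names. snapshot_tree records a SHA-256, the mode and the size of every regular file under a directory, and compare_snapshots lists what was added, removed or changed between two snapshots. Directory and file names below are placeholders, and GNU find, sha256sum and stat are assumed.

```shell
#!/bin/sh
# Added example: regshot-style before/after audit for a directory tree on Linux.
# Assumes GNU findutils/coreutils (find, sha256sum, stat) and awk.
# Filenames containing a newline or a tab are not handled by this line format.

# snapshot_tree DIR
#   Prints one tab-separated line per regular file under DIR:
#       <sha256>  <mode>:<size>  <path relative to DIR>
#   sorted by path so two snapshots of the same tree line up.
snapshot_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        meta=$(stat -c '%a:%s' "$f")
        printf '%s\t%s\t%s\n' "$sum" "$meta" "$f"
    done )
}

# compare_snapshots BEFORE AFTER
#   Prints "added", "removed" or "changed", a tab, and the path; prints nothing
#   for files whose content, mode and size are identical in both snapshots.
#   "changed" covers a permission change as well as a content change, since a
#   binary that went setuid is as interesting as one that was rewritten.
compare_snapshots() {
    awk -F'\t' -v OFS='\t' '
        # first file only (the extra FILENAME test keeps an empty BEFORE from
        # swallowing AFTER, the classic NR==FNR pitfall)
        NR == FNR && FILENAME == ARGV[1] { before[$3] = $1 "\t" $2; next }
        {
            if (!($3 in before))               print "added", $3
            else if (before[$3] != $1 "\t" $2) print "changed", $3
            seen[$3] = 1
        }
        END { for (p in before) if (!(p in seen)) print "removed", p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Usage: sh audit.sh snapshot /opt/app > before
#        (run the installer)
#        sh audit.sh snapshot /opt/app > after
#        sh audit.sh compare before after
case ${1:-} in
    snapshot) snapshot_tree "$2" ;;
    compare)  compare_snapshots "$2" "$3" ;;
esac
```

Snapshot /usr/local, /etc and the home directory of the account you install with, run the installer, snapshot again and compare; the first run of the program gets the same treatment, as in the post. Keep the "before" snapshot off the machine being tested, since a program that can rewrite the tree can rewrite the record of it too.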
 
Old 03-16-2009, 05:48 AM   #20
Takla
Member
 
Registered: Aug 2006
Distribution: Debian
Posts: 188

Rep: Reputation: 34
Quote:
Originally Posted by Delphin
To run a firewall? Or not to run a firewall? That is the question!

Your argument, when reduced to its fundamentals, seems to be that, if I understand you correctly, because a firewall can’t necessarily block 100% of a virus’s malicious activity, it’s a total waste of time.

What a clever observation! Did you know that parachutes are also somewhat unreliable and only open about 99.9 percent of the time?

So if you are ever in a plane spiraling towards the earth, I say it’s silly to take a chance on such an unreliable technology.

So, I suggest you just jump out without it! (Please!!!).

Nice flavour.

Did you ever hear about the tourist, lost while driving in rural Ireland, asking the Irishman "How do I get to XYZ?". The Irishman replies "You don't want to start from here."


"because a firewall can’t necessarily block 100% of a virus’s malicious activity"
....

"often installed by commercial software without asking"


"While all of the above is going on,I have the firewall in block and notify mode, looking for suspicious network activity."


"NEVER had a virus of ANY sort"


"I’ll bet no one in the Linux community has ever downloaded QEMU!"


Jewels of !wisdom

The funny thing is that you're the one with Pythonesque self-inoculation procedures (is it the Tuttle virus or the Buttle virus????), the anxiety, the weird and wonderful personal firewall and the server AV on your desktop. And the problem

What I love the most is the vociferous advocacy of this ill informed approach being combined with a crippling fear that it isn't working. Thank you!
 
Old 03-16-2009, 06:50 AM   #21
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
As for the "Thanks" comment... That was just implemented last month. So people that have been around here for a while have had tons of posts where there was no thanks option possible. Nice try.

As for hashes, SHA-512 has not been broken or even brute forced, even by the NSA, nor has SHA-384 (both part of the SHA-2 family).

As for Debian, Slack, Gentoo, etc., _NONE_ of them are authorized in the DoD. Currently only Red Hat 4 and up are authorized because of all the requirements.

If you are trying to base your security knowledge off of Windows 98 and kernel pre-2.4 then you have something else to learn. Windows 98 is no longer updated. So yes, with AV you should be safe against viruses, but what about exploits on Windows 98 that will never be patched because it's too old?

Look anywhere in the DoD: there is not a single Windows machine that touches the internet directly. EVERY Windows box is protected by some type of *nix firewall (mostly Sidewinder (BSD based)) or PIX firewall.
 
Old 03-16-2009, 07:36 AM   #22
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Okay, this thread has gone down the road which I suspected it would (but had hoped it wouldn't). It now has little to do with the original post, and has instead become home to Delphin's giant rant. Delphin, your question has been asked and answered. If you need to make a firewall rule apply to a particular application, you could make the application run as a particular user and then use the --uid-owner iptables match which comes with the owner module. If you believe the GNU/Linux world needs to be able to make firewall rules based on a program's hashes, start a project for that instead of whining about it. Nothing gets accomplished when all you do is whine, except waste members' valuable time which they could have spent helping others.

Last edited by win32sux; 03-17-2009 at 07:26 AM. Reason: Spelling.
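The --uid-owner approach named above, worked through as an added example for this page (not code from the post or from the iptables project). The application is started under a dedicated account and a per-user chain hung off OUTPUT permits only the listed destination ports, logging and rejecting everything else. The owner match only exists for locally generated traffic, so these rules live in OUTPUT. The account name updater, the OUT_ chain prefix and the proto:port spelling of the allow list are assumptions of the example, not anything the thread specifies.

```shell
#!/bin/sh
# Added example: per-application egress filtering with the iptables owner match.
# The owner match is only valid in the OUTPUT chain (locally generated packets),
# so the application must run under its own uid (sudo -u, a systemd User=, ...).
# Assumed names: the IPTABLES binary, the OUT_ chain prefix, proto:port specs.

IPTABLES=${IPTABLES:-iptables}

# owner_egress_rules USER [proto:port ...]
#   Prints the rule arguments, one rule per line, that confine USER's outbound
#   traffic to the listed destination ports. Loopback and replies on already
#   accepted connections pass; anything else is rate-limited to the log and rejected.
owner_egress_rules() {
    user=$1; shift
    # chain names are limited to 28 characters; derive a readable one from the user
    chain=$(printf 'OUT_%s' "$user" | tr 'a-z.-' 'A-Z__' | cut -c1-28)
    printf '%s\n' "-N $chain"
    printf '%s\n' "-A OUTPUT -m owner --uid-owner $user -j $chain"
    printf '%s\n' "-A $chain -o lo -j ACCEPT"
    printf '%s\n' "-A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for spec in "$@"; do
        proto=${spec%%:*}; port=${spec#*:}
        printf '%s\n' "-A $chain -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # LOG prefixes are limited to 29 characters; the limit match keeps a chatty
    # program from flooding the kernel log
    printf '%s\n' "-A $chain -m limit --limit 5/min -j LOG --log-prefix \"egress-$user: \""
    printf '%s\n' "-A $chain -j REJECT --reject-with icmp-port-unreachable"
}

# apply_owner_egress USER [proto:port ...]
#   Runs each rule through $IPTABLES, or just prints the commands when DRY_RUN=1.
#   The loop runs in a pipeline subshell, so a failed rule ends it with exit 1.
apply_owner_egress() {
    owner_egress_rules "$@" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf '%s\n' "$IPTABLES $rule"
        else
            eval "$IPTABLES $rule" || exit 1
        fi
    done
}

# Usage: DRY_RUN=1 sh egress.sh updater tcp:443 udp:53   (then without DRY_RUN, as root)
if [ $# -ge 1 ]; then apply_owner_egress "$@"; fi
```

Run it as root after starting the program with sudo -u updater (or a systemd unit with User=updater); DRY_RUN=1 prints the commands instead of applying them, which is how the example is checked. Note the limits of the approach: every process running as that uid is covered, not one binary, and a process that can change uid (or that runs as root) is not confined by it, which is the difference between this and the per-executable rules the thread is arguing about.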
 
  

