Old 04-28-2008, 05:42 PM   #1
ironcove
LQ Newbie
 
Registered: Apr 2008
Posts: 3

Rep: Reputation: 0
Tibetan Hacking Attacks - Targeted Malware on Linux?


Hello,

For those who are unaware, over the past two months there have been a significant number of targeted hacker attacks against pro-Tibetan human rights organisations and individuals. These attacks are covered in the paper that can be found here - http://www.ironcove.net/archives/82

The paper recommends the use of Ubuntu on the Desktop for these organisations as none of the recent malware attacks would have had any effect on an Ubuntu (Linux) Desktop.

My question to the forum is what arguments can be made against the often stated argument that there is no malware for Linux / Ubuntu because the user base is low? If Desktop Linux became popular then malware would be developed and the situation would be the same?

I have some ideas, but would like to put this out and get some ideas from the Linux community.


Thanks
Peter
 
Old 04-28-2008, 06:05 PM   #2
v00d00101
Member
 
Registered: Jun 2003
Location: UK
Distribution: Devuan Beowulf
Posts: 514
Blog Entries: 1

Rep: Reputation: 37
Why Ubuntu? Why not Debian, or Centos, or Fedora, or Gentoo, or something else?

TBH, a Linux system is only as secure as its admin is competent. Incompetent admin and your system will get owned rather quickly, so don't just automatically assume that by installing Linux you are completely safe from crackers.

If you want to get a secure system together, read the security thread that's stickied in this forum.

http://www.linuxquestions.org/questi...erences-45261/

It's a long hard slog that never goes away, especially if you are a high profile target. If a company/organisation fitted that category they had better get themselves the best administrator they can afford, as attacks will be loads, probably on a daily basis.

As for the user base of Linux expanding to a point where malware is a problem, I wouldn't hold your breath. While ever a noob operating system exists (Windows), there will always be noobs willing to use it, leaving Linux for the people who have time to become competent pro users.
 
Old 04-28-2008, 06:57 PM   #3
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by ironcove View Post
My question to the forum is what arguments can be made against the often stated argument that there is no malware for Linux / Ubuntu because the user base is low? If Desktop Linux became popular then malware would be developed and the situation would be the same?
Err, well there's the often-stated one. Unixoid flavours have historically had a security model (something missing from a more popular OS) and that helps. So, even if Linux had the same virus writing effort applied to it, it would be more secure.

As has been mentioned, there are various things that you can do to reduce that level of security (admin 'oversights', moronic user actions, not having a properly set up root account) and it would be nice to think that you (we) never, ever, did any of those but real life means we need security in depth...
 
Old 04-28-2008, 07:01 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by ironcove View Post
My question to the forum is what arguments can be made against the often stated argument that there is no malware for Linux / Ubuntu because the user base is low?
Your premise is severely flawed (and some might say naive). Where did you hear there is no malware for GNU/Linux? I am not aware of any generic operating system on Earth which doesn't have malware written for it. Be it rootkits or trojans or root exploits or whatever, one should ALWAYS be on the defensive when it comes to malware. And the great thing is, you've got some awesome tools freely available to you to help you stay safe. As an example, a stock Ubuntu install comes with AppArmor out-of-the-box. Check the thread linked by v00d00101 for more ideas on tools you can use to increase your security, protecting you not only against malware, but tons of other issues as well (remote exploits, local and network intrusions, bad configurations, administrator errors, etc).

Quote:
If Desktop Linux became popular then malware would be developed and the situation would be the same?
Because this question is based on the same false premise as the previous one, it's not easy to answer it. You might instead ask a theoretical question like "If the number of GNU/Linux desktops was equal to the number of Windows desktops (and the users for both were the same type), would the GNU/Linux desktops be affected by the same amount of malware as the Windows ones?" That sort of question is sure to generate a lot of debate, and because none of us here is psychic, no one would be able to provide you with a solid answer (just personal opinions and such).

Last edited by win32sux; 04-28-2008 at 07:15 PM.
 
Old 04-28-2008, 07:44 PM   #5
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,448
Blog Entries: 7

Rep: Reputation: 2553
win32sux is right.

BUT... The big difference between Windows and other OSes is that most people run Windows from the Administrator account. This makes it very hard to secure, even in the best circumstances.

Furthermore, the "small target" argument is often regurgitated by people who don't fully understand how secure Linux can be.

There was an article written by Nicholas Petreley for The Register, entitled "Security Report: Windows vs Linux", which although somewhat dated, still makes some relevant points. I would highly recommend reading it.

Last edited by rkelsen; 04-28-2008 at 07:46 PM.
 
Old 04-29-2008, 11:41 AM   #6
ironcove
LQ Newbie
 
Registered: Apr 2008
Posts: 3

Original Poster
Rep: Reputation: 0
Excellent input guys.

One of the keys regarding this discussion is that intended users are likely not highly technical and have minimal tech support resources - but do take security seriously. I am working on a guide that will make it easy to get an initial secure desktop configuration and then by following a few simple rules the user can have a relatively secure system that requires minimal ongoing maintenance. The guide will be based on Ubuntu as it is leading the way in an easy to use distribution that has a significant community behind it (the Shuttleworth foundation is also doing good work with nonprofits).

The guide will be aimed at those who want a decent level of security, but not the ultra paranoid. As we all know, absolute security is very difficult to achieve, especially when your adversary has significant resources. The ultra paranoid would need access to more specialist security knowledge - encryption of all data both stored and in transit, anonymous networks like Tor and locked down local systems / networks.

The points regarding malware infection are excellent and are a strong part of the argument for using Ubuntu on the desktop for these types of organisations and users (even though exploitation of the user environment is possible, installation of system wide rootkits via an exploited application or plugin is much more difficult when compared to Windows).

Recent trends have shown that many targeted malware exploitation vectors (on Windows) are third party plugins and applications within the Windows environment. Quicktime, Real Player, Flash, Adobe etc. On a Windows desktop this means ensuring all those little apps are kept up to date, while on Ubuntu as long as you stick to the official repositories apt-get upgrade is all it takes.

Does anyone know of "in the wild" examples where a web based script / malware was able to exploit a Linux user's environment sufficiently to grab files or implement a key logger for that user?
 
Old 04-29-2008, 04:07 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by ironcove View Post
One of the keys regarding this discussion is
In my book this doesn't count as a discussion because so far you haven't reacted to other people's questions.


Quote:
Originally Posted by ironcove View Post
Recent trends have shown that many targeted malware exploitation vectors (on windows) are third party plugins and applications within the Windows environment. Quicktime, Real Player, Flash, Adobe etc. On a windows desktop this means ensuring all those little apps are kept up to date
You sure that's all it takes?


Quote:
Originally Posted by ironcove View Post
Does anyone know of "in the wild" examples where a web based script / malware was able to exploit a Linux users environment sufficiently to grab files or implement a key logger for that user?
With all due respect but if you are a professional with "twelve years of experience" as your site says, then shouldn't you use unambiguous language like "path traversal" and already know to poll the CVE, OSVDB and NVD? Until protocol:// fixes and NoScript Firefox did path traversal and such all by itself. No need for malware. (Besides that, maybe a personal nit, I don't like the term "malware" in the same sentence as GNU/Linux. Only in reference to ClippyOS it is correct to see that historically non-PD/OSS software evolved to ad-supported software, to software posing as something else aka malware. And "popular" sites or AV vendors using the term to dumb it down for a broad audience shouldn't be taken as a cue to use it everywhere, all the time, IMHO.) I regard any plugin that does scripting as a potential risk. Besides what would it matter for your security stance what the vector is? Would it be any less a risk if it was *only* a local triggerable vulnerability?

Last edited by unSpawn; 04-29-2008 at 04:09 PM.
 
Old 04-29-2008, 05:05 PM   #8
jailbait
LQ Guru
 
Registered: Feb 2003
Location: Virginia, USA
Distribution: Debian 12
Posts: 8,337

Rep: Reputation: 548
Quote:
Originally Posted by ironcove
My question to the forum is what arguments can be made against the often stated argument that there is no malware for Linux / Ubuntu because the user base is low? If Desktop Linux became popular then malware would be developed and the situation would be the same?

One of the problems with Microsoft's FUD is that it contains the premise "In The Beginning There Was DOS". Actually computing did not begin with Microsoft DOS. Operating systems were very well established long before the birth of Microsoft. Compared to the existing operating systems of the time early DOS was absurdly primitive. Even today it can be reasonably argued that current Windows is less advanced than the competing operating systems were at the birth of DOS.

Now comes the Microsoft FUD "Is Linux really secure or is Linux security a statistical mirage?" The answer is that Unix, and by extension Linux, was more secure at the birth of DOS than Windows is currently.

In the early days of Unix it went through a security shakedown that was far more extensive than anything DOS/Windows has ever gone through. Unix was developed by groups of graduate students working on government grants to create what is now called the Internet. Most of the system administrators were graduate students working at part time jobs. Clogging up the university computer rooms were undergraduate hackers who took what machine time they could get in the middle of the night to try and learn computing. The hackers had access to Unix source code and they considered breaking security to be part of the learning process. So did the graduate students. The graduate students didn't ban the hackers from the computer room or call the police when the hackers broke security. When the hackers bragged about how smart they were by breaking security the graduate students would fix the security by rewriting code and tightening up the system administration. This went on for years at a number of universities. As Unix developed the graduate student designers always had to take security into consideration and design to very tight security standards or the hackers would tear their code to shreds when it was released. Over the years the graduate students won the Unix security battle.

In contrast no thought was given to security in DOS or Windows design. Modularity was deliberately junked for bundling to maintain the monopoly. People who broke Windows security were arrested or fired instead of being encouraged to brag about how they did it so diagnosing security breaches was difficult. When the malware firestorm broke over Windows the best response that Microsoft could come up with was a pathetic firewall.

The fact that Unix experienced security attacks in its early days far more severe than Windows has ever experienced and the fact that Unix design incorporates security through modularity while Windows design incorporates monopoly through monolithic code means that Windows can never hope to even approach the security level of Unix in 1982, much less current security levels in either Unix or Linux. Linux was designed to Unix specs and follows Unix design principles so all of the security designed into Unix is also found in Linux.

------------------
Steve Stites
 
  

