I have what may seem a very vague question. But I'm just not sure I know the answer, and I want to.

What security risks am I running, really, given the following:

• I run Debian Sid without regular apt upgrades of any sort (coz everything I need for now works fine)
• I use Firefox 2.0 with default security settings
• I have a firewall up and running
• I don't open email attachments or visit dodgy websites

My assumption is I am living safely. If only because in the real world, the Linux OS doesn't attract the attention of the guys who write malware and spyware and trojans and viruses and the like.

So I guess this is my three-part question:

1. Is my assumption correct?
2. If not, which security hole should I address first (I'm guessing the browser)
3. If my assumption is (in general) correct, is that more due to fundamental security strengths of Linux, or simply to the small numbers of people using the OS?

Yeah yeah, these are big questions I know. But as a bit of a non-techie outsider, I would really appreciate hearing your ideas!

Thanks.

LOL-you seem almost paranoid. Linux is extremely secure, I would not worry about it. Any cracker would hate to go into your computer-if that is what you are worried about.

Your assumption is generally correct. Linux, Unix, and the *BSDs are safer than any edition of Windows. There aren't very many other options for desktop computer operating systems so you are doing as well as you can do by running Linux. Remember that nothing is perfect. SELinux was created because someone (meaning the NSA) perceived that there was a need to enhance the security on Linux.
Briefly, no.
The browser is a good choice for your first priority. You can disable Java, Java Script, loading images from servers other than the one that you connected to, stop html address referring, clear private data when the browser exits, stop Flash and other plugins, and other stuff. You will probably find that the cure is worse than the disease. I take another approach. I have one account for general Internet usage that doesn't have any personal information, then I have another account with email, my checkbook, my personal photos, and other personal information. The general Internet usage account cannot see into the home directory of the personal information account.

Other things that you can do include:
- keep your patches up to date. You should check for updates at least once a week for the software that you have installed.
- keep your user account home directories (in the /home directory) on their own partition and mount the /home partition with the noexec parameter
- create two container files with a file system in each. Mount one through a loop device onto the /tmp directory with the noexec parameter. Mount the other one on the /var/tmp directory with the noexec parameter. Your fstab would look something like this:
You can see that I have two files in /var/sys.common, which is a partition in its own right. The file tmp.loop is 200 MB and contains a file system. It is mounted through a loop device at boot time on the /tmp directory with the noexec parameter. The other file is named var-tmp.loop. It also contains a file system and is mounted through a loop device at boot time on the /var/tmp directory with the noexec parameter. Note that there is a small set of applications, like Wine, that require the ability to run a program from the /tmp directory. This is not possible with this setup.
Linux enjoys a smaller universe of malware but remember, the expression "rootkit" was invented on Unix. As I said above, Linux and friends are a better choice than Windows due to the design of Linux et. al. and to much higher quality of workmanship in creating the components and applications.

Visit the Security Focus web site. They have a section for Linux and another one for Unix.

www.securityfocus.com

You'll see that most of the reported exploits either apply to web server software or database server software or require the attacker to log in to the machine before he can do any harm. If you don't run a web server or database server and if you have strong passwords then you are in good shape.

I agree with Kalabanta. Paranoid is not a bad thing, but Linux is a step ahead of the competition when it comes to security.
I know you say you don't regularly update, and that's fine, but it would be a good idea to keep up to date as far as security-related patches and the like.
Firefox is pretty secure too, but for example, there recently was a security-patch for some versions of Firefox.
You have a firewall, a good browser, you don't browse the net as ROOT user, avoid dodgy sites, validate/checksum anything you plan to install, sounds like you are doing fine!

I do. I open all attachments, sometimes they contain viruses and that's a little fun to open them and see how they are done. I visit all websites I want to. Sometimes I run anti-virus scan after that. All I've found so far is a couple of MS-Java viruses. Totally harmless with Sun Java and in Linux environment.
This is the freedom everybody should enjoy. People afraid to use the internet - this is the damage Microsoft has done.

Thanks guys for all those tips. Especially stress_junkie. I learned some new stuff there, particularly about SELinux and rootkits. Will be keeping your post for future reference.

Emerson, you're absolutely right. I still have the scars from bad Microsoft experiences! I moved to Linux in order to feel in control of my computer. And I won't be going back, ever.