Quote:
Originally Posted by Miati
I've been seeing the title phrase above a lot (reading about security).
One of the troubles with this kind of discussion is that it elides different types of thing, and it very easily comes up with nonsense as a result. GIGO.
Quote:
Originally Posted by Miati
Basically, the argument for why Windows gets hit with malware so often is because Windows is installed everywhere and Linux is clearly in the minority and is thus protected.
From my understanding though, Unix-like systems (Linux, BSD) run practically everything except desktops (you know - in a majority). It runs all sorts of embedded stuff (TVs, routers), servers (Amazon, Netflix, Yahoo), supercomputers, etc.
*nix based systems are apparently commonplace and must be high value targets (servers and routers have got to be valuable sources to crack)
Windows has a number of disadvantages from a security point of view, but the argument about servers and routers is quite different, and also interesting.
First of all, note that some quite high profile organisations use Windows Server for their web presence, so it is possible to make Windows Server adequately secure (...wouldn't like to do it myself, but that's an entirely different debate...).
One of the key things here is that servers don't get 'random' bits of software installed, with limited knowledge about their provenance. (Well, at least, not by anyone with a brain cell to deploy, anyway.) Because you don't install idiot bits of software downloaded from entirely unreliable sources scattered around t' interwebs, you don't get all of the security problems that come with those bits of software. Of course, you can argue whether, had this happened to Linux, it would be a Linux problem...you've installed, for example, something by Adobe and imported a vulnerability that wasn't in the original Linux.
Is this a Linux problem or not?
Well, this makes a massive difference to how you look at things, so you have to have an answer. It is still a Linux system that is vulnerable, but the vuln wasn't in your original Linux system.
In any case, because Linux has a system that makes sense for installing apps (broadly, you get them from your Linux distro supplier, and broadly it is as simple as clicking a button in an app that your distro has provided for the purpose) and has had that for over a decade, if your distro's security team does a good job, and you click the 'update' button on a frequent basis, you are less exposed to this risk than you would be in another situation.
There is a side order of 'well, we wrote the app, but we can't be bothered to update it in a timely manner, because it is all proprietary, and no one can call us out on it, because they can't see the source code and see how simple it would be to fix, if they did...' but that is probably a smaller proportion of the problem.
In any case, have a look at routers; there are plenty of reports of vulns, to the extent that probably the majority of routers out there are proudly sporting some (relatively) easily exploitable vulnerability. So, given that mostly, people do not install apps on their router, how does that come about?
The trouble here is that
- router manufacturers tend to regard their software as 'fit and fire'; they blow the software in production, and lose interest rapidly, in particular, once the router is out of series production
- people often entirely ignore the requirement to keep router software updated
The end result is that routers really are usually vulnerable, but, in a way, it isn't usually as important as if they had done that to your computer. If someone 'pwns' a router, they've got a router. They haven't got your credit card details, they haven't erased the root partition of your computer (although there are some unpleasant things that they could do, broadly they aren't the things that make them easy money) and they aren't in a position to hold your data for ransom.
Quote:
Originally Posted by Miati
Since Linux has existed for a long time (decades' worth, after all), and since the same code that ran decades ago is still relevant today (in the terminal at least), there ought to be well refined, heavy set malware ready to go in our "desktop linux" world.
so..
Weeeelllll....
Kernel flaws are kernel flaws. The kernel has existed for quite a long time, but there is a reasonably rapid turnover of code. Once it is known that 'doing it this way' is flawed, there tends to be quite a quick change to another way of doing it (as there has to be, of course).
But most of the flaws that get exploited are not kernel flaws. So, something like the SSH/Heartbleed flaw (big enough for you?) was a flaw in the way SSH worked, in that it allowed exploitation. It affected a lot of distro installs (and there will be plenty of people out there who have said 'Ain't going to fix my system 'till there is something broke; it all works, so I don't need no stinkin' updates' and are still running flawed code), but although pretty fundamental, it wasn't a kernel problem, therefore not strictly a Linux problem, even though it did catch most distros (and the patch(es) were made available pretty quickly).
The recent bash exploitability (shellshock) was in the same category; fundamental, but not a kernel issue.
So, those were both serious, they caused much scurrying around to get systems patched 'in time' (whatever that means), but really not many people who took this seriously got reamed. There will still be people who haven't bothered with the patching, of course...
Quote:
Originally Posted by Miati
You may or may not have X, you probably have less "desktopy" programs like libreoffice/banshee/etc but it's otherwise the exact same thing underneath.
As I say, it isn't usually the underneath that is exploited, so what is underneath isn't as relevant as it might at first seem.
Quote:
Should I consider every login attempt to my ssh port an attack?
Well, you probably could, but I don't know how it helps. What do you do with the count that helps anything?
In any case, it is an attack on SSH. It usually depends on badly configured/mis-configured SSH (or flawed key distribution, etc) and isn't a strictly Linux issue. You could turn SSH off, in many desktop cases, of course... You'd still have a Linux system, but one that is immune to SSH exploits (this is minimising attack surface, if you want to be professional about it).
Android, just to make the point, is a whole 'nother story. Android apps are pretty suspect, because no one is really checking them out adequately. Google (this is probably changing) isn't doing a good enough job to ensure that apps only use the access permissions that they say they are going to, or ensure that you can see, up front, the permissions that an app will require. A consequence is that people install apps which do things that are wildly out of proportion to their purported role (and then forget where they have given permissions away).
Now this might not be the world's most pressing problem when a phone is only a phone, but these days, it isn't. You may have paid for things, so maybe your credit card details are there, there is probably a version of your contact list there, and you (or they) wouldn't like everyone to have access to that kind of information (although, none of this is an attack on Android itself....but, whether it is or isn't, it still hurts exactly the same amount).
And, of course, currently only ~5% of Android phones are on Lollipop, and who knows what unfathomable evil is possible with ancient versions of Android (here Apple does better - there is an upgrade path, and people often use it; ordinary Joes (and/or Janes) don't on Android, and so, one way or another, the Android world is full of exploitable phones).
Right now, the percentage of phones out there on Android 2.x is probably similar to the percentage on 5.x, and 2.x would be geriatric even if we weren't on 'Phone OS time' (which is faster even than 'Internet Time').
And, the situation is even worse for people who use alternate app repos - most of the programs there have something suspect about them, even if it is only a hilariously wide interpretation of what a reasonable permission set would be for a particular role (although, you would often be told about this when installing - but, anyone who has gone to an alternate source of programs may well not be put off by that detail).
@replica9000
Quote:
I know the Nexus 6 seems to stutter in performance. I heard it's using encryption by default though.
There is a complex situation with 'encryption by default'. As I understand it, it depends how you get your Lollipop. If you get your Lollipop installed with the device, as originally shipped, you get EBD; if you update an earlier device that originally didn't have encryption, you don't get EBD, but you could still choose encryption.
(I don't think this applies to all Nexuses, but the older ones won't have had any possibility of EBD, so, in that case, you can't be upgrading a device that had originally been EBD - although, what happens if you had a non-EBD device for which you had manually chosen encryption and then upgrade, taking the default, I don't know. You get what you get, is probably the closest I can come.)
If, of course, you choose a device other than a Google device, the manufacturer gets to choose what you get by default (which, sort of, sounds as if I am making Google the manufacturer of the Google devices, which, of course, they're not).
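The "is every SSH login attempt an attack, and what do I do with the count?" exchange above, and the remark that such attempts usually only succeed against badly configured SSH, are the kind of thing that is easier to reason about with something concrete in front of you. The following is an added example, not code from anyone in this thread: it parses a handful of constructed sshd log lines (the hostname, PIDs, usernames and RFC 5737 documentation addresses are made up), counts password failures per source address so a scanner stands out from a user who fat-fingered a password, lists the password-based logins that turning password authentication off would have removed, and audits a constructed sshd_config against a small hardening baseline. The threshold of 3 and the baseline directives are assumptions of the example, not values the post states.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of OpenSSH's syslog output on a
# Debian-like host. Made up for this example; addresses are from RFC 5737.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 box sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:04 box sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:05 box sshd[1205]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:01:07 box sshd[1207]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:01:09 box sshd[1209]: Failed password for root from 203.0.113.7 port 51256 ssh2
Mar  3 10:02:11 box sshd[1211]: Failed password for alice from 198.51.100.9 port 40012 ssh2
Mar  3 10:02:20 box sshd[1213]: Accepted publickey for alice from 198.51.100.9 port 40014 ssh2: ED25519 SHA256:AbCdEf
Mar  3 10:03:00 box sshd[1215]: Accepted password for bob from 192.0.2.25 port 33000 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)


def parse_auth_log(text):
    """Return (failures, accepted).

    failures maps source ip -> list of (user, was_invalid_user);
    accepted is a list of (user, ip, auth_method)."""
    failures = defaultdict(list)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append((m.group("user"), m.group("invalid") is not None))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("user"), m.group("ip"), m.group("method")))
    return failures, accepted


def brute_force_sources(failures, threshold=3):
    """Source addresses with at least `threshold` password failures (assumed threshold).
    Guessing non-existent accounts (admin, oracle) is a scanner signature, so the
    count of 'invalid user' attempts is returned alongside the total."""
    out = []
    for ip, attempts in failures.items():
        if len(attempts) >= threshold:
            invalid = sum(1 for _, was_invalid in attempts if was_invalid)
            out.append((ip, len(attempts), invalid))
    return sorted(out)


def password_logins(accepted):
    """Successful logins that relied on a password: the ones that go away once
    PasswordAuthentication is turned off, so they are worth reviewing first."""
    return [(user, ip) for user, ip, method in accepted if method == "password"]


# Assumed hardening baseline for this example; directive names are lower-cased
# because sshd matches them case-insensitively.
HARDENED_BASELINE = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}


def audit_sshd_config(text):
    """Compare an sshd_config against HARDENED_BASELINE.

    sshd uses the first occurrence of a directive, so later duplicates are ignored
    here too. Directives after a Match block apply conditionally and are skipped.
    Returns a list of (directive, value_found_or_None, expected)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, so '#Pubkey...' is unset
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        seen.setdefault(key, value)
    return [(key, seen.get(key), expected)
            for key, expected in HARDENED_BASELINE.items()
            if seen.get(key) != expected]


# Constructed configs: the weak one leaves password logins and root logins on
# and relies on the compiled-in default for public keys.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    fails, ok = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", brute_force_sources(fails))
    print("password logins to review:", password_logins(ok))
    print("weak config findings:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Run against the constructed log, 203.0.113.7 shows up with five failures (two of them against accounts that do not exist) while alice's single typo followed by a key login does not; the weak config yields four findings and the hardened one none. That is the practical answer to "what do you do with the count": the per-source count, not the raw total, tells you which addresses to block, and the config audit tells you whether those attempts could have succeeded at all.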