Why doesn't Linux have antivirus/detection for Java exploits and other flaws?
At least in my opinion, keeping older software stems from a "if it ain't broke" philosophy. A lot of people (me included) tend to view new stuff as untested and would prefer to rely on software that has been through the mill for a bit rather than jump on the latest stuff which may have undiscovered problems. Stable != secure in all cases. As long as the older stuff does what you need it to do and is maintained and patched, why switch?
Yeah, Debian is probably one of the best examples, with patches for the stable branch being issued almost exclusively for security vulnerabilities. Having the code remain as stable as possible can make things more manageable for distribution developers, while at the same time reducing the possibilities of surprises for users/administrators and their environments. If software is meeting one's needs and expectations, upgrading to the latest and greatest upstream version could be asking for trouble. Hence, limiting patches to those which only address issues of the utmost criticality is a widely-accepted approach.
Quote:
Yeah, Debian is probably one of the best examples, with patches for the stable branch being issued almost exclusively for security vulnerabilities. Having the code remain as stable as possible can make things more manageable for distribution developers, while at the same time reducing the possibilities of surprises for users/administrators and their environments. If software is meeting one's needs and expectations, upgrading to the latest and greatest upstream version could be asking for trouble. Hence, limiting patches to those which only address issues of the utmost criticality is a widely-accepted approach.
I definitely agree that Debian is a great example of why stable is a good thing. Now if we could just get the Debian devs to cut back on the amount of patching/alteration they do to the upstream code. I think this is the biggest reason why I stick with Slackware over Debian. It is stable and there is a minimum of Slackware-specific patches.
There is one other aspect affecting the majority of Linux installations that I forgot to mention and that I think helps to address your last question. In Linux, the vast majority of the installed software comes from designated repositories where the software has been examined by a team of people as well as cryptographically 'signed'. As a result, the need to install various applications from unknown sources is dramatically reduced. The net effect is that as long as one installs software only from the known repositories, the chance of acquiring 'infected' code is near negligible because the code base is more tightly controlled and its authenticity is verified before it is installed (the signing). Furthermore, in order to install such software, the user must knowingly grant privilege to do so, making it much harder to slip something in on the sly.
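The "signing" mentioned in the post above is worth seeing as an actual check rather than a word. The following is an added example written for this thread, not code from any poster or from any distribution's package manager. It models the chain of trust that Debian-style archives use: a signed index (the Release/InRelease file) lists the SHA-256 of every package file, the client verifies the index signature with a key it already trusts, and only then compares each downloaded package against the hash in the verified index. So that it runs offline with the standard library alone, HMAC-SHA256 with a constructed key stands in for the OpenPGP signature; the key, the two "packages", the index format and all function names are assumptions made for the example.

```python
"""Added example: minimal model of a signed package repository's chain of
trust. HMAC-SHA256 with a constructed key stands in for the archive's
OpenPGP signature; the shape of the client-side check is the same.
"""
import hashlib
import hmac

# Constructed: the key the client trusts. For a real archive this is the
# distribution's public OpenPGP key, shipped with the installation media.
TRUSTED_KEY = b"constructed-archive-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_index(packages: dict) -> bytes:
    """Archive side: one 'name size sha256' line per package, sorted by name."""
    lines = [f"{name} {len(blob)} {sha256_hex(blob)}"
             for name, blob in sorted(packages.items())]
    return ("\n".join(lines) + "\n").encode()


def sign_index(index: bytes, key: bytes) -> str:
    """Archive side: 'signature' over the index body (HMAC stands in for OpenPGP)."""
    return hmac.new(key, index, hashlib.sha256).hexdigest()


def verify_index(index: bytes, signature: str, key: bytes) -> bool:
    """Client side: constant-time comparison against a freshly computed tag."""
    expected = hmac.new(key, index, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def parse_index(index: bytes) -> dict:
    entries = {}
    for line in index.decode().splitlines():
        name, size, digest = line.split()
        entries[name] = (int(size), digest)
    return entries


def verify_package(name: str, blob: bytes, index: bytes, signature: str,
                   key: bytes = TRUSTED_KEY) -> str:
    """Client side. Returns 'ok', 'bad-index-signature', 'unknown-package'
    or 'hash-mismatch'. Nothing would be installed unless the result is 'ok'."""
    if not verify_index(index, signature, key):
        return "bad-index-signature"   # index forged, altered, or signed by another key
    entries = parse_index(index)
    if name not in entries:
        return "unknown-package"       # the archive never published this package
    size, digest = entries[name]
    if len(blob) != size or not hmac.compare_digest(sha256_hex(blob), digest):
        return "hash-mismatch"         # package bytes differ from what was signed
    return "ok"


# Constructed sample archive with two tiny "packages".
PACKAGES = {
    "editor": b"#!/bin/sh\necho editing\n",
    "netutil": b"#!/bin/sh\necho ping\n",
}
INDEX = build_index(PACKAGES)
SIGNATURE = sign_index(INDEX, TRUSTED_KEY)


def demo() -> dict:
    """Run the client check against a genuine download and three tampering cases."""
    genuine = PACKAGES["editor"]
    return {
        "genuine": verify_package("editor", genuine, INDEX, SIGNATURE),
        # A mirror swaps the package bytes but cannot change the signed index.
        "modified_package": verify_package("editor", genuine + b"echo extra\n", INDEX, SIGNATURE),
        # A mirror edits the index to list its own hash: the signature no longer matches.
        "edited_index": verify_package("editor", genuine, INDEX.replace(b"editor", b"editor2"), SIGNATURE),
        # A mirror re-signs the index with a key the client does not trust.
        "foreign_key": verify_package("editor", genuine, INDEX, sign_index(INDEX, b"mirror-key")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} {result}")
```

The point of the two-step structure is that the signature covers the index, not each package, so a single trusted key protects every file the archive publishes, and an untrusted mirror can serve the files without being able to alter them. What the check proves is that a package is byte-for-byte what the archive signed; it says nothing about whether the archive's own maintainers reviewed that code, which is a separate question of who holds the signing key.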
See, this is the problem. This mentality right here. You might get your software from a repository, but 90% of it is not reviewed before being added. It's left to the developer. All it takes is one malicious "developer" to write a virus into a legitimate-looking program and BAM, you inadvertently run a virus as root.
As far as Java goes, oh man, a virus can wreak almost as much damage as a user, especially if it's a desktop. What about all your user data in /home/?? It can still open ports 1025+, so it can still phone home, it can still go through your data files, and/or make them available to whomever. I can also imagine if it sniffs passwords too, it could pick up your login, and if you have a "sudo"-enabled machine, root you.
There are virus scanners, like ClamAV, and there is always "LinuxShield" by McAfee.
Edit: On the same note, the chances of a virus scanner actually finding a virus are slim. All they are really good for is stemming mass outbreaks once a virus has already infected half the planet, and they are good for recovery. Or the poorly written ones from "kits" that are so similar virus scanners pick them up as the same one.
If a virus propagates slower, it just might be a long, long time before it is discovered.
Last edited by Jack Sparrow; 12-23-2010 at 01:48 AM.
Quote:
See, this is the problem. This mentality right here. You might get your software from a repository, but 90% of it is not reviewed before being added. It's left to the developer. All it takes is one malicious "developer" to write a virus into a legitimate-looking program and BAM, you inadvertently run a virus as root.
So what is the answer then? Following your approach, we should not trust any software that we personally haven't written. The fact of the matter is that it is all about trust. Can someone slip malware into a repository? Sure they can. Should we let the fear of such a happening prevent us from using repositories? In my opinion, no. Repositories generally contain software that is used by a lot of people, and putting malware into those probably increases the chances of it being detected. There is no 100% safe approach.
Quote:
See, this is the problem. This mentality right here. You might get your software from a repository, but 90% of it is not reviewed before being added. It's left to the developer. All it takes is one malicious "developer" to write a virus into a legitimate-looking program and BAM, you inadvertently run a virus as root.
[MODERATOR EDIT]
// I don't know if you were serious or joking, but personal attacks violate the LQ Rules. --win32sux
@everyone: smoker was basically asking for proof of the quoted claim.
Last edited by win32sux; 12-23-2010 at 04:37 PM.
Reason: Removed insult and stuff.
Quote:
You might get your software from a repository, but 90% of it is not reviewed before being added. It's left to the developer. All it takes is one malicious "developer" to write a virus into a legitimate-looking program and BAM, you inadvertently run a virus as root.
Okay, even if we assume 90% of statistics aren't made up, it's still kind of weird for a developer to include a virus in this manner. Sure, I can understand something like a backdoor or some kind of remote vulnerability if they really want to be evil... but a virus? It would get picked up way too easily by anyone with half-decent IDS procedures (no programming experience necessary).
I mean, at least if they intentionally include a remotely-exploitable vulnerability they can make it look like a programming error. Take for example the Debian OpenSSL fiasco from not too long ago. There's really no way to know for sure whether the package maintainer that committed the code had evil intentions or not. With a virus, OTOH, there's very little room for plausible deniability.
Last edited by win32sux; 12-26-2010 at 07:38 AM.
Reason: Added link.
I think we need to look more at what the exploit can be used to do than the exploits themselves. Typically the exploit is just the door opening for the code to be executed in order to further compromise a system. This is where Linux differs from Windows.
On a Windows system you get hit with a drive by attack via a remote exploit which exposes parts of the OS's internals to the attacker, at this point the virus/malware drops its payload to further wreak havoc and installs applications to "phone home" and download more code and possibly install a backdoor and botnet and the problems grows from there.
On a Linux system you are just as exposed to these types of attacks however most botnet kits and exploits are Win32 code and will not run on a Linux system. Also there is some protection due to the way in which Linux handles file permissions and will require root access, and a corresponding local exploit will be needed in order to give the payload root access.
The only real way I know to stay clear of all of this stuff is with jails and virtual machines, and it's not a good solution due to other exploits which will allow you to break out of jails and kernel-level rootkits that kill virtualization like Blue Pill.
I personally think that Windows 7 with their bit blocking and memory protection are better at stopping these types of attacks, but we don't notice this because Windows is such a big target with so many opportunities for exploits and Linux is just not on the hackers radar as a major target.
Just read what happens at the Pwn2Own contests.. the first thing to fall is typically a Flash/Safari/OSX combination.
I really think we need more kernel hardening and memory protection in the Linux kernel. I always run rkhunter and chkrootkit and other tools, but they don't really check the running memory, from my knowledge. There is a difference between a rootkit and an exploit, and ClamAV doesn't scan memory from my knowledge of it, just files, so if you're running and you've been exploited there is nothing I know of in Linux or BSD to check active memory for exploit code. The only good thing is that in Linux/BSD it will be difficult for the exploit code to make the jump from RAM to hard disk, as the Linux and BSD swap spaces are given special permissions and are on separate partitions. I still have more faith in Linux and BSD for security than Windows simply by their design. I just hope I don't have to eat my words later.
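The gap described in the post above (file scanners such as ClamAV, rkhunter and chkrootkit look at what is on disk, not at what is already running) can be narrowed a little with runtime checks that need no signatures. The following is an added example written for this thread, not code from any poster or from any of those tools. It uses two indicators Linux exposes through /proc: a process whose executable was unlinked after it started (the kernel appends " (deleted)" to the /proc/<pid>/exe link target), and a process whose mapped executable no longer hashes to the value in a trusted inventory such as the package database's recorded file digests. The inventory, the four sample processes and their paths are constructed for the example, as are the function names; collect_snapshot() builds a real snapshot from /proc when run on a Linux host.

```python
"""Added example: runtime indicators that file-only scanners miss.
inspect_snapshot() works on a constructed snapshot so it runs anywhere;
collect_snapshot() builds the same structure from a live /proc on Linux.
"""
import hashlib
import os


def inspect_snapshot(snapshot: list, known_good: dict) -> list:
    """Return a list of (pid, reason) findings.

    snapshot: dicts with pid, comm, exe (readlink of /proc/<pid>/exe) and
    exe_sha256 (hash of the bytes the process was started from).
    known_good: path -> sha256 from a trusted inventory."""
    findings = []
    for proc in snapshot:
        exe = proc["exe"]
        if exe.endswith(" (deleted)"):
            # Backing file is gone: a disk scan has nothing left to look at.
            findings.append((proc["pid"], "executable unlinked while running: " + exe))
            continue
        expected = known_good.get(exe)
        if expected is None:
            findings.append((proc["pid"], "executable not in trusted inventory: " + exe))
        elif expected != proc["exe_sha256"]:
            findings.append((proc["pid"], "running binary differs from inventory: " + exe))
    return findings


def collect_snapshot() -> list:
    """Linux only. Reads /proc; other users' processes need root. Kernel
    threads (no exe link) and processes that exit mid-walk are skipped."""
    snapshot = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            # /proc/<pid>/exe opens the mapped file even after it was unlinked,
            # so this hashes what is running rather than whatever the path
            # currently points at on disk.
            with open(f"/proc/{pid}/exe", "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
        except OSError:
            continue
        snapshot.append({"pid": int(pid), "comm": comm, "exe": exe, "exe_sha256": digest})
    return snapshot


def _h(text: str) -> str:
    """Hash of a constructed stand-in for binary content."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed trusted inventory (a real one would come from the package
# manager's recorded file digests).
SAMPLE_KNOWN_GOOD = {
    "/usr/sbin/sshd": _h("constructed sshd binary"),
    "/usr/sbin/cron": _h("constructed cron binary"),
}

# Constructed snapshot: one clean process and three that deserve a look.
SAMPLE_SNAPSHOT = [
    {"pid": 412,  "comm": "sshd",   "exe": "/usr/sbin/sshd",         "exe_sha256": _h("constructed sshd binary")},
    {"pid": 913,  "comm": "java",   "exe": "/tmp/stage (deleted)",   "exe_sha256": _h("constructed dropped file")},
    {"pid": 1201, "comm": "cron",   "exe": "/usr/sbin/cron",         "exe_sha256": _h("constructed replaced cron")},
    {"pid": 1300, "comm": "editor", "exe": "/opt/editor/bin/editor", "exe_sha256": _h("constructed editor")},
]


if __name__ == "__main__":
    for pid, reason in inspect_snapshot(SAMPLE_SNAPSHOT, SAMPLE_KNOWN_GOOD):
        print(pid, reason)
```

Two limits are worth keeping in mind. Code injected into a legitimate process (a preloaded library, a ptrace attach) leaves the exe link and its hash untouched, so this check does not cover that case; it only catches processes started from a deleted or altered file. And a kernel-level rootkit of the kind the post mentions can hide processes or falsify /proc entirely, so a result from the compromised host is only as trustworthy as the kernel producing it; comparing against a snapshot taken from a known-good boot or from outside the host is the sturdier version of the same idea.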
As someone else pointed out, that is a theoretical scenario, not an actual virus "in the wild." I have heard many times that there are no Linux viruses "in the wild," though I have no idea if it is true...but it seems to be, even based on the fact that you could not post a link to an actual, live exploit. Not to mention, many exploits (like Trojan horses that get installed on Windows if you have no firewall, without you even visiting a website) take advantage of vulnerabilities in network protocols, network hardware, and so forth...it really is not always about the operating system, like if someone forges packet headers to make an unsolicited packet look like it's a response to a request you made.
What's important to understand in any Linux-vs-Windows security discussion is that the whole "there aren't Linux viruses because Linux isn't as popular as Windows" is a bunch of hogwash! There are millions of Linux users, and what about all the Linux boxes running critical infrastructure? Those are valuable targets in anyone's book! So you really have to be computer-illiterate to accept that.
People pointed out a few differences between Linux and Windows which are important, but there are 2 key points any Linux-vs-Windows security debate misses entirely:
Security is an entirely different ballgame for a home user versus a server providing services over a network (especially Internet services). On Linux, the difference is far more polarized than on Windows.
The security of Linux as an operating system is the summation of a large set of significant factors, which by themselves are important, but altogether are virtually insurmountable to get a virus widespread.
Some thoughts (a few already mentioned):
There is only one Windows "distribution," which is the same except more software is installed on expensive "versions."
Various distributions do not merely install different software. They may install different tools, modified libraries (think of Windows DLLs), a kernel with various functionality built in or not, development headers along with the software (or not) and so on. How services get started varies among distributions ("rc.d" files and so on). If you download source and compile software on the target machine, your software is now different from the guy next door.
Windows settings, by default, are very insecure.
Not only do many Windows users have no idea where to find detailed system settings, but you can't even change some or create an mmc (Microsoft Management Console) on "Windows XP Home." (So you cannot, for example, require users to press "Ctrl-Alt-Del", even if you're Administrator and you know how!)
Likewise, lower-cost versions of Windows actually give you less control over permissions. Excuse me, but WTF?
The Windows installation program prompts (encourages) you to create other users at that time, and then it makes them administrators, too.
You can obfuscate the real partitions and directories in which programs reside depending how you manage symbolic links
Various Linux distributions have changed their filesystems over time (where stuff gets installed to, etc.)
You often can configure various options when installing software on Linux
There are multiple sources from which to get your open-source software, and binary packages are often customized. So it's the same software -- only different!
The end result is, almost any actual threat to your Linux box would depend -- almost exclusively -- on you providing a public service (opening a port) or downloading an infected file.
I am trying to picture an infected file trying to run on a random Linux box, and getting "something does not exist: no such file or directory," "you need program version x.x+," and "undefined symbol" errors while trying to run, LOL!
Now you combine all that with the fact that a computer-literate person knows better than to trust publicly-shared files without signatures, knows to customize JavaScript and cookie settings, knows to use "NoScript" and "AdBlock Plus" with Firefox to avoid the issue of infected websites, uses strong passwords, and so on, ad nauseam, and what "security holes" are left? Practically speaking, there are none.
The real threat is people stealing confidential information from computers on networks providing public services. And often, that is accomplished by leveraging weaknesses in network protocols (and specific implementations of those protocols). Once you can pose as another user, a secure operating system is irrelevant, now, isn't it?
And then, of course, criminals use weaknesses in the server-related software itself to do other things. But if you are a home user, all of those threats are pretty much moot. The most someone could do is sniff my Internet traffic, but they can do that regardless. It's up to me not to transmit sensitive information without encryption.
Again, corporations with public services (or transmitting sensitive data) are the real target for that, too. Stolen identities can come in handy...knowing what I ate for lunch or what's my favorite song, not so handy!
Quote:
Just read what happens at the Pwn2Own contests.. the first thing to fall is typically a Flash/Safari/OSX combination.
Technically, that's a software security issue, not OS. But, yes, as far as the end user is concerned, it's the end result that matters. Again, though, this comes down to the user. It's kind of hard to fall victim to a Flash exploit if you don't let your (Firefox-with-NoScript-and-AdBlock Plus) browser load Flash at all.
Quote:
Originally Posted by tekhead2
...in Linux/BSD it will be difficult for the exploit code to make the jump from RAM to hard disk as the Linux and BSD swap spaces are given special permissions and are on separate partitions
And there are so many more technical differences that end users just don't understand. As many high-tech people could post here, that's how many unique examples we could get here! So yes, Linux is inherently far more secure.
FYI, though this has turned into more of a philosophical-technical discussion, I should add to the voices here saying, "There is anti-virus software for Linux." There is even a Linux version of Avast!, though the only practical reason to install it is to avoid spreading Windows viruses to actual Windows machines on your network (for example, by sharing an infected file with them, which doesn't affect your Linux machine).
And I also want to point out that when I said, "no Linux viruses in the wild," I didn't mean that actual Linux viruses don't exist...just that, as far as I know, the only known Linux viruses exist in labs where people created them to test and see if they would even work! (I interpret "in the wild" to mean spread to other people without their consent.)
For best security, keep Java disabled in your browser (it is disabled by default in Firefox 3.6).
I also keep Javascript disabled. I enable Javascript only when I'm visiting a website that requires it.
The idea that a remote website should have the ability to run code on my computer just by visiting the site was... a bad idea. Most browsing requires no more than rendering HTML, PNGs, GIFs, and JPGs.
Ed