Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
There are tons of definitions on the internet and there are a lot of threads in these forums that offer some interpretation....what value do they offer the OP, though?
I've already given what I thought the OP needed, just as everyone else here. If you ask a security-focused person their opinion on Linux vulnerabilities, you're going to be asking for a mouthful...it is upon the reader on how much and what he takes from that mouthful that he may consider valuable...it's almost like asking for thoughts on religion and the discussion is bound to be heated.
I'm not a developer. I'm not a Linux advocate. I'm not a Windows advocate. I use Linux. I use Windows. I will recommend what I feel is necessary to get the job done. My advice sometimes 'goes against the grain'. This type of advice has rocked zealots' minds to the core before. I'm a professional security consultant. I've seen Linux machines cracked via vulnerable application vectors in my line of work. In my view, Linux is not invulnerable and I'll not compare to Windows just to make Linux vulnerabilities seem less impacting. To mention that Linux applications are sometimes vulnerable (due to coding or PEBKAC issues) is not admitting anything wrong.
In the end, please send negativity to /dev/null and keep the OP's questions in mind. If we can both agree to disagree, things are probably cool...but all I really care about is giving the OP a good, clear and concise yet accurate answer to his question...my feedback was directed at him, not evilDagmar.
One must keep in mind, also, that while there aren't many Linux viruses, etc. today, with the current growth rate of the Linux user base, tomorrow things can change rather quickly. No OS is completely bullet-proof, and I'd never give anyone the impression that Linux can never be infiltrated.
"A poorly maintained Linux system can be more vulnerable than an updated Windows PC."
(unknown author)
The term vector is derived from the biological term. It's the means by which something (presumably bad) is carried toward something else. For example, if a company's LAN server gets cracked because a LAN client's browser ran into some really evil JavaScript code, then it could be said that the browser was the attack vector. The browser allowed the cracker to execute code on the LAN client, which then allowed him to attack the LAN server from within the LAN itself (and behind the router/firewall).
Quote:
The term vector is derived from the biological term. It's the means by which something (presumably bad) is carried toward something else. For example, if a company's LAN server gets cracked because a LAN client's browser ran into some really evil JavaScript code, then it could be said that the browser was the attack vector. The browser allowed the cracker to execute code on the LAN client, which then allowed him to attack the LAN server from within the LAN itself (and behind the router/firewall).
Thanks, that makes sense. So when UnixFool used the term, preceding it with "vulnerable" was redundant then, right? I mean, it sounds like a vector is inherently a vulnerability (in fact apparently a multifaceted set of vulnerabilities).
Not trying to nitpick or anything.. I'm just hearing the term in the network security context for the first time.
Quote:
Thanks, that makes sense. So when UnixFool used the term, preceding it with "vulnerable" was redundant then, right? I mean, it sounds like a vector is inherently a vulnerability (in fact apparently a multifaceted set of vulnerabilities).
Not trying to nitpick or anything.. I'm just hearing the term in the network security context for the first time.
I can't speak for unixfool, so it's best if I let him elaborate on what exactly he meant. But regarding whether a vector is always a vulnerability, I don't think that is the case. For example, let's look at the JavaScript drive-by attack which made headlines last year. In that case, the browser was/is the vector, yet the attack didn't exploit any actual vulnerabilities on the browser, it only used the browser as a means to gain code execution rights on the LAN side, and that's pretty much the way JavaScript is designed to work. The vulnerability was on the consumer-grade routers with unchanged default passwords.
In molecular biology, a vector is any vehicle used to transfer foreign genetic material to another cell.
The vector itself is generally a DNA sequence that consists of an insert (transgene) and a larger sequence that serves as the "backbone" of the vector. The purpose of a vector to transfer genetic information to another cell is typically to isolate, multiply, or express the insert in the target cell. Vectors called expression vectors (expression constructs) specifically are for the expression of the transgene in the target cell, and generally have a promoter sequence that drives expression of the transgene. Simpler vectors called transcription vectors are only capable of being transcribed but not translated: they can be replicated in a target cell but not expressed, unlike expression vectors. Transcription vectors are used to amplify their insert.
IOW, the 'vector' is not necessarily a bad thing, nor does it always allow the transfer of bad things. You just hear it used more often in that context.
Quote:
I can't speak for unixfool, so it's best if I let him elaborate on what exactly he meant. But regarding whether a vector is always a vulnerability, I don't think that is the case. For example, let's look at the JavaScript drive-by attack which made headlines last year. In that case, the browser was/is the vector, yet the attack didn't exploit any actual vulnerabilities on the browser, it only used the browser as a means to gain code execution rights on the LAN side, and that's pretty much the way JavaScript is designed to work. The vulnerability was on the consumer-grade routers with unchanged default passwords.
Yes, this is what I meant, though you probably worded things better.
I also agree with your explanation of a vector not always being a vulnerability.
Quote:
Originally Posted by unixfool
There are tons of definitions on the internet and there are a lot of threads in these forums that offer some interpretation....what value do they offer the OP, though?
In theory, they offer factual correctness. Or at least, I do. What you said is simply wrong.
Quote:
Originally Posted by unixfool
I've already given what I thought the OP needed, just as everyone else here. If you ask a security-focused person their opinion on Linux vulnerabilities, you're going to be asking for a mouthful...it is upon the reader on how much and what he takes from that mouthful that he may consider valuable...it's almost like asking for thoughts on religion and the discussion is bound to be heated.
Your problem is that I am a "security-focused" person. Among other things, this means I pay close attention to security advisories, statistical analysis of malicious activity on the net, and generally don't like it when people start preaching panic and fear based on factual inaccuracies like claiming Linux viruses are not far in the minority.
Quote:
Originally Posted by unixfool
I'm not a developer. I'm not a Linux advocate. I'm not a Windows advocate. I use Linux. I use Windows. I will recommend what I feel is necessary to get the job done. My advice sometimes 'goes against the grain'. This type of advice has rocked zealots' minds to the core before. I'm a professional security consultant. I've seen Linux machines cracked via vulnerable application vectors in my line of work. In my view, Linux is not invulnerable and I'll not compare to Windows just to make Linux vulnerabilities seem less impacting. To mention that Linux applications are sometimes vulnerable (due to coding or PEBKAC issues) is not admitting anything wrong.
Except that's not what you were saying. You were saying something else entirely, and now you're trying to substitute a lot of pleasant talk for actually being accurate. I can guarantee you that at the end of the day, people would rather have accuracy over a bunch of made-up nonsense, however pleasant it may sound.
Quote:
Originally Posted by unixfool
In the end, please send negativity to /dev/null and keep the OP's questions in mind. If we can both agree to disagree, things are probably cool...but all I really care about is giving the OP a good, clear and concise yet accurate answer to his question...my feedback was directed at him, not evilDagmar.
Learn the difference between facts and fantasy. Facts are what I deal in. Fantasy is what you've been posting. There's no "agree to disagree" here because you've been saying entirely incorrect things, I've been calling them what they are, and then you seem to think you should follow up with something completely unrelated.
...and yes, I am rather well-known for being entirely intolerant of people spreading misinformation. If you don't like it, stop posting fairy-tales in a tech forum. Claiming that Linux viruses aren't far in the minority is just so divorced from reality it makes my head ache just to think about it.
Post Scriptum: Everyone thinking that "playing nice" might be more important than "providing correct information" should probably take a look at the following rant someone else wrote, since it seems rather apropos at this moment: http://www2.apebox.org/wordpress/rants/5/
...and why is this a problem, some of those of you who are newer to thinking about security strategically may be thinking? It's a problem because security models are based on providing balanced responses to threats based on their likelihood and their severity. Someone convinced that the internet is positively crawling with viruses that target Linux is likely to waste a bunch of their time trying to figure out virus scanners (which have notably few signatures for Linux viruses, hint hint) instead of paying attention to the important things that actually are the prevalent vectors for attack, like unsecured access mechanisms, badly chosen and/or easily guessable passwords, outdated PHP applications, and network-enabled services accessible by hosts that have no need of those services (like allowing the whole world to ssh into their machines). Reading iptables documentation to figure out how to implement the principle of least privilege is going to be a far more effective use of time than reading the documentation on Trend Micro's linux client.
Last edited by evilDagmar; 03-10-2008 at 06:10 AM.
Reason: Calling me a "forum nazi" == you lose. http://en.wikipedia.org/wiki/Reductio_ad_Hitlerum
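The least-privilege firewall the post above points at, as an added example that is not part of the thread or anyone's post in it: a POSIX shell function that emits an iptables INPUT ruleset with a default DROP policy and admits new TCP connections only on the listed ports and only from the LAN prefix you pass in. The 192.168.1.0/24 prefix and the port numbers in the usage line are constructed values; the thread names none. The function prints the commands instead of applying them so the result can be reviewed first; run the output as root from a console session rather than over SSH, since a mistyped prefix would cut off remote access.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (does not apply) an iptables
# ruleset that applies least privilege to inbound traffic: default DROP,
# loopback and already-established flows allowed, new TCP connections only on
# the given ports and only from the LAN prefix. Everything else is logged
# (rate-limited) and then dropped by the chain policy.
#
# Usage: build_rules <lan-cidr> [port ...]      (ports default to 22, SSH)
#        build_rules 192.168.1.0/24 22 | sh     # as root, from the console
#        (192.168.1.0/24 is a constructed sample prefix)

build_rules() {
  lan="$1"
  # Accept only a dotted-quad prefix with a mask length; anything else is
  # refused rather than interpolated into a rule.
  case "$lan" in
    [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
    *) echo "build_rules: '$lan' is not a dotted-quad CIDR prefix" >&2; return 1 ;;
  esac
  shift
  if [ "$#" -eq 0 ]; then
    set -- 22
  fi
  for port in "$@"; do
    case "$port" in
      ''|*[!0-9]*) echo "build_rules: '$port' is not a TCP port" >&2; return 1 ;;
    esac
  done

  # Flush INPUT and set the policies first, so that anything not matched by
  # a rule below is dropped rather than accepted.
  cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
  # One ACCEPT per service, restricted to the LAN prefix. A service the rest
  # of the world has no need of never gets a world-facing rule.
  for port in "$@"; do
    echo "iptables -A INPUT -p tcp --dport $port -s $lan -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Log what the policy is about to drop, so probes show up in the syslog
  # without letting a flood fill the disk.
  echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4'
}

# Only emit rules when invoked with arguments, so sourcing the file is inert.
if [ "$#" -gt 0 ]; then
  build_rules "$@"
fi
```

Adding a service means adding a port to the argument list, not opening it to every source; a service that genuinely must be reachable from the internet gets its own deliberate rule rather than a widening of this one.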
Some things depend on you.
But default Ubuntu 7.10 is pretty safe.
Don't worry.
Internet offers information and patches to make it even safer, how ironic.
Don't fear the INTERNET
It is BAD BAD BAD to assume that there are very few trojans that affect Linux.
This is a really really *really* good point. I see a lot of people posting "You don't need to worry about viruses on linux :P", and every time I see it, it makes my skin crawl and I get the urge to correct them by adding a big fat YET to the end of that sentence.
It's a really dangerous attitude. It's only a matter of time. Linux is not the magic bullet of operating system security. It has the same possibility of exploit that any other OS has. The difference is the authors of OSS are (generally) more willing to acknowledge stuff, take it seriously, and patch it quickly. It's a matter of pride in a developer. If I have a bug, in my software, I want to be the one that patches it, so I'll do it quickly before someone does it for me and starts posting about how lazy or security irreverent I am.
All linux needs is the attention of people that can exploit it. That will come with market share as the market share rises. In fact the same openness that enables researchers to find and fix bugs will allow the crackers to find the stuff the researchers miss. They are, after all, just people.
Malware and virus people like to aim at targets that provide the largest number of users. When linux adoption has reached the point where it's interesting to them, the floodgates will open. When this happens you will pay a steep price for bad habits and bad security philosophy based on "there's no viruses on linux :P"
Please get out of the habit of thinking like this, and start adding a "yet" to the end of this sentence.
Quote:
Originally Posted by rg.viza
This is a really really *really* good point. I see a lot of people posting "You don't need to worry about viruses on linux :P", and every time I see it, it makes my skin crawl and I get the urge to correct them by adding a big fat YET to the end of that sentence.
Well, quell the urge. Windows is probably going to have to die out before Linux viruses get out of the minority group. These people want to know what's a threat to them at present. Bringing "yet" into it is expanding the subject unnecessarily.
Quote:
Originally Posted by rg.viza
It's a really dangerous attitude. It's only a matter of time. Linux is not the magic bullet of operating system security. It has the same possibility of exploit that any other OS has. The difference is the authors of OSS are (generally) more willing to acknowledge stuff, take it seriously, and patch it quickly. It's a matter of pride in a developer. If I have a bug, in my software, I want to be the one that patches it, so I'll do it quickly before someone does it for me and starts posting about how lazy or security irreverent I am.
All linux needs is the attention of people that can exploit it. That will come with market share as the market share rises. In fact the same openness that enables researchers to find and fix bugs will allow the crackers to find the stuff the researchers miss. They are, after all, just people.
You seem to forget that part of the reason Linux is doing so well now is that it definitely had the attention of these people all through the 90's. It's still got the attention of people who can exploit it, it's just that the criminals are busy making a huge splash running amok on the low-hanging fruit out there (i.e., the Windows machines). With respect to being a secure operating system, Microsoft has spent half their time fooling around with the "everyone is allowed to do anything to the system" security model, and they're still playing catch-up because of it.
Quote:
Originally Posted by rg.viza
Malware and virus people like to aim at targets that provide the largest number of users. When linux adoption has reached the point where it's interesting to them, the floodgates will open. When this happens you will pay a steep price for bad habits and bad security philosophy based on "there's no viruses on linux :P"
Your premises fail utterly to support your conclusion, and your conclusion itself is flawed.
Quote:
Originally Posted by rg.viza
Please get out of the habit of thinking like this, and start adding a "yet" to the end of this sentence.
No. By what vague criteria you're citing, one could add a "yet" to the end of practically every sentence, up to and including "You should not be afraid of having your soft tissues eaten in a dark alley by renegade cyborgs".
Preaching paranoia fails. Some things are a threat to Linux at the moment, others are not. Viruses are way down on the list. Users not bothering to implement any kind of access controls, users using horrible passwords, users failing to keep software up to date, users giving accounts to people they shouldn't, users not making backups, users failing to try and learn about the security model that's in place already--these things are a far greater threat at the moment, and whatever security model people form now should be focused on the threats of now and not possible threats of the distant future because unless time-travellers assault your network, these things are not currently a threat.
Last edited by evilDagmar; 03-16-2008 at 04:15 AM.