This is quite interesting

    #46
    Re: This is quite interesting

    I'm by no means an expert in these things, but from what I have read, is this the chronology?

    A co-founder of scio security http://www.linkedin.com/companies/scio-security

    discovers a flaw in Ubuntu and puts it on Twitter at 6.42am on 8th July. I assume he also previously told Ubuntu about it, but I can't see anything like that. I assume he's done that to drum up business of some sort.

    The H then reports that the patch had "already" been released (apparently the previous day, when I got it by automatic update). https://lists.ubuntu.com/archives/ub...ly/001117.html

    Yes, it seems a good illustration that there can be vulnerabilities in Ubuntu, but in publishing it after it's been fixed, doesn't it mean that particular horse has probably already bolted? Alternatively, isn't it also a good illustration of how quickly these things get fixed?

    No doubt you will correct me if I'm wrong, but doesn't the use of ssh mean the attacker has to have achieved remote login first?

    Comment


      #47
      Re: This is quite interesting

      Originally posted by The Liquidator
      I'm by no means an expert in these things, but from what I have read, is this the chronology?

      A co-founder of scio security http://www.linkedin.com/companies/scio-security

      discovers a flaw in Ubuntu and puts it on Twitter at 6.42am on 8th July. I assume he also previously told Ubuntu about it, but I can't see anything like that. I assume he's done that to drum up business of some sort.

      The H then reports that the patch had "already" been released (apparently the previous day, when I got it by automatic update). https://lists.ubuntu.com/archives/ub...ly/001117.html

      Yes, it seems a good illustration that there can be vulnerabilities in Ubuntu, but in publishing it after it's been fixed, doesn't it mean that particular horse has probably already bolted? Alternatively, isn't it also a good illustration of how quickly these things get fixed?

      No doubt you will correct me if I'm wrong, but doesn't the use of ssh mean the attacker has to have achieved remote login first?

      Discovered and reported are two different things that occur at two different points in time. It was discovered, and a patch was released before the exploit in this case, but you can't make the assumption that everyone in the world will have the patch installed immediately. (This is true no matter which OS we are discussing.) You also make the assumption that this security person is the first to discover it, which may or may not be true. You don't necessarily need ssh; you can bundle it with another exploit or mask it in a script as a Trojan horse.

      My point this whole time is that all operating systems are vulnerable to some degree, this is just supporting evidence.
      Don't blame me for being smarter than you, that's your parent's fault.

      Comment


        #48
        Re: This is quite interesting

        As I say, I don't claim to be an expert in these things, which can sometimes make it difficult to differentiate facts from technobabble. I agree with you that no computer is immune: everything about it is man-made, and man is imperfect, and above all the weakest link is the nut holding the keyboard.

        I'm not doubting what you say in any way, shape or form. As an aside, recognising there will be people who haven't updated their system, and are thus potentially vulnerable, I'm not sure whether I would want to employ a security firm whose co-founder elects to broadcast the exploit, and explains how to do so, on Twitter, although one can see what he's trying to achieve.

        http://sciosecurity.com/

        Comment


          #49
          Re: This is quite interesting

          Originally posted by The Liquidator
          the weakest link is the nut holding the keyboard.
          I thought that was worth repeating. Millions of users have been "raised" by Windows without any sense of security. Now as Windows tries to tighten up, the users will continue to be frustrated for some time. I don't think it will matter how pretty the warning dialogs are. I remember my first few months on Linux, and I was always getting stumped by some permissions problem.
          FKA: tanderson

          Comment


            #50
            Re: This is quite interesting

            But don't forget how Windows users and power users claimed they were angry because Vista asked them to enter their admin password quite often. How many people looked for a solution online to disable that feature, or just found it and disabled it in their system settings window? Like it or not, Linux won't ever allow you to do that just because someone felt it was unnecessary. That makes me trust Linux more than Windows, but it's not the only reason why I do so.

            I know there was an OOo exploit that would affect any user using any OS, but did all versions of OOo include that nasty bug that could be exploited? That's something I'd like to know before we think it's always necessary to upgrade your apps and not stay where you are, or even downgrade your installation packages.
            Multibooting: Kubuntu Noble 24.04
            Before: Jammy 22.04, Focal 20.04, Precise 12.04, Xenial 16.04 and Bionic 18.04
            Win XP, 7 & 10 sadly
            Using Linux since June, 2008

            Comment


              #51
              Re: This is quite interesting

              Originally posted by The Liquidator

              above all the weakest link is the nut holding the keyboard.
              That sounds right to me, too.

              I also have pretty close to zero expertise on the subject of computer security. But, when I contemplate the possibility of something bad happening to my Linux systems, my thoughts drift to those elite characters who are entrusted with entering packages into our repositories. Am I crazy, or if one of those folks goes off the deep end and decides to screw us all, could we find ourselves apt-get dist-destroying our system?

              Comment


                #52
                Re: This is quite interesting

                I think about that too, dibl. There are some weak points, security-wise. Still, it's amazing how much you really can trust most people. What you say just proves that the world is not as bad as some people would make out.

                Comment


                  #53
                  Re: This is quite interesting

                  Originally posted by kyonides
                  I know there was an OOo exploit that would affect any user using any OS, but did all versions of OOo include that nasty bug that could be exploited? That's something I'd like to know before we think it's always necessary to upgrade your apps and not stay where you are, or even downgrade your installation packages.
                  I've always wondered about what is worse, a security exploit or a really broken computer? Apart from stolen banking information, I would say that a broken computer is the worse. Now what that means is that one shouldn't always upgrade, because along with the upgrades come changed packages which often break the system.

                  BTW: That exploit which was broadcast on Twitter is a bit suspect to me. For one thing, the security company didn't bother to mention what systems were affected, using only the word "Ubuntu". Well, what's that supposed to mean!? Ubuntu "what"? As a reality check, I looked at some "Ubuntu" systems here and only one out of three had that file on them. To me the report comes off as trolling.

                  Comment


                    #54
                    Re: This is quite interesting

                    Originally posted by Ole Juul
                    I've always wondered about what is worse, a security exploit or a really broken computer? Apart from stolen banking information, I would say that a broken computer is the worse.
                    It can also result in the complete destruction of your real life. People have lost their homes, businesses, and families have been broken apart because they encountered crooks over the Internet. There are some extreme but rather obscure cases I could cite, but digging all that information up would take some time.
                    Welcome newbies!
                    Verify the ISO
                    Kubuntu's documentation

                    Comment


                      #55
                      Re: This is quite interesting

                      I would suggest that this thread has been one of the most controversial and dynamic threads in the history of this forum, but am pleased that it has now swung back into one of positive debate.

                      The question the thread raises, Linux security, however, has the potential to affect all of us no matter what level of experience we have, and I question whether it's reached the stage where we trivialise it by keeping it in social/casual.

                      Let's get real here, we are not immune to the online threats that exist today, so let's deal with those issues calmly.

                      Perhaps a new thread (or section) could be set up under security or some other heading, so that any newcomers can be advised that, contrary to what they may have heard, they are not immune to online threats, and the practical steps they can take to avoid them can be identified.

                      The reason I say this is that an element of newcomers will join us in the belief that they are immune from malware, whereas they are not. If a realistic checklist of steps that can be wisely taken is available, that can only help here. It would certainly help me.

                      Any thoughts, everyone?

                      Comment


                        #56
                        Re: This is quite interesting

                        That sounds like a great idea, Liquidator -- thanks!

                        I would say a "Security Knowledge Base" forum, with factual information about real threats to Linux systems, would be a useful addition to this site.


                        I'd be happy to skip the accusatory rhetoric and personal integrity challenges, BTW.

                        Comment


                          #57
                          Re: This is quite interesting

                          This thread has indeed been a wild ride.

                          I agree that a special forum for security could be useful - especially if it is kept to what dibl suggests:
                          factual information about real threats to Linux systems
                          I know there can be different opinions about what is "factual" because a lot of theory always creeps in, however this is an unusually civilized site, so I'm sure we can do it.

                          Comment


                            #58
                            Re: This is quite interesting

                            Originally posted by Ole Juul
                            I know there can be different opinions about what is "factual" because a lot of theory always creeps in, however this is an unusually civilized site, so I'm sure we can do it.
                            Yes we can, but only if we're willing to keep our debates factual and civil.
                            Welcome newbies!
                            Verify the ISO
                            Kubuntu's documentation

                            Comment


                              #59
                              Re: This is quite interesting

                              Originally posted by The Liquidator
                              I would suggest that this thread has been one of the most controversial and dynamic threads in the history of this forum, but am pleased that it has now swung back into one of positive debate.
                              I swear I didn't mean it to be so controversial.

                              The question the thread raises, Linux security,
                              The original topic of this thread was not security. The original topic was more about user expectations, especially as they relate to the exchange linked in post #1 of this thread. Security is a related issue, though, because the bugs and lack of package maintenance which the OP of that thread complained about can sometimes become exploitable vulnerabilities. This thread was quickly dragged off into the security debate by some very polarizing opinions, which I believe led some to become more reactionary and less thoughtful in their comments.

                              Let's get real here, we are not immune to the online threats that exist today, so let's deal with those issues calmly.
                              +1

                              Perhaps a new thread (or section) could be set up under security or some other heading, so that any newcomers can be advised that, contrary to what they may have heard, they are not immune to online threats, and the practical steps they can take to avoid them can be identified.
                              +1

                              The reason I say this is that an element of newcomers will join us in the belief that they are immune from malware, whereas they are not. If a realistic checklist of steps that can be wisely taken is available, that can only help here. It would certainly help me.
                              Generally speaking Linux desktop users are more likely to fall victim to phishing or man-in-the-middle attacks than an actual virus, but that does not mean it is impossible.

                              Someone already mentioned the IRC daemon which was compromised at its primary distribution site. Gentoo shipped the compromised daemon to its users. It would not have happened if the binaries had been signed and if the distribution site had included an MD5 hash of the original file.

                              Originally posted by dibl
                              I'd be happy to skip the accusatory rhetoric and personal integrity challenges, BTW.
                              Yes, yes, by all means! However if someone makes a statement which is provably false then I don't think providing the evidence of falsehood should be considered accusatory rhetoric. We definitely don't need this fine community polluted with personal attacks. Our goal should be to inform users with the facts as best we understand them.
                              Welcome newbies!
                              Verify the ISO
                              Kubuntu's documentation

                              Comment
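The mitigation Telengard describes for the compromised IRC daemon (a published checksum for the release, so that a tampered download can be detected) is easy to show in working code. The example below is added here and is not from the forum or from any distribution's tooling. It constructs a sample "release" and a tampered copy, publishes a checksum line in the `<hex>  <filename>` format that `sha256sum` writes, and checks a download against it. It uses SHA-256 rather than the MD5 mentioned in the post, which is an editorial choice: MD5 collisions are practical today, so a modern release checklist would publish SHA-256 sums. The file contents and the filename `ircd-1.0.tar.gz` are constructed placeholders.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample: the bytes the maintainer actually released (not a real tarball).
ORIGINAL_TARBALL = b"ircd source release 1.0 (constructed sample, not a real tarball)\n"

# Constructed sample: the same download after someone altered it on the mirror.
TAMPERED_TARBALL = ORIGINAL_TARBALL + b"# extra bytes standing in for a modification\n"


def sha256_hex(data: bytes) -> str:
    """Hex digest of the file contents, the same value `sha256sum` prints."""
    return hashlib.sha256(data).hexdigest()


# The checksum the project would publish, in `sha256sum` format. For the check
# to mean anything this text must come from a channel the mirror operator does
# not control (the project's own site over TLS, a signed announcement, etc.);
# a checksum stored next to the file on the same compromised mirror can be
# rewritten along with the file.
PUBLISHED_SHA256SUMS = f"{sha256_hex(ORIGINAL_TARBALL)}  ircd-1.0.tar.gz\n"


def parse_sums(text: str) -> Dict[str, str]:
    """Parse `<hex>  <filename>` lines as written by sha256sum into a dict."""
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        # A leading '*' marks binary mode in coreutils output; it is not part of the name.
        name = name.lstrip("*")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums


def verify_download(name: str, data: bytes, sums_text: str) -> bool:
    """Return True only if `data` matches the published digest for `name`.

    An unknown filename is a failure, not a pass: a file the project never
    listed has no checksum to vouch for it.
    """
    sums = parse_sums(sums_text)
    if name not in sums:
        return False
    # Constant-time comparison; harmless here but the right habit for digests.
    return hmac.compare_digest(sha256_hex(data), sums[name])


if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL_TARBALL), ("tampered", TAMPERED_TARBALL)):
        ok = verify_download("ircd-1.0.tar.gz", blob, PUBLISHED_SHA256SUMS)
        print(f"{label}: {'OK' if ok else 'CHECKSUM MISMATCH'}")
```

Run stand-alone, the original copy verifies and the tampered copy is rejected. The checksum only proves the bytes match what the checksum's author saw, which is why the post also calls for signed binaries: a signature over the release (or over the SHA256SUMS file itself) ties that value to the maintainer's key instead of to whichever server happened to host it.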


                                #60
                                Re: This is quite interesting

                                Originally posted by Telengard
                                ...I don't think providing the evidence of falsehood should be considered accusatory rhetoric. We definitely don't need this fine community polluted with personal attacks. Our goal should be to inform users with the facts as best we understand them.
                                Well stated, and I'm in full agreement.
                                Using Kubuntu Linux since March 23, 2007
                                "It is a capital mistake to theorize before one has data." - Sherlock Holmes

                                Comment
