Was AntiVirus; Now something Completely Different!

This topic is closed.

    #16
    Originally posted by Teunis
    Full Upgrade, yes that'll be the better English
    Just completed the upgrades.

    Four yesterday, but ten today.

    I believe that they take immediate effect.

    It looks like the best method for handling updates is to wait for notification and then upgrade, rather than constantly checking.

    It reminds me a little of Windows Update that I used to use with Vista.

    Best wishes.

    A
    kubuntu version: 16.04.5 LTS

    Laptop: Toshiba-Satellite-L350



      #17
      Originally posted by Teunis
      There are no viruses out in the wild that can affect a Linux computer.
      Uuhhh... I'd argue that's too strong of a statement. Some malware has targeted Linux, but it's rarely seen in the wild. Much of it targets ELF executable files.

      Nevertheless, because the risk is so low, and the ability to spread is so difficult, I maintain that it's unnecessary to run anti-malware software on a Linux desktop computer.



        #18
        Originally posted by SteveRiley
        Uuhhh... I'd argue that's too strong of a statement. Some malware has targeted Linux, but it's rarely seen in the wild. Much of it targets ELF executable files.

        Nevertheless, because the risk is so low, and the ability to spread is so difficult, I maintain that it's unnecessary to run anti-malware software on a Linux desktop computer.
        From all that I have read, I am left with the impression that anti-virus and anti-malware programmes are unnecessary.

        However, I am still left wondering regarding the use of a firewall. There is a recommended GUI firewall available. Is installation desirable, or, like the AV programmes, unnecessary?

        Regards.
        kubuntu version: 16.04.5 LTS

        Laptop: Toshiba-Satellite-L350



          #19
          No, you don't need a host firewall either. Some time ago I wrote a post here explaining why. I'll look for it later when I'm on my PC.



            #20
            Originally posted by anonprivate
            Just completed the upgrades.

            Four yesterday, but ten today.

            I believe that they take immediate effect.
            Yes they do... except for kernel upgrades and one or 2 others, and you will get a notification of needing a reboot for these.
            Originally posted by anonprivate
            It looks like the best method for handling updates is to wait for notification and then upgrade, rather than constantly checking.

            It reminds me a little of Windows Update that I used to use with Vista.

            Best wishes.

            A
            Ya, if that's what you like... I turn off update notification and just run
            Code:
            sudo apt-get update && sudo apt-get dist-upgrade
            once a week or so, or when I feel like it.

            VINNY
            i7 4core HT 8MB L3 2.9GHz
            16GB RAM
            Nvidia GTX 860M 4GB RAM 1152 cuda cores



              #21
              Nice link Steve! I think this part of it sums up what everyone has been saying nicely:

              Staog
              Shown in: 1996
              Risk Level: low
              Wild Level: low (It has not been detected in the wild since its initial outbreak)
              Platforms: Linux
              Threat Description: Staog was the first virus written specifically for systems running on Linux. The virus operated by exploiting vulnerabilities in the kernel that allowed the virus to stay resident in the memory. While residing in the memory it infected executable binary files. The virus functionality depended upon bugs that were immediately fixed by software upgrade.
              It shouldn't be a normal thing to run antivirus software on a system... if you know there are security bugs in your code you should fix the bugs instead of writing another program to look for people trying to exploit them. You're only stuck with crappy security bugs that you know exist but can't do anything to fix if you're using someone else's proprietary code.

              Here's an analogy, just for fun...

              You live on a street of houses, and nobody locks their doors when they go away. One day your neighbour's house is burgled, and the evidence showed that that person got in through the unlocked door. Someone got a good look at the intruder, so you have a description. Do you a) lock your doors or b) hire someone to sit in your house with a baseball bat and attack people if they look like the burglar?

              If you go for b) your grunt might get it wrong and attack your guests, the intruder could always put on a disguise next time and still come in through the unlocked door, and there's always the possibility that the grunt could be compromised through a vulnerability of his own (blackmail?) and used to break into your house. Oh, and the grunt is a big fellow so he eats lots of your food, and he gets in the way when you're in the house, slowing you down and using up your precious resources!

              samhobbs.co.uk



                #22
                Originally posted by SteveRiley
                No, you don't need a host firewall either. Some time ago I wrote a post here explaining why. I'll look for it later when I'm on my PC.
                Found it:

                https://www.kubuntuforums.net/showth...server-correct
                samhobbs.co.uk



                  #23
                  Originally posted by Feathers McGraw
                  Found it
                  Thanks, Feathers.

                  Originally posted by Feathers McGraw
                  It shouldn't be a normal thing to run antivirus software on a system... if you know there are security bugs in your code you should fix the bugs instead of writing another program to look for people trying to exploit them. You're only stuck with crappy security bugs that you know exist but can't do anything to fix if you're using someone else's proprietary code.
                  It may not be possible always to fix the problem. For example, the OWASP Top 10 list of common web application vulnerabilities is as relevant today as it ever has been. If you purchase a web application, you may not be able to modify the code for contractual reasons. Or if you develop applications for your business, you may not be aware of how to properly code to limit these risks. For this reason, I always urge organizations to place web application firewalls in front of public-facing servers. You've done this yourself, using mod_security.

                  My employer, Riverbed Technologies, sells a web application firewall (it's a pretty decent one, too). Chapter 11 of the Stingray Application Firewall User Guide has a good overview of the common vulnerabilities, threats, and ways to mitigate them. [Note: we've embarked on a product-wide renaming exercise; Stingray is now called SteelApp. I mention this because you'll see references to both names for a while.]



                    #24
                    I'd argue that ModSecurity (or any other WAF) is different to an antivirus because it's looking for general patterns of bad behaviour rather than exploits for specific bugs that you could just fix. I know a lot of the rules were written by learning from previous known exploits, but the point is that the community also fixed the bugs in that software (like the Joomla JCE exploit, which still has bots running around on the internet)... the rule is then there to catch generic "bugs like this" that you don't know exist yet.

                    For example, many of the ModSecurity rules are broad, and look for shell commands in POST data or limit the amount of PCRE allowed, because these are general indicators of naughtiness.
                    samhobbs.co.uk

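The kind of broad rule post #24 describes (looking for shell commands in POST data), as an added example that is not part of the original thread and is not taken from ModSecurity's rule set. The pattern, the size limit and the function name `inspect_post` are assumptions made for this sketch, and the request bodies are constructed.

```python
import re
from urllib.parse import parse_qsl

# Broad indicator (assumption for this sketch): a shell separator or
# command-substitution opener followed by a common command name.
SHELL_HINT = re.compile(
    r"(?:;|\||&&|`|\$\()\s*(?:wget|curl|bash|sh|nc|chmod|cat|rm)\b",
    re.IGNORECASE,
)
MAX_FIELD_LEN = 4096  # assumed cap so one field cannot cost unbounded work


def inspect_post(body):
    """Return (field, reason) findings for a urlencoded POST body."""
    findings = []
    # parse_qsl percent-decodes each value, so the rule sees what the
    # application would see rather than the encoded form on the wire.
    for field, value in parse_qsl(body, keep_blank_values=True):
        if len(value) > MAX_FIELD_LEN:
            findings.append((field, "oversized"))
        elif SHELL_HINT.search(value):
            findings.append((field, "shell-command pattern"))
    return findings


if __name__ == "__main__":
    samples = [  # constructed request bodies
        "name=alice&comment=nice+post",
        "file=report.pdf%3B+wget+http%3A%2F%2Fexample.invalid%2Fx",
        # Harmless prose that still matches: the rule is generic, so it
        # flags the shape of the text, not a specific bug.
        "note=first+run+make%3B+cat+the+log",
    ]
    for body in samples:
        print(body, "->", inspect_post(body))
```

The third sample is ordinary text that trips the rule, which is the false-positive cost of matching general patterns instead of one specific bug.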


                      #25
                      You're right, WAF <> anti-virus. I was responding to your statement, "if you know there are security bugs in your code you should fix the bugs instead of writing another program to look for people trying to exploit them."

                      WAFs exist primarily because people have to run web applications with known bugs and they can't fix the bugs. For example: SQL injection attacks would disappear if all input were validated and the application used only parameterized stored queries to interact with the database. Obviously, people don't do this, and the result is insecure code that can be used to leak information from databases.

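The SQL injection point in post #25, as an added example that is not part of the original thread: the same lookup written with string concatenation and with a parameterized query, run against an in-memory SQLite database. The table, the sample rows and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data, for illustration only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (name TEXT, dept TEXT)")
    db.executemany(
        "INSERT INTO staff VALUES (?, ?)",
        [("alice", "sales"), ("bob", "ops"), ("O'Brien", "ops")],
    )
    return db


def lookup_concat(db, name):
    # 'Before': the input is pasted into the SQL text, so a quote in the
    # input changes the structure of the query.
    sql = "SELECT name, dept FROM staff WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_param(db, name):
    # 'After': the value is bound separately and is only ever data.
    sql = "SELECT name, dept FROM staff WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on a fresh database and return both results."""
    db = make_db()
    try:
        concat = lookup_concat(db, name)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    return concat, lookup_param(db, name)


if __name__ == "__main__":
    # An ordinary name, a legitimate name containing a quote, and a
    # constructed input that rewrites the WHERE clause.
    for value in ("alice", "O'Brien", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

With the concatenated query the last input returns every row and the legitimate name O'Brien fails with a syntax error; the parameterized query returns no rows and the one matching row respectively.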


                        #26
                        I was told once, that the only "true" way to protect one's data is to have it isolated from everything else. A standalone computer that is not connected to anything, and accepts no external input other than from the keyboard by a trusted operator. Even then, the vulnerability is the operator and his/her computer and programming skills.
                        Windows no longer obstructs my view.
                        Using Kubuntu Linux since March 23, 2007.
                        "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                          #27
                          Originally posted by Snowhog
                          I was told once, that the only "true" way to protect one's data is to have it isolated from everything else. A standalone computer that is not connected to anything, and accepts no external input other than from the keyboard by a trusted operator. Even then, the vulnerability is the operator and his/her computer and programming skills.
                          Sounds like a true statement, but the problem is a computer that is isolated from everything has very little utility. So, I guess it's always a trade-off of utility against security, a problem that isn't unique to IT, but applies to pretty much everything worth doing.
                          samhobbs.co.uk



                            #28
                            Originally posted by SteveRiley
                            You're right, WAF <> anti-virus. I was responding to your statement, "if you know there are security bugs in your code you should fix the bugs instead of writing another program to look for people trying to exploit them." WAFs exist primarily because people have to run web applications with known bugs and they can't fix the bugs.
                            I also made the point that you only get this kind of problem if you use programs that are crappy (have known security bugs) that you can't fix (proprietary). If you're using a free software app that has a security hole you'd be better off spending your time fixing it than creating some new app that requires just as much maintenance as the original app.

                            For example: SQL injection attacks would disappear if all input were validated and the application used only parameterized stored queries to interact with the database. Obviously, people don't do this, and the result is insecure code that can be used to leak information from databases.
                            Yes but people don't do it on purpose! You might as well say WAFs exist because humans are fallible and it's useful to have a second line of defence. This is surely different to knowing about a bug and choosing not to fix it.
                            samhobbs.co.uk



                              #29
                              Originally posted by Feathers McGraw
                              Yes but people don't do it on purpose! You might as well say WAFs exist because humans are fallible and it's useful to have a second line of defence. This is surely different to knowing about a bug and choosing not to fix it.
                              Ah, the idealism of youth. When you grow up, Feathers (tee hee), you'll surely encounter situations like the following:
                              1. For reasons beyond your control, your organization has standardized on $THIRD_PARTY_WEB_APP
                              2. This application must be made available over the Internet, even though it requires authentication (scenario: traveling employees/partners)
                              3. The provider of this application contractually prohibits you from modifying the code -- even though it's plain HTML on the server
                              4. The provider is slow to fix bugs

                              So, Mr. Smartypants, whatyagonnado?



                                #30
                                Yeah, fair enough...

                                I suppose the key thing is that when it's a business decision, not personal, you can't just choose a sensible selection of apps, some MBA makes that decision for you... so you probably end up with the shiniest one, or the one whose company can afford "hospitality".

                                As for the business case, the guy in that video you posted was right... companies should have a legal obligation to fix security bugs when they are disclosed... or open the source and let users do it (this doesn't necessarily mean making it freely distributable). Not doing so is negligent.
                                samhobbs.co.uk
