Discussion on:
View:
Show:
Lowes home improvement warehouses? However, most people who work there never even heard of Linux anyway.
dayjob = Windows, but it's not my choice and I need Excel supported functions
home = rarely Windows and only for gaming these days, the rest of the time, all routers, servers and workstations run non-Windows.
contract = not windows but it's network, server and security related and is my choice
There are more using non-Windows/non-Apple desktops than you might think.
If you meant "at work" then that list is likely much shorter depending on the industry.
home = rarely Windows and only for gaming these days, the rest of the time, all routers, servers and workstations run non-Windows.
contract = not windows but it's network, server and security related and is my choice
There are more using non-Windows/non-Apple desktops than you might think.
If you meant "at work" then that list is likely much shorter depending on the industry.
the article was almost completely devoid of useful information, most of it was pointless, wrong or misleading information. About the only worthwhile one was to use a decent password!
If you're intent on being, at best, destructive or at worst, offensive, some elaboration of the reasons for your outrage would be useful to to the rest of us - unenlightened ignoramuses though we may be.
We have been lead to believe that it is secure and unhackable without any work by some. I have read countless posts on this very site.
I don't need a firewall
I don't need a virus scanner
I'm totally safe beacusae I run.....
Perhaps these peiople would care to add something now....
I don't need a firewall
I don't need a virus scanner
I'm totally safe beacusae I run.....
Perhaps these peiople would care to add something now....
And most die-hard fans (of any thing) demonstrait that by ignoring reality.
You'll also notice that those same discussions usually include many long time Linux and BSD users pointing out that no OS is bulletproof and no software is bug free.
Granted, in the Unix world, a breach is more often due to misconfiguration versus other systems where the majority of breaches are through software flaws.
Now, on average the posix inspired systems do present a higher potential for security and higher default security. Each distribution is a different OS that should be considered seporately though as there are examples of good and bad just like good and bad examples of indavidual programs exist.
As for the three bragging rights starters you provide:
I don't need a [third party] firewall ...
because the built in one is locked by default and is designed with security in mind from the ground up. (anyone saying they don't need a firewall on any network connected OS should be considered suspect)
I don't need a virus scanner ...
Well, that's just silly and anyone preaching as much as an advantage needs to reconsider. Mind you, the AV is 99% there to protect any Windows machines which I may be sending email or other data too.
(If all one cared about was there own machine then there is currently a very low threat for a Linux/BSD based system without AV. I don't gamble on it but other's are free too.)
I'm totally safe because I run ...
This one I haven't seen. People claiming that there OS makes them bulletproof usually go into more technical detail about what makes it so rather than just talking in general; excluding the Cult of Apple who are bulletproof purely for owning Apple products of course.
But it was nice of you to take the opertunity too try and bash people for having different preferences.
You'll also notice that those same discussions usually include many long time Linux and BSD users pointing out that no OS is bulletproof and no software is bug free.
Granted, in the Unix world, a breach is more often due to misconfiguration versus other systems where the majority of breaches are through software flaws.
Now, on average the posix inspired systems do present a higher potential for security and higher default security. Each distribution is a different OS that should be considered seporately though as there are examples of good and bad just like good and bad examples of indavidual programs exist.
As for the three bragging rights starters you provide:
I don't need a [third party] firewall ...
because the built in one is locked by default and is designed with security in mind from the ground up. (anyone saying they don't need a firewall on any network connected OS should be considered suspect)
I don't need a virus scanner ...
Well, that's just silly and anyone preaching as much as an advantage needs to reconsider. Mind you, the AV is 99% there to protect any Windows machines which I may be sending email or other data too.
(If all one cared about was there own machine then there is currently a very low threat for a Linux/BSD based system without AV. I don't gamble on it but other's are free too.)
I'm totally safe because I run ...
This one I haven't seen. People claiming that there OS makes them bulletproof usually go into more technical detail about what makes it so rather than just talking in general; excluding the Cult of Apple who are bulletproof purely for owning Apple products of course.
But it was nice of you to take the opertunity too try and bash people for having different preferences.
2. hiding files and folders as a quick fix
9. Use a nonstandard desktop
True. Pure obfuscation. In the first case, it's great for managing files and folders but "ls -a" is around the second command most people learn so they can find tehre .config files.
In the case of #9, If a different UI allows one to work more efficiently with there machine they great; not security but improved interaction is good too. The real value is using something like Afterstep where it is easy to code a user's program menu in a single config file. Don't allow a cli terminal to be run from the UI menus or key commands and make sure crtl-alt-back dumps you back to the login rather than a cli.
On there own and relying on obfuscation; these are both nothing more than stage magic tricks. Most people responding did point out those two though so I'm not going to hold one writters talking points against the greater community.
9. Use a nonstandard desktop
True. Pure obfuscation. In the first case, it's great for managing files and folders but "ls -a" is around the second command most people learn so they can find tehre .config files.
In the case of #9, If a different UI allows one to work more efficiently with there machine they great; not security but improved interaction is good too. The real value is using something like Afterstep where it is easy to code a user's program menu in a single config file. Don't allow a cli terminal to be run from the UI menus or key commands and make sure crtl-alt-back dumps you back to the login rather than a cli.
On there own and relying on obfuscation; these are both nothing more than stage magic tricks. Most people responding did point out those two though so I'm not going to hold one writters talking points against the greater community.
1. absolutely. Locking your screen and logging out is a must even for the Windwos world (crtl+alt+del -> k = lockscreen).
Obfuscation is hiding something and hoping that no one will find it. Security is being able to leave that thing in plain view and know that no one is able to compromise it in a reasonable amount of time.
2. This is obfuscation not security. You hide your files and "hope" that your co-workers and boss don't find them. This is a good tip keeping files from accidental deletion or keeping your directory clean by keeping non-user related files out of default view. I wouldn't include this as a security item with any confidence though.
3. Good password are hard to come by but something like Keepass/KeepassX helps a great deal and has a nifty generater built in.
4. gnutella does well as a file sharing client but if this list is for the work place, users shouldn't be able to install it anyhow.
5. updates are great; daily even. In the FOSS world, updates are an indication of continued activity in the project and further evolution of the program. The GUI package managers make it easy or a single command at the cli makes it even easier.
6. AV is always a must for my installs for the very reason you mention; My machines play with the Windows machiens in the schoolyard and I don't want them passing on anything they may pickup from a Windows kid.
7. I haven't isntalled SELinux so my experience is limited but if your going to install a SELinux strapped distro then use the thing. Don't be an average user and disable all your security because it's not convenient for you to configure it on your system.
8. Partitions; Always. At minimum, a root / and a /home. More ideally, a root /, /var, /home, /tmp. If you want to get fancy, also include a /boot, /var/www, /var/ftp, /var/log (but now I'm just going overboard). But, at minimum, seporate your /home from your root /.. you'll have the freedom to install your OS without killing your user config and data any time.
9. This I've considered but have never had reason to do yet. If your DE config is part of your restrictions enforcement then there is a whole range of highly configurable window managers to choose from.
10. This applies to any computer; if you don't need the program installed, why is it there? If you have to install the program but don't actually need it, why is it running? On *nix platforms, if you are going to run deamons then also make use of hosts.deny and hosts.allow or your equivalent along with the recommended inetd.conf changes.
But that's just my two cents..
Obfuscation is hiding something and hoping that no one will find it. Security is being able to leave that thing in plain view and know that no one is able to compromise it in a reasonable amount of time.
2. This is obfuscation not security. You hide your files and "hope" that your co-workers and boss don't find them. This is a good tip keeping files from accidental deletion or keeping your directory clean by keeping non-user related files out of default view. I wouldn't include this as a security item with any confidence though.
3. Good password are hard to come by but something like Keepass/KeepassX helps a great deal and has a nifty generater built in.
4. gnutella does well as a file sharing client but if this list is for the work place, users shouldn't be able to install it anyhow.
5. updates are great; daily even. In the FOSS world, updates are an indication of continued activity in the project and further evolution of the program. The GUI package managers make it easy or a single command at the cli makes it even easier.
6. AV is always a must for my installs for the very reason you mention; My machines play with the Windows machiens in the schoolyard and I don't want them passing on anything they may pickup from a Windows kid.
7. I haven't isntalled SELinux so my experience is limited but if your going to install a SELinux strapped distro then use the thing. Don't be an average user and disable all your security because it's not convenient for you to configure it on your system.
8. Partitions; Always. At minimum, a root / and a /home. More ideally, a root /, /var, /home, /tmp. If you want to get fancy, also include a /boot, /var/www, /var/ftp, /var/log (but now I'm just going overboard). But, at minimum, seporate your /home from your root /.. you'll have the freedom to install your OS without killing your user config and data any time.
9. This I've considered but have never had reason to do yet. If your DE config is part of your restrictions enforcement then there is a whole range of highly configurable window managers to choose from.
10. This applies to any computer; if you don't need the program installed, why is it there? If you have to install the program but don't actually need it, why is it running? On *nix platforms, if you are going to run deamons then also make use of hosts.deny and hosts.allow or your equivalent along with the recommended inetd.conf changes.
But that's just my two cents..
"#1: Locking the screen and logging out is important"
OK, well I considered that to be a no-brainer, but its as well to state it expicitly.
"#2: Hiding files and folders is a quick fix"
Yes, but not really a very good one. This will only defeat someone who has more than an introductory level of knowledge althoug it might get someone who has only 30 seconds to find gold. it might be worth doing, but only in combination with other things.
"#3: A good password is a must" This is where I have a big problem with what you have, or more precisely haven't, written. Where is the mention of the root password? I know some of the more user friendly distros don't have a separate root password, but given dektop user's habits of just ignoring the root account, they could easily forget about a strong root password.
"#8: Creating /home in a separate partition is safer"
Probably true, but:
"1) it???s standard, so anyone gaining access to your machine knows right where your data...To solve this problem, you can place /home on a different hard drive or partition all together (making it a partition in and of itself)"
Is a complete non-sequitur. When you put home on a separate partition, it still looks and feels exactly as home were in the 'standard' place (you have to look at mtab, fstab or use mount to detect that its in action), so it does nothing to deter the would-be hacker.
"This is not a task for the weak of heart..."
Come on, if done at install time this almost trivial. I always do this for other reasons and its doesn't really slow me down at all. It would be a different matter on an existing installation, when it might take a whole 5 minutes, or so.
OK, well I considered that to be a no-brainer, but its as well to state it expicitly.
"#2: Hiding files and folders is a quick fix"
Yes, but not really a very good one. This will only defeat someone who has more than an introductory level of knowledge althoug it might get someone who has only 30 seconds to find gold. it might be worth doing, but only in combination with other things.
"#3: A good password is a must" This is where I have a big problem with what you have, or more precisely haven't, written. Where is the mention of the root password? I know some of the more user friendly distros don't have a separate root password, but given dektop user's habits of just ignoring the root account, they could easily forget about a strong root password.
"#8: Creating /home in a separate partition is safer"
Probably true, but:
"1) it???s standard, so anyone gaining access to your machine knows right where your data...To solve this problem, you can place /home on a different hard drive or partition all together (making it a partition in and of itself)"
Is a complete non-sequitur. When you put home on a separate partition, it still looks and feels exactly as home were in the 'standard' place (you have to look at mtab, fstab or use mount to detect that its in action), so it does nothing to deter the would-be hacker.
"This is not a task for the weak of heart..."
Come on, if done at install time this almost trivial. I always do this for other reasons and its doesn't really slow me down at all. It would be a different matter on an existing installation, when it might take a whole 5 minutes, or so.
You mean Linux isn't secure? I thought it was the most secure OS on the planet!
No doubt the BSDs are more secure than Linux by default. BTW I don't trust SELinux, for some inexplicable reason.
I use Linux desktop as well, have exclusively for almost a decade now. I have a lot of clients that use it, too. Most of those wonder why they labored with windows for so long.
One item that should have been in the top 10: run a shorewall-variety firewall. Windows "firewalls" are 'shorewall' types, i.e. running in/on the same machine you intend to protect.
There's numerous firewalls for Linux, most basically manipulating iptables. You can either customize an iptables config, or use one of the GUI apps for the task.
Let's see, there's guard dog, firestarter, shorewall, nufw, ...I'm probably forgetting more than I'm remembering here. Lots of choice.
I use shorewall on other's desktops.
I use Linux desktop as well, have exclusively for almost a decade now. I have a lot of clients that use it, too. Most of those wonder why they labored with windows for so long.
One item that should have been in the top 10: run a shorewall-variety firewall. Windows "firewalls" are 'shorewall' types, i.e. running in/on the same machine you intend to protect.
There's numerous firewalls for Linux, most basically manipulating iptables. You can either customize an iptables config, or use one of the GUI apps for the task.
Let's see, there's guard dog, firestarter, shorewall, nufw, ...I'm probably forgetting more than I'm remembering here. Lots of choice.
I use shorewall on other's desktops.
Just because something is more secure / the most secure, doesn't mean (by any stretch of the imagination) that it is totally secure... The only way to make a PC totally secure is to never connect it to the 'net, keep it in a locked room, with a very long password, make sure nobody else can touch it, let alone use it, and never install any 3rd party programs. Even then, you have to hope nobody breaks into the "secure room" to compromise it. In short, nothing is totally secure.
(I realise you're probably joking, but it's a point worth making).
(I realise you're probably joking, but it's a point worth making).
There is another alternative to SELinux and Apparmor - Bastille (link: http://bastille-linux.sourceforge.net/ ) - it's another "secure your system" program, but it's an interactive one. It asks the user if they want to do an action (say turning off services) - but it explains what they are, what it does, implications, and offers a default option (with an explanation on why it's a good option). I recommend it over most others, simply because you actually *learn* what it's doing and why, rather than finding that it's done everything for you with no explanation.
http://bastille-linux.sourceforge.net/screenshot.htm
That's a small screenshot of one of the Bastille options - at the top it has the question ("do you want to enable kernel-based stack execution prevention") which can be daunting, but below it it gives you a description of what that option is, what it does, and what disabling it does, and how to undo it.
http://bastille-linux.sourceforge.net/screenshot.htm
That's a small screenshot of one of the Bastille options - at the top it has the question ("do you want to enable kernel-based stack execution prevention") which can be daunting, but below it it gives you a description of what that option is, what it does, and what disabling it does, and how to undo it.
Last time I was looking at it for Mandriva 2007.0, it was supporting Mandriva 2006 or 2005. I almost switched to Debian purely to have the more current Bastille support.
I've not checked recently for the most current supported distributions list.
I've not checked recently for the most current supported distributions list.
It appears that the last release was September, with another due soon. I have to admit, I normally use Debian, so I don't suffer that problem :P.
Heck, if I had the knowledge or time to learn it, I'd write the damn Mandriva 2008.1 profile sheet for Bastille myself. Too many other projects, hopefully Tripwire keeps the gaurd up until I get back around to a Bastille box. (maybe I'll do a Deb vm on the weekend so I can finally play with Bastille now that I think about it..)
Jack nails it again! The only thing I would add, for both Unix and Windows, is to implement least privilege! BEyondTrust has both products for least privilege. PowerBroker is just awesome! www.beyondtrust.com
Derek Melber, MVP
Derek Melber, MVP
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
