posted by on Monday January 09 2017, @10:05AM
from the belt-and-[suspenders|braces] dept.

Red Hat employee Daniel J. Walsh writes via OpenSource.com

When I was young, Paul Simon released his hit song, 50 Ways to Leave Your Lover. Inspired by this song, I've collected 50 ways sysadmins and laypeople can avoid getting hacked:

"Make a new plan, Stan"
[...]
6. Run applications in the SELinux Sandbox whenever possible--it was a container before containers were cool. Also follow the development of Flatpak, which soon should be developing sandboxing capabilities.

7. Don't install or use Flash. Firefox no longer supports it, and hopefully most web servers are moving away from it.
[...]
"Just get yourself free"
[...]
19. [...] I don't do online banking on my phone--only on my Linux computer.
[...]
"Hop on the bus, Gus"

21. Run Linux on your systems. When I first hooked my father up with a computer system, I barely got home before his system was infested with viruses. I returned and installed Linux on his system and he has been running it ever since.
[...]
"And get yourself free"
[...]
50. Set up a special guest network for all those Christmas IoT devices your kids receive. I love my Amazon Echo and automated lights and power switches ("Alexa, turn on the Christmas Lights"), but each one of these is a Linux operating system [whose manufacturer's configuration] has questionable security.

Do you take exception to anything he suggests? (Being a Red Hat guy, he is enthusiastic about systemd.) Can you think of something he missed?

  • (Score: 2) by shipofgold on Monday January 09 2017, @01:23PM

    by shipofgold (4696) on Monday January 09 2017, @01:23PM (#451432)

    I run windows7 on my wife's and kids' computers and Linux on mine. Most of the vulnerability in a home system depends on the user (click on a suspicious link, download a program, etc). I believe Linux is just as vulnerable as Windows given the actions that a user might do, but the user base is so much smaller (and a tad more technical) that it just isn't worth it to attack using the same methods of attack seen in Windows. If Linux were on 50% of the world's desktops there would be many more incidents. I hope Linux desktop never goes mainstream...

    My wife does light WWW browsing on known sites and some iTunes. Chrome and Windows are both set for auto-update on her system, and I never install any of that virus protection crapware. AFAIK there has never been malware on that system. I have backups of her music and other docs, and if I ever see malware it will take an hour or two to reformat and re-install.

    Sure there could be a malicious zero day that affects Chrome and causes it to automatically download malware and pwn the computer but that is a risk we will run. There is more risk/headache when I give a credit card to a waiter who copies the number and sells it to the dark web.

    The biggest issue on Linux is that installing the latest version of one program may require a full system upgrade due to library dependencies. Drives me nuts to be forced to go from Fedora 20 -> Fedora 24 just to get the latest version of some program that won't run with the libraries installed on F20. Every Fedora upgrade I have ever done was mainly due to getting one program that wasn't supported on the older version.

    I am typing this on F20 into Chrome 39. I believe the only way to get a newer version of chrome is to upgrade Fedora...yum update doesn't find any newer versions...updating Fedora is not going to happen on this box...does this make me safer?

  • (Score: 2) by The Mighty Buzzard on Monday January 09 2017, @01:40PM

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday January 09 2017, @01:40PM (#451437) Homepage Journal

    Sounds like a rolling-release distro is something you might look into. I wouldn't advise Gentoo because of the huge amounts of butt-pain involved in initial setup or Arch because of systemd but something like Calculate (binary and easily set up version of Gentoo, without systemd and with the option to still use Gentoo's portage tree) might be right up your alley.

    --
    My rights don't end where your fear begins.
    • (Score: 2) by shipofgold on Monday January 09 2017, @03:31PM

      by shipofgold (4696) on Monday January 09 2017, @03:31PM (#451479)

      Thanks for the advice...I will look into Calculate or Gentoo for my next build. The only issue I have with the smaller distros is what support they will have in 5 years. When I set up a system I typically run it for a long time, put a number of packages on it with configuration files customized to my environment, and tweak it over time to get it just where I want it. My current desktop is from 2008. I just retired a build from 2003 that was running F13....took me 3 weeks to get its replacement configured in a similar fashion, and there are still some things that don't work the way they used to (DHCP updates to DNS...).

      Rolling releases may soften the upgrade pain by spreading it out over time. But I suspect that I will still be forced to take updates with "new features" on programs that work just fine for me. Sure I would want security updates to those programs, but I don't want an update that changes the configuration file, or requires new config options be specified that were not there before. I will check it out before whining any more.

      Somehow, Windows7 just works when installing later versions of one program...I don't need to take upgrades to one program to get updates on another. Updating Windows7 OS with patches (normally) does not break installed programs. I know Windows7 has its share of headaches, and I don't pretend to know what is going on under the hood. I don't run it on my personal computers, but it sure is easier to do when my wife wants the latest iTunes. I do know the day is coming where Windows10 will rule and updates for programs running on Windows7 are no longer coming...but it was a good long ride on Windows7.

      • (Score: 2) by The Mighty Buzzard on Monday January 09 2017, @04:54PM

        by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Monday January 09 2017, @04:54PM (#451503) Homepage Journal

        Well, Gentoo isn't exactly a smaller distro and it's been running for quite a long time. Calculate? Shrug. They may or may not be active five years out but it should be a "relatively" painless trip to proper Gentoo if they do fold.

        I agree about Windows 7 though. It's quite a solid gaming platform, though I run it in a VM nowadays so I can roll it back a snapshot or two when it becomes necessary.

        --
        My rights don't end where your fear begins.
  • (Score: 3, Interesting) by SDRefugee on Monday January 09 2017, @05:22PM

    by SDRefugee (4477) on Monday January 09 2017, @05:22PM (#451520)

    I'm a retired sysadmin, did 20 years with Windows, but my first love being Linux. I've migrated quite a number of non-tech users to Linux (X/LUbuntu), the first ones being a couple who loved to click on EVERYthing and whose machines were bogged down with so much malware that
    it was best to nuke/repave, but they either never made or lost their recovery disks, and the machines in question were older P4s, with a max of
    2Gb of ram, thus were not good candidates for Win7. So I gave them a choice: New machine OR Linux.. I gave them a LiveCD and had them
    use it via live for a few days, and then asked them if they could live with it.. At first it was like "I guess if I have to" but after using it for a while
    both of them found they liked it better.. I've since done quite a few more simply by word of mouth. Ever since Win10 came out and folks are getting that on their new machines, and the word spreads about what a nightmare Windows 10 is with your privacy, I'm looking at starting a
    small side-business doing Linux migrations. These Linux installs are set up such that the daily user acct has no sudo perms. When the user wants
    to install a piece of s/w from the Ubuntu "store", they log out of their daily acct, login to an "install" acct which has sudo perms for the Ubuntu "store" only, and automatically logs them out after 30 min.. I have an acct on the system called "admin" with sudo perms and the password known only to me, Firefox and Chrome are sandboxed via "firejail", and has TeamviewerQS installed, as a few of these users are waay across town and a couple are in Illinois..

    --
    America should be proud of Edward Snowden, the hero, whether they know it or not..
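
An added example, not part of SDRefugee's comment or the thread: one way to check the account split described above (a daily account with no sudo, a store-only install account, a full admin account). The account names, file contents and the /usr/bin/software-center path are constructed, and the sudoers parsing is deliberately simplified (one rule per line, no aliases or includes).

```shell
#!/bin/sh
# Added example (not from the thread): report each account's sudo scope.
# Simplified sudoers parsing (assumption): one rule per line, no aliases,
# no #include files, group membership taken from field 4 of /etc/group.

# classify_sudo USER GROUP_FILE SUDOERS_FILE  -> prints none|restricted|full
classify_sudo() {
    cs_groups=$(awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) printf "%s ", $1
    }' "$2")
    awk -v u="$1" -v gl="$cs_groups" '
        BEGIN {
            who[u] = 1; level = "none"
            n = split(gl, g, " ")
            for (i = 1; i <= n; i++) who["%" g[i]] = 1
        }
        /^[ \t]*#/ || NF == 0 || $1 == "Defaults" { next }
        ($1 in who) {
            cmds = $0
            sub(/^[^=]*=[ \t]*/, "", cmds)             # drop "user host ="
            sub(/^\([^)]*\)[ \t]*/, "", cmds)          # drop "(runas)"
            gsub(/(NOPASSWD|PASSWD):[ \t]*/, "", cmds) # drop tags
            sub(/[ \t]+$/, "", cmds)
            if (cmds == "ALL") level = "full"
            else if (level == "none") level = "restricted"
        }
        END { print level }
    ' "$3"
}

# Constructed sample files mirroring the three accounts described above.
make_sample() {
    cat > "$1/group" <<'EOF'
sudo:x:27:admin
daily:x:1001:
install:x:1002:
EOF
    cat > "$1/sudoers" <<'EOF'
# constructed sample; /usr/bin/software-center is a placeholder path
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
install ALL=(root) /usr/bin/software-center
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
for acct in daily install admin; do
    echo "$acct: $(classify_sudo "$acct" "$demo_dir/group" "$demo_dir/sudoers")"
done
rm -rf "$demo_dir"
```

On a live system, `sudo -l -U <account>` run as root gives the authoritative answer. A rule reported as restricted is still only as narrow as the program it allows.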
    • (Score: 0) by Anonymous Coward on Monday January 09 2017, @08:19PM

      by Anonymous Coward on Monday January 09 2017, @08:19PM (#451599)

      These Linux installs are set up such that the daily user acct has no sudo perms.

      Even the default install in *n?x requires the user to explicitly grant permission for a download/install to be runnable.
      This makes the notion of a drive-by infection quite foreign to users of Linux and its kin.

      In contrast, any app that hits a Windoze system is automatically executable.
      (I understand that MICROS~1 **finally** made auto-execute **not** the default for anything it found on plugged-in/inserted media.)
      N.B. Outside of extremely-locked-down kiosks, it's been a long time since I've used M$'s dreck, so perhaps something has changed radically in the permissions/security arena and I am unaware of that.

      firejail

      More folks need to be aware of that paradigm.
      Especially the folks who support the will-click-on-anything types.

      I gave them a LiveCD

      One of the coolest things ever devised.

      I'm looking at starting a small side-business doing Linux migrations

      Godspeed to you.

      .
      On my system (small-ish onscreen windows and large-ish fonts), the hard linebreaks that you have (seemingly randomly) inserted into sentences within your comment look odd.
      If you hit Control+PlusSign, a couple of times, you may see your stuff as some other folks do.

      The -lack- of -paragraph- breaks (double carriage returns) is also odd.
      For easier reading, the length of your comment deserves at least 2 of those IMO.

      -- OriginalOwner_ [soylentnews.org]

  • (Score: 0) by Anonymous Coward on Monday January 09 2017, @08:09PM

    by Anonymous Coward on Monday January 09 2017, @08:09PM (#451591)

    Most of the vulnerability in a home system depends on the user

    I have had several stories from the blog of Linux advocate Robert Pogson make the front page here.
    Pogson is now retired, after a career in Science/Technology.

    His final years in the workforce were as a public school teacher.
    When he arrived at his first teaching assignment, he found a bunch of Windoze boxes that were loaded to the gunwales with malware and were quite unusable.
    The school had no IT staff.
    He tried to clean up those boxes himself and get them to a usable state.
    Getting them there and keeping them in that state required a significant portion of his time.

    Investigating further, he discovered gratis and libre Linux.
    He replaced Windoze with Linux and turned the kids loose on those boxes.
    His time spent maintaining those same boxes now approached zero.
    Same hardware; SAME USERS; different software.

    .
    I believe Linux is just as vulnerable as Windows

    Believe it if you want to. It isn't so.

    given the actions that a user might do

    Expand your knowledge base.
    For starters, investigate Linux permissions.

    but the user base is so much smaller

    A lot of Windoze users think that Security Through Obscurity is a thing.
    It isn't.
    Linux[1] is more secure than Windoze because it was designed better.

    [1] All *n?x implementations, actually.

    -- OriginalOwner_ [soylentnews.org]

    • (Score: 2) by shipofgold on Monday January 09 2017, @11:08PM

      by shipofgold (4696) on Monday January 09 2017, @11:08PM (#451726)

      Expand your knowledge base.
      For starters, investigate Linux permissions.

      Say what? You think running as a normal user doesn't open you up to vulnerabilities? I can stash malware in a 1000 different places under a normal user account that most people with your "expanded knowledge base" would never find (think gconf settings, x-windows startups, etc). That malware would still have access to your unencrypted files, your network for spam relay, be able to hack into your X-server (or wayland server...no experience with that), and do wonderful things like keyboard sniffing, etc. SELinux does a much better job of limiting what it might do, but at the expense of much more complicated setup/management. Most casual Linux users I know the first command they run is "setenforce permissive" just to get SELinux out of the way.

      I can also create an RPM for some spiffy program that "you just gotta install" and have it put all sorts of fun on your system when you "sudo yum install" it...If Linux were on 50% of the world's desktops there would be lots of those RPMs or DEBs floating around...don't fool yourself.

      Your Robert Pogson reference only proves two things:

      1) he didn't know how to lock down Windows.
      2) The malware he was finding was all targeting kids on windows...If there was a huge userbase of kids on Linux systems his success wouldn't be nearly as dramatic.

      Linux may be more secure (we won't discuss Shellshock, or the OpenSSH vulnerability, or the BIND and sendmail vulnerabilities of old or any of the other configuration gaffes that users might unwittingly make), but many "hacks" are social engineering...Your Linux password is about to expire. Please put a new one "here"...I dare you.