[nfbcs] Sonar or Vinux

Littlefield, Tyler tyler at tysdomain.com
Fri Jul 25 14:57:07 UTC 2014


First point: Linux boxes are really really valuable to an attacker. They 
are brute forced constantly and they are pretty frequently taken over, 
either to install malware on the site, as an ssh launchpoint or anything 
else. Your quote was a bit garbled, so I'm afraid you'll have to provide 
a TL/DR version.

As to your point regarding firewalls, you say that its only use is to 
keep open services hidden, which protects the surface area of any 
system. That is its goal and that is what it does, along with rate 
limiting and other various features that you mentioned. You can't write 
that off as trivial because a smaller surface area is pretty damned 
useful. How nice would it be if portmap and all the other crap that came 
installed on Ubuntu by default was just hidden behind a firewall, or 
even bound to loopback?

I'm not pushing Windows over Linux in terms of security. I'm just 
pointing out that you, along with everyone else who thinks Linux by 
default is faster and more secure are delusional. They both have their 
pros and cons, but to just run stock Linux and then "know" that you're 
hackerproof is incredibly insane. I have to laugh every time I see this 
idea, because people are selling junk laptops with Vinux on it and 
trying to tell the world that because Vinux is Linux it's more secure 
than anything else. Never mind the fact that they tell you not to update 
or limit your updates. That sounds like a pretty big problem to me!

What this boils down to is this: each system and distro has various 
steps that need to be taken to make it more secure. You need to be aware 
of what you are installing on Linux just as on Windows. (I'll note you 
totally blew off the mention of Microsoft's app store, also). If you 
want security, you do need to configure a sane firewall with good rules 
and policies and configure your system to work with your needs. With 
perhaps the exception of systems like Arch or the BSD systems, you are 
going to have a surface area no matter what you install.

On 7/25/2014 10:45 AM, John G. Heim wrote:
> First point: About botnets. Quoting from research done at Northwestern 
> University 
> (http://www.cs.northwestern.edu/~ychen/Papers/BotEvent_rpt1.pdf)
>
> --- begin quote ---
> We found 92% of the bots are identified
> as Windows machines by p0f [3]. And among the Windows
> machines, 90.8% of the bots are Windows 2000 or XP. This
> result supported the conventional wisdom that botnet army
> are mainly comprised Windows machines.
> We also did the similar analysis at per event level. We
> found for all the 43 events the dominated operating system
> are Windows. We did not observe any events which mainly
> consist of other types of machines. Although, there are some
> rumors that some botnets are Linux or Unix based, based
> on our finding, we believe the percentage of non-Windows
> based botnets in the botnet population are really low.
> --- end quote ---
>
> That could hardly be more clear. The fact that many/most linux boxes 
> have compilers is irrelevant to the botnet  issue.  A hacker doesn't 
> need a compiler. All he has to do is install binaries. In fact, if he 
> needs a compiler, he can just install it and it doesn't matter what 
> platform it's on. The fact is
>
> Second point: No, linux isn't secure due to  obscurity. It's just that 
> turning off the portmap daemon is a trivial point. So is installing a 
> firewall -- if you think that will help.   The default Windows 
> firewall doesn't really supply a significant amount of additional 
> security. Actually, a firewall on a desktop machine, no matter how 
> well configured supplies very little additional security. Firewalls 
> are mainly valuable for two things. One is to protect servers from 
> brute force attacks. Secondly, to protect networks of desktops so that 
> if someone enables a service on their desktop, a hacker still can't 
> get to it.
>
> Third point: I didn't say there is no anti-virus software for linux. I 
> said most people don't bother with it because it's not needed. If you 
> stick to programs from the official archives, you are not likely to 
> get hacked via the kind of things anti-virus software protects you 
> from. Clamav works by scanning files for the signature of known 
> viruses. But those signatures simply are not going to be found in 
> packages downloaded from the official archives. It's a waste of 
> resources to bother scanning them. The primary use of clamav 
> anti-virus is to scan incoming email and downloads on linux servers 
> for users who run Windows. Mail attachments are scanned on the linux 
> server before they get to the Windows end users.
>
> Fourth point: While running programs downloaded only from an official 
> archive doesn't absolutely guarantee there is nothing malicious in the 
> code, I have never heard of malicious code getting through to an 
> official archive.  If that has ever happened, it's extremely rare.  
> If you have evidence to the contrary, I'd like to see it.
>
> Honestly, I wish you folks would consider whether you really believe 
> Windows is more secure or if you are just arguing because it's what
> you want to believe.
> l linux archives is way, way safer than the stuff you  the equivalent 
> packages for Windows.
>
> On 07/24/14 21:47, Littlefield, Tyler wrote:
> > So basically Linux is secure by obscurity. Actually, plenty of Linux
> > boxes are on people's botnets. They're actually high targets because
> > they usually have a compiler, have lots of tools ready to use and are
> > great launchpads for attacks. Plenty of people also do run antivirus for
> > Linux, it's called clamav. Microsoft does have an app store, it was
> > introduced with windows 8. Finally, just because there is a central
> > archive doesn't mean that malicious software can't be installed. Just
> > look at heartbleed (which has client and messenger implications), etc.
> > That wasn't malicious, but it's not like the debian archives did
> > anything to solve that problem. By your count, there are thousands of
> > packages that can be installed, totaling I'm sure a few hundred million
> > lines of code all told. Do you honestly believe that all of that code is
> > checked? Because if not, then your archive, which is supposed to make
> > Linux more secure than windows is just that, an archive and holds no
> > extra benefit for the user beyond that of a central repository from
> > which to download software.
> > On 7/24/2014 10:17 PM, John G. Heim via nfbcs wrote:
> >> Has anyone ever heard of someone's system getting hacked because they
> >> installed linux and the portmap daemon was turned on by default? That
> >> kind of thing just doesn't happen. It's like saying Ohio is a better
> >> place to live than Massachusetts  because Ohio is easier to spell.
> >> Most people wouldn't consider it a significant factor. Neither is the
> >> Windows default firewall. These are trivial points that no real
> >> security expert would place much value on.
> >>
> >> The bad guys out there aren't looking around for machines with the
> >> portmap daemon running. If you are running a high profile target,
> >> you'd better turn that off. But nobody is going to hack your desktop
> >> machine if you leave the portmap daemon running. On the other hand,
> >> they are trying to hack into your machine by sending you a virus.
> >> Which is why it's crazy to say it doesn't matter that the vast
> >> majority of viruses are written for Windows. Is there anyone on this
> >> list who doesn't know someone whose Windows machine got a virus? Have
> >> you ever heard of a linux machine being part of the bot-net of some
> >> hacker in Russia? Those are all Windows machines.
> >>
> >> It's crazy to say that open source software isn't safer than
> >> proprietary. Most linux systems don't even run virus software and
> >> that's because  almost everything you install is from an official
> >> source. Everything you need is in the Red Hat, debian or ubuntu
> >> archive. The concept is a little like Apple IOS. You have to unlock
> >> your IPhone to install software from a place other than the Apple
> >> Store. Well, it's not quite so difficult on a linux system to install
> >> software from an unofficial source. But if you stick to the official
> >> archives, which almost everybody does, you will be fine. Maybe you
> >> also install from the dropbox or skype archives. But you're not going
> >> to get a virus from them either. If you run linux, there are literally
> >> thousands of programs, totally free, at your fingertips, that you can
> >> install with complete confidence. Where is Microsoft's package archive?
> >>
> >> On 07/24/2014 09:43 AM, Jude DaShiell via nfbcs wrote:
> >>> With various Linux distributions, it's possible to operate using a
> >>> livecd or livedvd or flash drive.  If the first two are closed session
> >>> media and the flash drive is write-protected before booting that can
> >>> make life slightly more difficult for hackers.  I know sighted people
> >>> who only do banking transactions using a liveCD or livedvd for this
> >>> reason.  I don't recall any livedvd distributions of any version of
> >>> windows ever being available.  Not only that, in order to even install
> >>> Windows 7 you have to have a hard drive permanently installed in a
> >>> computer; you cannot use a drive sled.  I know this since that was the
> >>> first way me and another programmer tried installing windows 7.
> >>>
> >>> On Thu, 22 May 2014, Nancy Coffman via nfbcs wrote:
> >>>
> >>>> You make a good point. It is also noteworthy that people who want to
> >>>> invade our privacy and hack our security spend time staring at
> >>>> security code.
> >>>>
> >>>> Nancy Coffman
> >>>> Sent from my iPhone
> >>>>
> >>>>> On May 22, 2014, at 11:49 AM, "Littlefield, Tyler via nfbcs"
> >>>>> <nfbcs at nfbnet.org> wrote:
> >>>>>
> >>>>> Hello:
> >>>>> My experiences come from watching the Vinux list a while back,
> >>>>> though this may just be the point of view of some of the more
> >>>>> radical vinux folks. I know a lot of people switch for various
> >>>>> reasons, but for a long time, at least in the Vinux world a lot of
> >>>>> people were switching over for some vague hope of higher security.
> >>>>> This actually brings up a fun topic though, so I'm going to run
> >>>>> with it, because I'm really curious what other people's thoughts are.
> >>>>>
> >>>>> I do not believe it really depends on how many viruses are written
> >>>>> for what OS when you talk about security in general. My view of
> >>>>> security is a system that is provided to the end-user with a very
> >>>>> minimal attack surface. Obviously the only way to truly avoid that
> >>>>> attack surface is to just unplug the system in question. So, let's
> >>>>> look at this scenario. Many unix systems come with nothing at all
> >>>>> enabled, which is great. Others come with stuff like Portmap for
> >>>>> RPC, nfs and etc already enabled. Windows also comes with services
> >>>>> enabled.
> >>>>>
> >>>>> The bonus points I'll give to Windows is they have a firewall, with
> >>>>> a default slightly restrictive policy enabled that helps with some
> >>>>> of these issues, whereas any installation of Ubuntu or even Debian
> >>>>> does not have a default iptables ruleset to prevent access to these
> >>>>> attack vectors.
> >>>>>
> >>>>> Finally, Windows has pretty much kept up in terms of technologies
> >>>>> like ASLR, etc. It might be easier to say that one system is by
> >>>>> default more secure than another, but in this case I think it is
> >>>>> -really- important to specify which Linux or even Unix derivative
> >>>>> we are speaking of here. I also believe that with work, any system
> >>>>> can be secured; out of the box security is hardly a viable option
> >>>>> for end-user systems.
> >>>>>
> >>>>> Finally, I want to touch on the open source comment you gave,
> >>>>> because I find that really interesting. I understand the ideas of
> >>>>> open source vs closed source to a point, but I would argue that
> >>>>> having millions of people staring at the code for a long time
> >>>>> doesn't necessarily mean more secure code. Case in point: the most
> >>>>> recent OpenSSL heartbleed bug, which had apparently existed since
> >>>>> late 2011. While I believe there is a greater chance of finding
> >>>>> these vulnerabilities, the issue is going to be hampered by the
> >>>>> vast amount of code that libraries like OpenSSL contain. I would
> >>>>> also argue that having people stare at the code doesn't even mean
> >>>>> that those people are going to be competent in terms of security.
> >>>>> Really truly detecting security problems through a huge codebase
> >>>>> requires people who know about security to fully audit the code, as
> >>>>> is the current case with the OpenBSD fork of OpenSSL, as well as
> >>>>> projects like Truecrypt, etc.
> >>>>>
> >>>>>> On 5/22/2014 11:51 AM, John Heim via nfbcs wrote:
> >>>>>> I doubt the vinux or sonar developers ever put any thought into
> >>>>>> why people might want to try linux. Why would they care if people
> >>>>>> are trying it because they think it will help them get a job in IT
> >>>>>> or because they think it's more secure?
> >>>>>>
> >>>>>> Your experience with people trying linux is certainly far
> >>>>>> different from mine. I don't know anybody who has tried it because
> >>>>>> they think it's more secure. Everybody I know who has tried it has
> >>>>>> done so because they are already in systems admin and want to
> >>>>>> find out about linux.
> >>>>>>
> >>>>>> PS: I kind of object to your saying linux is not a more secure
> >>>>>> operating system as if that's an established fact. That's a huge
> >>>>>> matter of debate.  There is no denying that the vast majority of
> >>>>>> viruses are written for Windows. I know the usual response is that
> >>>>>> that is only because Windows is so much more popular than linux.
> >>>>>> But then you have to get into theoretical issues about open source
> >>>>>> versus proprietary software. I side with the open source people on
> >>>>>> that issue too.
> >>>>>>
> >>>>>>
> >>>>>>> On 05/22/14 10:21, Littlefield, Tyler via nfbcs wrote:
> >>>>>>> I don't think the goal was to aid in getting Linux-based
> >>>>>>> employment; I think the overall goal was to provide an accessible
> >>>>>>> distro. Generally you'll hear lots of rantings and ravings, but
> >>>>>>> most people seemed to switch because they think linux is more
> >>>>>>> "secure" by default with no basis for that assumption. At least
> >>>>>>> it's generally what I hear and see advertised by all the
> >>>>>>> blindness companies that are selling "custom" computers with
> >>>>>>> Vinux installed.
> >>>>>>>> On 5/22/2014 11:15 AM, Jim Barbour via nfbcs wrote:
> >>>>>>>> I will point out that this is why I'm not a fan of either distro.  The
> >>>>>>>> blindness world isn't big enough to command a lot of attention. The
> >>>>>>>> attention we get should be focused on making the distros themselves
> >>>>>>>> easier for us to use.  Efforts that try to fork distros, like Ubuntu
> >>>>>>>> and arch, into blindness focused ones, like vinux and sonar, do not
> >>>>>>>> really help the situation.
> >>>>>>>>
> >>>>>>>> Further, a blind person isn't going to be able to require that all
> >>>>>>>> unix machines they manage run a blindness friendly distro; so this
> >>>>>>>> definitely doesn't help blind folks get Linux related employment.
> >>>>>>>>
> >>>>>>>> Jim
> >>>>>>>>
> >>>>>>>>> On Thu, May 22, 2014 at 11:02:19AM -0400, Littlefield, Tyler via nfbcs wrote:
> >>>>>>>>> That's pretty much how it happened. Bill was basically project lead and took
> >>>>>>>>> over everything with some guy from Ubuntu who was back and forth, think his
> >>>>>>>>> name was tony. Or maybe that was the main guy, it's been a while. Eventually
> >>>>>>>>> he just gave it up. My biggest issue is a lot of people call it a "secure
> >>>>>>>>> OS," including commtechusa if you care to look at that site. I was just
> >>>>>>>>> curious what they offered. Last I looked, Vinux recommended not updating and
> >>>>>>>>> they were on an older version of Ubuntu--both not really paths to security.
> >>>>>>>>> The updates was because things would break, but that still means you're not
> >>>>>>>>> all that secure if you ever leave your house and your personal router.
> >>>>>>>>>> On 5/22/2014 9:44 AM, John Heim via nfbcs wrote:
> >>>>>>>>>> My experience as of about 1 year ago was that sonar was a way more
> >>>>>>>>>> polished product than vinux. I've seen a lot of questions about vinux like
> >>>>>>>>>> when is the new version coming out, why is it still based on some old
> >>>>>>>>>> version of ubuntu. Like so many open source projects, there was probably
> >>>>>>>>>> one person, maybe two, driving the project and when they ran out of steam,
> >>>>>>>>>> the project slowed to a crawl.
> >>>>>>>>>>
> >>>>>>>>>> I was so impressed with sonar that I put it on my machine at home. And I
> >>>>>>>>>> put it on what I call my drop dead emergency machine here at work. Sonar
> >>>>>>>>>> is that solid.
> >>>>>>>>>>
> >>>>>>>>>> The one problem I have with sonar is that they are switching from basing
> >>>>>>>>>> their distro on ubuntu to basing it on arch linux. I will probably drop
> >>>>>>>>>> sonar once that conversion is complete. I have to stay with a debian fork
> >>>>>>>>>> because my job is to support debian.  What I'd really like is to have
> >>>>>>>>>> debian be so accessible that we wouldn't need either sonar or vinux. Well,
> >>>>>>>>>> one can dream.
> >>>>>>>>>>
> >>>>>>>>>>> On 05/21/14 20:05, David Andrews via nfbcs wrote:
> >>>>>>>>>>> Hi Jim et al:
> >>>>>>>>>>>
> >>>>>>>>>>> I have a Windows XP laptop that I am thinking of installing a Linux
> >>>>>>>>>>> system on, to play and learn a little.  What are
> >>>>>>>>>>> advantages/disadvantages to Sonar versus Vinux?
> >>>>>>>>>>>
> >>>>>>>>>>> Dave
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> _______________________________________________
> >>>>>>>>>>> nfbcs mailing list
> >>>>>>>>>>> nfbcs at nfbnet.org
> >>>>>>>>>>> http://nfbnet.org/mailman/listinfo/nfbcs_nfbnet.org
> >>>>>>>>>>> To unsubscribe, change your list options or get your account info for
> >>>>>>>>>>> nfbcs:
> >>>>>>>>>>> http://nfbnet.org/mailman/options/nfbcs_nfbnet.org/jheim%40math.wisc.edu
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> Take care,
> >>>>>>>>> Ty
> >>>>>>>>> http://tds-solutions.net
> >>>>>>>>> He that will not reason is a bigot; he that cannot reason is a
> >>>>>>>>> fool; he that dares not reason is a slave.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>
> >>>>> --
> >>>>> Take care,
> >>>>> Ty
> >>>>> http://tds-solutions.net
> >>>>> He that will not reason is a bigot; he that cannot reason is a
> >>>>> fool; he that dares not reason is a slave.
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>>
> >>> jude <jdashiel at shellworld.net>
> >>>
> >>>
> >>>
> >>
> >
> >
>


-- 
Take care,
Ty
http://tds-solutions.net
He that will not reason is a bigot; he that cannot reason is a fool; he that dares not reason is a slave.
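
Added example, not part of the original message or thread: one way to measure the listening surface area argued about above, by sorting the sockets reported by `ss -H -tuln` into loopback-only and network-reachable, and checking whether portmap/rpcbind (port 111) is among the reachable ones. The sample output is constructed and the function names are illustrative.

```python
import ipaddress

# Constructed sample in the column layout printed by `ss -H -tuln`
# (netid, state, recv-q, send-q, local address:port, peer address:port).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      128            [::1]:631           [::]:*
tcp   LISTEN 0      511                *:80               *:*
"""

PORTMAP_PORT = 111  # portmap / rpcbind


def split_local(field):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any '%interface' scope suffix.
    host = host.strip("[]").split("%", 1)[0]
    return host, int(port)


def is_loopback_only(host):
    """True when the socket is bound to a loopback address only."""
    if host == "*":  # wildcard bind: every interface, both address families
        return False
    return ipaddress.ip_address(host).is_loopback


def audit_listeners(ss_output):
    """Return (exposed, local_only) lists of (proto, host, port) tuples."""
    exposed, local_only = [], []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skips blank lines and the header row when -H was not used.
        if len(fields) < 5 or fields[1] not in ("LISTEN", "UNCONN"):
            continue
        host, port = split_local(fields[4])
        entry = (fields[0], host, port)
        (local_only if is_loopback_only(host) else exposed).append(entry)
    return exposed, local_only


def portmap_exposed(exposed):
    """True when portmap/rpcbind is bound to a non-loopback address."""
    return any(port == PORTMAP_PORT for _, _, port in exposed)


if __name__ == "__main__":
    exposed, local_only = audit_listeners(SAMPLE_SS_OUTPUT)
    print("Reachable from the network unless a firewall blocks them:")
    for proto, host, port in exposed:
        print(f"  {proto:<4} {host}:{port}")
    print("Bound to loopback only:")
    for proto, host, port in local_only:
        print(f"  {proto:<4} {host}:{port}")
    print("portmap exposed:", portmap_exposed(exposed))
```

A socket in the first list is reachable only if no firewall rule drops the traffic first, so this shows what is bound, not what an outside host can actually connect to.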




