Posted on 08/26/2020 6:11:46 AM PDT by ShadowAce
Like all operating systems, Linux isn't perfectly secure. Nothing is. As security guru Bruce Schneier said, "Security is a process, not a product." It's just that, generally speaking, Linux is more secure than its competitors. You couldn't tell that from recent headlines which harp on how insecure Linux is. But, if you take a closer look, you'll find most -- not all, but most -- of these stories are bogus.
For instance, BootHole sounded downright scary. You could get root access on any system! Oh no! Look again. The group which discovered it comes right out and says an attacker needs admin access in order for their exploit to do its dirty work.
Friends, if someone has root access to your system, you already have real trouble. Remember what I said about Linux not being perfect? Here's an example. The initial problem was real, albeit only really dangerous to an already hacked system. But several Linux distributors botched the initial fix so their systems wouldn't boot. That's bad.
Sometimes fixing something in a hurry can make matters worse and that's what happened here.
In another recent case, the FBI and NSA released a security alert about Russian malware, Drovorub. This program uses unsigned Linux kernel modules to attack systems. True, as McAfee CTO Steve Grobman said, "The United States is a target-rich environment for potential cyber-attacks," but is production Linux run by anyone with a clue really in danger from it?
I don't think so.
First, this malware can only work on Linux distributions running the Linux 3.6.x kernel or earlier. Guess what? The Linux 3.6 kernel was released eight years ago.
I suppose if you're still running the obsolete Red Hat Enterprise Linux (RHEL) 6 you might have to worry. Of course, the fix for signing Linux kernel modules has been available for RHEL 6 since 2012. Besides, most people are using Linux distros that are a wee bit newer than that.
In fact, let's make a little list of the top production Linux distros:
CentOS/RHEL 7 started with kernel 3.10.
Debian 8 started with kernel 3.16.
Ubuntu 13.04 started with kernel 3.8.
SUSE Linux 12.3 started with kernel 3.7.10.
All these years-old distros started life immune to this attack. All recent Linux versions are invulnerable to this malware.
But, wait! There's more. And this is the really annoying bit. Let's say you are still running the no longer supported Ubuntu 12.04, which is theoretically vulnerable. So what. As Red Hat's security team points out, "attackers [must] gain root privileges using another vulnerability before successful installation."
Once more, for Linux to be compromised -- for your system to get a dose of Drovorub -- your system already had to be completely compromised. If an attacker already has root access, you are totally hosed.
Yes, there's a security problem here, but it's not a technical one. In the tech support business we like to call this kind of trouble: Problem Exists Between Keyboard And Chair (PEBKAC). So yes, if you have a complete idiot as a system administrator, you've got real trouble, but you can't blame Linux for it.
Let's look at another example: Doki, a new backdoor trojan. This time around, although described by many as a Linux problem, it's not. It can only successfully attack Linux systems when whoever set up the Docker containers exposed the management interface's application programming interface (API) on the internet.
That's dumb, but dumber still is that for it to get you, your server's firewall must be set to open up port 2375. Here's a lesson from networking security 101: Block all ports except the ones you must have open. And, while you're at it, set your firewall to reject all incoming connections that are not in response to outbound requests. If your administrator hasn't already done this, they're incompetent.
Finally, let's consider the recent sudo command problem. This sudo security vulnerability was real, it's since been patched, but it requires, again, a case of PEBKAC to work. In this case, you had to misconfigure sudo's setup so that any user could theoretically run sudo. Once again, if you already have an insecure system, it can always get worse.
There's a common theme here. The problems often aren't with Linux. The problems are with totally incompetent administrators. And, when I say "totally incompetent," that's exactly what I mean. We're not talking subtle, small mistakes that anyone might make. We're talking fundamental blunders.
Whether you're running Windows Server, Linux, NetBSD, whatever on your mission-critical systems, if you utterly fail at security, it doesn't matter how "secure" your operating system is. It's like leaving your car keys in an unlocked car: your system will be hacked, your car will be stolen.
So, enough with blaming Linux. Let's blame the real problem: Simple system administrator incompetence.
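Added example, not part of the original article or thread: a host check for the two Drovorub conditions the article raises, kernel age and whether unsigned kernel modules are refused. The function names and sample release strings are constructed for illustration; the sysfs file is the kernel's `module.sig_enforce` parameter and is only present when module signing is compiled in.

```python
import platform
import re
from pathlib import Path

# "Y" here means the running kernel refuses unsigned modules.
SIG_ENFORCE = Path("/sys/module/module/parameters/sig_enforce")
FIRST_NEWER = (3, 7)  # the article names 3.6.x and earlier as affected


def kernel_version(release):
    """'3.2.0-23-generic' -> (3, 2); raises ValueError on an unparseable string."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def read_sig_enforce(path=SIG_ENFORCE):
    """True/False from sysfs, or None when the file does not exist."""
    try:
        return path.read_text().strip() == "Y"
    except OSError:
        return None


def assess(release, sig_enforce):
    """Classify a host by kernel age and module signature enforcement."""
    if sig_enforce:
        # Covers old kernels with a backported signing fix, e.g. RHEL 6.
        return "ok: unsigned modules refused"
    if kernel_version(release) < FIRST_NEWER:
        return "review: kernel predates 3.7; unsigned modules are not refused"
    return "review: unsigned modules are not refused"


if __name__ == "__main__":
    print(assess(platform.release(), read_sig_enforce()))
    # Constructed sample hosts: (release string, sig_enforce state)
    samples = [("3.2.0-23-generic", None),
               ("2.6.32-754.el6.x86_64", True),
               ("5.4.0-42-generic", False)]
    for rel, enforced in samples:
        print(f"{rel:26} {assess(rel, enforced)}")
```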
Tech Ping
If you use Linux your kernel is more than likely 5.xx unless you’ve changed
I run Linux Mint on my computer. The only gripe I have is that it won’t print pdf files. For that, I have to email it to my phone and then print.
Yup, mine’s 5.4.0-42
Running Kubuntu 20.04
Only port open is for the web and I have my firewall set up as per recommendations from Ubuntu.org.
I don’t even know how one would go about setting up sudo to be used by anyone but it’s not set up that way with a standard install. I have to give a password anytime I use it to update, install or work on a protected file etc, as is standard.
Love Linux. Boot time is about 15 seconds on my dual boot windows/linux system and shut down time for Linux is less than 5 seconds. That’s running Plasma desktop which is one of the heavier ones and running an 8 year old Thinkpad. I can shut down 3 browsers, two email clients and a couple of other programs and still, less than 5 second shutdown time. Try that on windows. Walked by my son yesterday and glanced at his windows 10 shutting down and doing an update. 10 minutes or so. I’m updating as I type and will not have to do a restart. I haven’t paid for an operating system or program for well over 15 years.
Update is done:)
I don’t/won’t use “sudo” or “systemd” ever. They’re solutions to non existent problems.
Given Hurricane Laura, I fully expect the MSM will blame Trump for everything that goes wrong, probably including the very existence of the storm. Biden will bask in the adulation of the press as he tells stories that he would have done it better.
Linux just keeps cranking along doing the best job out there, security-wise (as far as mainstream OSes go). BSD Unix is arguably up there too, but is hardly mainstream. But the monthly articles about Win10 troubles have almost stopped -- I know, as the Windows Ping List master -- but the troubles are still manifest.
Life at the top is tough.
That's a curious comment. "systemd" I agree is a broken mess.
But "sudo" is essential if you're going to maintain your system. How in the world do you maintain your system (e.g. updates, apt-get, yum, etc.) without either using sudo or being root?
Will it print anything else? I also run Mint and have no problems printing PDFs or anything else.
I use 'okular' to view them.
The old fashioned way. "su" to a root terminal. When I’m compiling I drop out of a GUI and use CLI so you have nothing open but the shell.
Yeah, that works, too, as long as you know all the root passwords in your network and don't mind typing them. They are all nice and long, and all different, of course... right? :-)
Granted, if you're only using one workstation, "su" and "sudo" are almost equivalent except for which password you type.
[[set your firewall to reject all incoming connections that are not in response to outbound requests.]]
Is there a way to do that with the basic linux GUFW program?
So, enough with blaming Linux. Let’s blame the real problem:...
ME- The clueless home user-
LOL Good one- very funny- still laughing
Yep- love linux update system- it runs very very quickly- Windows updates are horrendously slow- have to reboot after downloading and installing a few updates- the updates are very large- and take forever to download- i find I’m doing several hours of downloads (I do them manually in windows 7) whenever i reformat and reinstall windows 7- and then days figuring out all the os tweaks i need-
Not so with linux- install, update in about 20 minutes or less- and all the os tweaks are done very quickly- I’m back to running in just a few hours- but even quicker IF I’ve done a timeshift backup- (Course i could do that in windows too- but my goodness, the backups take several hours in windows compared to just about 10 minutes in linux- )
Does anyone have a much quicker way to back up windows? I’m using Macrium Reflect, but it’s a few hours to run- (I do have a number of large games on it- but still)- I have read about Aomei backerupper, which a lot of folks seem to like- but found out it’s a chinese company?-
It's actually not that bad once you get used to it. It parallelizes the startup process, and can be quite a bit quicker than initd. I've gotten to the point that I can create systemd unit files fairly easily, and can get custom processes to work on boot up pretty easily.
I run win 7 pro but never ever let it connect to the internet and have updates completely turned off. It’s running just as nice as it was when first installed. Should be that way forever. The more you update windows, the slower it gets. If I never connect to the internet, I have no reason to install security updates. What am I securing against? network/internet. I don’t connect to either so the OS is isolated. There are only two windows programs I use and neither require a connection.
Something I plan to do with my next full linux install is to create a partition for the Home folder. Makes it super quick to swap flavors.
Windows is different because config files go in all kinds of places plus you have the windows registry. Docs and stuff are easy enough. There is a windows docs & settings export/import but I’ve never used it.