[Novalug] linux update security?
DonJr
djr1952 at hotpop.com
Mon Jan 14 08:04:34 EST 2008
On Mon, 2008-01-14 at 06:43 -0500, Anthony Soucek wrote:
> Okay, I come from the world of windows, but here's me asking how linux
> can be so secure?
The model that the OS is based on is part of the reason.
> It almost appears that it is considered more
> secure only due to the fact that hackers don't want to bother with the
> 5% of computers in the world running linux ( I heard ms has 75% of pcs
> probably an estimate, and some have to be Mac and BSD etc).
Where did you get those numbers?
And what type/class of systems are you talking about?
Even for "Desktop systems" your Linux number may be way low.
For Servers, well that's a different picture altogether.
> I heard
> that someone recently put a backdoor in the source for squirrel mail
> at least at the redistribution level. I know you can check the md5
> checksums of your updates to guarantee that they are the same as the
> original but I have also heard that two different files can produce
> the same hash result, so a hacker can tweak run the md5 hash until
> they find a variant that produces the same md5, even though the
> content is different.
See <http://lwn.net/Articles/262090/>
"The backdooring of SquirrelMail"
> Also, What about firewalls?
There are a number of possible "firewall" packages that you can
select from as a starting point.
For a simple "desktop" or "portable" type setup, FireStarter looks to
be a good choice.
> I know that mostly
> services are off unless you turn them on in linux, but I am not so
> sure that is as true for non technical user distros like Ubuntu?
MORE So. Ubuntu defaults to almost NO externally listening Daemons.
> I
> know you can manually create a firewall with IP chains or something,
> but if you're running Ubuntu or Linspire, that is probably beyond the
> average user's skill level. And when you run updates, if you get them
> from the community and not the distro vendor, You will be prompted in
> Ubuntu that this update may not be safe because it's from an
> unauthorized source, so theoretically, a bad guy could write some
> small program, and then put out an update that changes it into
> malware. Is anybody else worried about this stuff? I am not trying
> to get anyone irked here, but I am interested to see if anyone can
> explain how these threats could be impossible or avoided.
Firestarter is an easy install on Ubuntu based systems.
For Xubuntu there is even a "Getting Started" type pointer document
page in /usr/share/xubuntu-docs/ that recommends installing it.
( The directory contains 73 docs by default.)
As for the security of packages.
Well "OpenPGP" package signing isn't the same as a simple MD5
checksum.
And that is at least a step in the direction towards a more secure
distribution system.
> I realize
> linux is more secure than windows xp out of the box, (security by
> obscurity) but I can also see how open source is an invitation to
> trouble.
Please explain this statement/question.
BUT as a starting point.
Yes "Linux is more secure than windows xp out of the box"
and in day to day usage afterwards.
Yes "windows xp" is at best (security by obscurity), since I have never
even heard of a reference to where complete understandable documentation
can be found.
(-: And I've been working with and programming computers since 1979 :-)
But the final part of your statement, I don't understand where you're
coming from or heading to.
OR {please answer the following question}
How can open source be an invitation to trouble?
--
Don E. Groves, Jr.
===============================================================
A young man goes into a computer games shop. He says to an assistant "I
want a challenging computer game with lots of graphics. It should be
difficult, confusing and have plenty of contradictions to keep me busy".
The assistant replies "Have you tried Windows XP?"