[Novalug] linux update security?
nick at hackermonkey.com
Mon Jan 14 09:33:59 EST 2008
A long thought out response
Anthony Soucek wrote:
> Okay, I come from the world of windows, but here's me asking how linux
> can be so secure? It almost appears that it is is considered more
> secure only due to the fact that hackers dont want to bother with the
> 5% of computers in the world running linux ( I heard ms has 75% of pcs
> probably an estimate, an some have to be Mac and BSD etc).
You make two points here, one is the percentage of machines running
Linux, the second is that hackers won't bother with a low percentage. I
really can't tell you the percentage of machines running Linux on the
internet, but your numbers will vary widely depending on what sub group
you focus on. Email servers? Lots. Web servers? Lots. Servers running
Exchange? None :-)
The second point about being a less attractive target, well now you get
into hacker/bad guy mentality and I just don't think its that easy.
There was a panting stolen from a Brazillian museum just recently. They
stole some Picassos. There is a pretty low percentage of art museums in
the world, and an even lower percentage of Picasso paintings. I do
believe that the harder it is to break into, a criminal will most likely
pick an easier target, but I don't believe that you can simply
discourage everyone from a hack attempt because of your choice of OS.
Sure most criminals will go after the low hanging fruit, but you can't
tell me that most of the major credit card number database thefts were
run on XP machines...
> I heard
> that someone recently put a backdoor in the source for squirrel mail
> at least at the redistribution level. I know you can check the md5
> checksums of your updates to guarantee that they are the same as the
> original but I have also heard that two different files can produce
> the same hash result, so a hacker can tweak run the md5 hash until
> they find a variant that produces the same md5, even though the
> content is different.
True, someone did hack into SquirrelMail. I don't run it so I don't have
links, someone else can post. Yes, MD5 checksums are not the most secure
things in the world. And yes, it is theoretically possible for two files
to have the same checksum. (see: http://en.wikipedia.org/wiki/MD5) But
think about this for a minute, you are taking a stream of input (the
file) and generating a checksum, then trying to create an entirely
different file, to generate the same checksum using a different stream
that contains SPECIFIC data. That is, you aren't just generating random
text to make a duplicate MD5, you want the original source + your hack
to generate the same checksum. Not a trivial task. Which if you believe
your first thing about going after low percentages, this is not a very
attractive target for ease of exploit ;-) There are several other
checksum programs out there, and I think soon you'll start seeing the
others more frequently. Many of the sites I download from feature two or
three different hashs (MD5, SHA) to further limit the chances of a
trojan making its way in.
> Also, What about firewalls? I know that mostly
> services are off unless you turn them on in linux, but I am not so
> sure that is as true for non technical user distros like Ubuntu? I
> know you can manually create a firewall with IP chains or something,
> but if your running Ubuntu or Linspire, that is probably beyond the
> average users skill level.
IPChains? Either you tried linux a long time ago and were discouraged OR
you have more knowledge then you profess. IPChains was in kernel 2.2,
the newest kernels (2.4) use IPTables. There are very simple graphical
firewall programs for Linux that generate rulesets for you. Both Ubuntu
and Linspire come with a variety of them. I don't expect my
administrators to do IPtables rules by hand without checking the man
page (I frequently have to refer to it myself) so I would never expect a
new or casual user to do that. The graphic tools are very easy.
> And when you run updates, if you get them
> from the community and not the distro vendor, You will be prompted in
> Ubuntu that this update may not be safe because it's from an
> unauthorized source, so theortetically, a bad guy could write some
> small program, and then put out an update that changes it into
If you are running something like RedHat Enterprise Linux, your updates
from from RedHat. Ubuntu updates from from various sources. You can
chose where/when to get your updates from. Yes, someone can infect an
update (just like the squirrelmail incident you mentioned earlier) and
it could spread. Depending on where you get your updates from, this is
more or less of an issue.
> is anybody else worried about this stuff? I am not trying
> to get anyone irked here, but I am interested to see if anyone can
> explain how these threats could be impossible or avoided. I realize
> linux is more secure than windows xp out of the box, (security by
> obscurity) but I can also see how open source is and invitation to
People worry about this stuff all the time. I'm sure I'm not the only
paranoid person on this list. No threat can be made impossible. The fact
that you are doing ANYTHING makes you vulnerable. And there is always
someone out there that wants what you have. This is more a social/human
issue, not really a technical issue. We can do our best to minimize it
(read any basic security manual) but we can never eliminate it.
"Invitation to trouble." Interesting choice of words. You can turn that
around with all kinds of philosphical debates like "Know thy enemy",
"learn from past mistakes", or one of my personal favorites, "Locks only
keep honest people honest." What does all that mean? Nothing really.
People have many many was to reach the same goal, and in the end, the
goal you are reaching is a more secure OS. If security is your major
goal, there are choices you can make to give you a better secure
platform, but the cost is usually too high for most people.
"access all secret files now<cr>"
More information about the Novalug