Linux uncrackable...?

Mon Sep 3 09:42:21 UTC 2012

-----Original Message-----
From: users-bounces at lists.fedoraproject.org [mailto:users-bounces at lists.fedoraproject.org] On Behalf Of jdow
Sent: Monday, September 03, 2012 6:36 AM
To: Community support for Fedora users
Subject: Re: Linux uncrackable...?

On 2012/09/02 20:25, JD wrote:
>
> On 09/02/2012 08:56 PM, Tim wrote:
>> On Sun, 2012-09-02 at 09:46 -0700, jdow wrote:
>>> My take away from this is that absolutely nothing except a totally
>>> disconnected machine in an impenetrable safe is uncrackable, even
>>> Fedora machines. Some form of "AV" tool is called for as well as
>>> routine checks with the various system check utilities. Even that
>>> won't prevent 100% of all attempts from succeeding. But it will help.
>> Nothing is 100% bulletproof, there will always be some weakness.  The
>> current state of play is to try an make sure that /that/ weakness isn't
>> exposed, rather than eliminate all the weaknesses (which isn't really
>> possible).
>>
> Yet, is it not amazing that with so many capable hackers
> in the world poring over the open source software like Linux,
> looking for these weaknesses have not publicized major
> weaknesses that could cripple it - at least I have not been
> jolted by such news in a long time.
> It seems that the sheer size of the source code all of the free
> open source software packages that comprise an installation
> would be a powerful enough reason to make most such hackers
> to grow quickly weary of such endeavor (to expose weaknesses).
>
> Cheers,
>
> JD

Guys, consider something for a moment. There are CERT advisories against
Linux (and most anything else) from time to time. Now, how were these
discovered? Was it experts pouring over the code, was it somebody got
cracked, discovered it, and reported it, or was it somebody noticed some
odd packets and analyzed the vulnerability they were designed to exploit?
Only one of those cases involves a Linux machine that was not cracked.
The rest mean a vulnerability has been found one way or another and
subsequently exploited or at least attempted in the wild.

Deploying more than a minimalist defense gives you a better chance of
not owning the first few systems that get exploited before the hole is
plugged. Even if the chances are one in a million you'll face an exploit
there if every person in Los Angeles owned a Linux machine that means
several people in Los Angeles would suffer a bad case of computer flu.

I have a "thing" about people who say you don't need an AV or other
defense with Linux, "It's safe." That's been a mantra of the know
nothings for nearly 20 years now. I've disagreed with it for nearly 20
years now. So when this juxtaposition of an attempted exploit coupled
with an advertisement on the site from which the attack took place
touting Fedora it sort of amused me leading me to share my amusement
with the list.

(And, as noted, passwords are the easiest hole to exploit on Linux if
the person leaves an SSH port "too open to the world." Thank heavens
for my iptables defensive trick. Only two people have figured out how
they can get more than one shot at logging into my system. And those I
found before they'd had even 100 tries. I locked out their entire
domain with a hard lock instead of the soft lockout that happens
automatically. And I STILL worry. I am paranoid, perhaps. "They"
certainly are out to get me. But it's not personal. They are out
to get anybody they can.)

{^_^}

-----Original Message-----

Isn't it the infamous balance between "safe" and "usable"?
"they" made windows installable for ordinary end-lusers, and applications so they can do funny things in case something goes wrong. And script-kiddies and alike are using all that available power against users.

Until recently, people who were able to do a decent installation of Linux were wise enough to know a thing or two about security, and what to do when you are exposing ports (ssh, mail, sip) to the bad outside world.

Nowadays, you come across distro's (no, I don't name them) that give a you a single-click install.
The fact that you do not see malicious viruses targeted at Linux systems that often give them a false sense of security.

Hw

______________________________________________________________________
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.