I really rather like this article, although it is full of hidden assumptions, MovingTheGoalposts™, and irrelevant advice.
The number one Good Thing it points out is “Don’t Be Dumb.” This is not, strictly, functional advice to an Ubuntu user (who, let’s face it, has by definition installed Ubuntu), but it’s better than nothing … nothing being the default security setting for Ubuntu.
The number two Good Thing it points out (which is tangential to security, but excellent in other ways) is:
Back up regularly.
The great thing about Linux is that the Naughty Brigade can only trash your user data and user programs and not the Sacred Kernel In The Pixie Grove. (Except on those infinitesimally noticeable occasions when they invade the Pixie Grove as the Root Of All Evil.) To almost all apologists for Linux security, this does not matter. It’s only user data, innit? What possible security risk could there be in exposing user data (credit card numbers, lists of email/facebook/porn-u-like friends, libellous letters to your boss, medical history, etc) to the outside world? And it doesn’t really matter if the whole /usr/home/eric_the_fruitbat directory gets blown away, because The System Is Intact.
I mean, at least this guy gets it. Mostly.
The rest is quite a jolly read. It basically consists of “Yeah, it’s just as easy to avoid security problems on Windows” (he even includes a link to do so, which I seriously think is admirable), plus a lot of crap about how rwxrwxrwx and sudo is all you would ever need.
I recommend it as an example of somebody who is smart enough to understand that something is horribly wrong, and yet cannot admit that he is not provided with either the tools or the support to deal with something that is horribly wrong, but is doing his best not to allow those obvious facts to stop him from enjoying Ubuntu.
At least, I assume he is enjoying Ubuntu. With all the network ports turned off. And a cryptic eight-character low-entropy UTF-8 password that he can’t remember and which would have no effect on an attack over the network in his “Happy 15 Minutes” sudo session. And not downloading any .deb file without checking the signature, which (as Ian points out) tells you nothing at all about how secure the package is. (It’s practically an invitation to Man-In-The-Middle attacks.) And not letting friends use his computer, lest they mittengruben all over the One True Kernel (Son of Gnu).
I mean, that sounds like a lot of fun.
Happy paranoia, FOSStards!
—————————-
And the really sad thing is that I only noticed this (pretty reasonable, but almost totally useless) post when I checked this
———————————
As a postscript, I used to work for Visa (a trillion dollar a year business). I was an Insider. And, well, what with being a software engineer and all, we swapped stories and tried to imagine how to bust Visa for a few million — purely as an intellectual exercise, you understand. We never quite came up with the “rounding fractions of a penny down” scam, but we came close.
Leveraging this experience, may I point out that a nasty evil attacker of a Linux system doesn’t need to install a rootkit directly?
All this “we don’t care about what happens in user space” nonsense? I sort of lied up there. No sane attacker is going to wipe out your home directory.
What they will do is to insert a whole bunch of invisible config files starting with a dot. Almost as an afterthought, they’ll make tiny alterations to your .bashrc file and your .bash_profile file. Some of these alterations will add aliases (nice things, aliases) to map trivial little commands (well, they’re only two letters) like ls to something else entirely. Which, on Linux, will probably live under /sys/usr/bin, or some such bollocks.
I’m prepared to wait around for this.
We all know that Linux users are inherently smart. So 99% of them will notice these trap-doors before they spring.
1% will be otherwise occupied (I leave this to your imagination). At some point, somebody is going to sudo without the '-' ... an honest mistake. And then they’re going to ls. And then all Hell breaks loose.
Damn, but that’s SecureByDesign™.
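A defensive check for the dotfile tampering described above, as an added example that is not part of the original post: it scans bash startup files for aliases or shell functions that redefine common commands (functions go slightly beyond the aliases the post mentions). The watched-command list, the file list and the sample lines are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumed audit scope: startup files bash reads, and commands worth watching.
RC_FILES = (".bashrc", ".bash_profile", ".bash_login", ".profile", ".bash_aliases")
WATCHED = {"ls", "cd", "cat", "cp", "rm", "su", "sudo", "ssh", "ps", "id", "passwd"}
ALIAS_LINE = re.compile(r"^\s*alias\s+(.*)$")
ALIAS_DEF = re.compile(r"""([\w.+-]+)=('[^']*'|"[^"]*"|\S*)""")
FUNC_DEF = re.compile(r"^\s*(?:function\s+)?([\w.+-]+)\s*\(\s*\)")
CHAINING = re.compile(r"[;|&`]|\$\(")

def audit_text(text, source="<text>"):
    """Return (source, line_no, command, reason) for each suspicious definition."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = ALIAS_LINE.match(line)
        if m:  # one alias line may define several aliases
            for name, value in ALIAS_DEF.findall(m.group(1)):
                target = value.strip("'\"")
                # Benign case: the alias only adds options to the same command.
                if name in WATCHED and target.split()[:1] != [name]:
                    findings.append((source, no, name, "alias runs another program: " + target))
                elif name in WATCHED and CHAINING.search(target):
                    findings.append((source, no, name, "alias chains extra commands: " + target))
            continue
        m = FUNC_DEF.match(line)
        if m and m.group(1) in WATCHED:
            findings.append((source, no, m.group(1), "shell function shadows the command"))
    return findings

def audit_home(home):
    """Audit every bash startup file that exists under one home directory."""
    findings = []
    for name in RC_FILES:
        path = Path(home) / name
        if path.is_file():
            findings += audit_text(path.read_text(errors="replace"), str(path))
    return findings

# Constructed sample: harmless aliases first, then two tampered definitions.
SAMPLE = """\
alias ll='ls -l' ls='ls --color=auto'
alias ls='/tmp/.cache/ls'   # hypothetical planted path
sudo() { /tmp/.cache/helper "$@"; }
"""

if __name__ == "__main__":
    for finding in audit_text(SAMPLE, "sample") + audit_home(Path.home()):
        print(finding)
```

An alias that points a watched command at an absolute path is reported even when the path is legitimate, so treat the output as a review list and compare it against a known-good copy of the files.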

