DistroWatch Weekly
DistroWatch Weekly, Issue 321, 21 September 2009
Welcome to this year's 38th issue of DistroWatch Weekly! Computer security has been a hot topic of discussion on these pages in recent weeks. As a result, Caitlyn Martin has embarked upon writing a series of articles covering the basics of computer and Internet security, starting today with part one - user authentication. In the news section, the openSUSE user community launches an initiative to build an enterprise-level distribution with long-term security support, Mark Shuttleworth announces the code name for Ubuntu 10.04, Clement Lefebvre reveals some early information about the improvements in Linux Mint 8 "Helena", and OpenBSD delays the planned October release by a month over a CD manufacturing error. Finally, don't miss the New Distributions section which includes some interesting new additions to the waiting list, including a new Slackware-based desktop distribution called Salix OS. Happy reading!
Listen to the Podcast edition of this week's DistroWatch Weekly in OGG (40MB) and MP3 (38MB) formats
Join us at irc.freenode.net #distrowatch
Feature Story (by Caitlyn Martin)
Linux Security Basics, Part 1: Authentication
There have been a number of discussions, some of them fairly heated, about system security in the comments section of DistroWatch Weekly (DWW) over the last couple of months. Some have even argued against what most would consider basic Linux security. As a result I received a number of requests to write an article covering Linux security basics, complete with references. There are, of course, entire books written on Linux security and as I began writing, it became clear that one article just wouldn't do the subject justice. Consider this week's feature to be a starting point for a small, intermittent series of articles about Linux security.
I have limited the scope of this article and any future DistroWatch features on security to what makes sense to the home or small office user or, in other words, environments with just a handful of systems and users. Most of what follows can be applied to BSD, OpenSolaris, or indeed any UNIX or UNIX-like operating system, though the file names, specific commands and syntax may be somewhat different. To keep things simple I'm going to stick with Linux systems.
Before I get into describing basic Linux authentication, the recent discussions made it abundantly clear that I need to first define what I mean by security. I also have to answer the most basic question, which is why we need to bother with security at all. Some DWW readers claim to have all but ignored security without a single problem for many years. Those claims are undoubtedly true. That doesn't mean the potential for real problems isn't present. Kurt Seifried, in his Linux Administrator's Security Guide, writes: "You only need to make one mistake or leave one flaw available for an attacker to get in. This, of course, means that most sites will eventually be broken into." He adds: "All technical security measures will eventually fail or be vulnerable to an attacker. This is why you must have multiple layers of protection."
The book, Practical UNIX and Internet Security, gives a very simple, straightforward definition of security: "A computer is secure if you can depend on it and its software to behave as you expect." There are many more technical and detailed definitions out there but that one line really does sum it up. If someone makes uninvited use of your system(s) for their own purposes without your consent, that definition is no longer met. Uninvited use can be by a friend or family member who means no harm, a co-worker, or a stranger halfway around the world.
When I talk about security, one of the questions I am frequently asked is why anyone would want to target a home or small business system. Last week Linux Pro Magazine Online published a report describing some 100 poorly secured Linux servers in Russia used as part of a botnet to distribute malware to Windows systems. Keep in mind that many home desktop systems are more powerful than servers of just a few years ago. When you combine the horsepower in today's hardware with the persistent high-speed broadband connections many of us now enjoy, you can see how almost any system can be an inviting target.
Accounts and passwords
The first and simplest line of defense is a password. In his book, Securing & Optimizing Linux: The Ultimate Solution, Gerhard Mourani writes: "Many people keep their valuable information and files on a computer, and the only thing preventing others from seeing it is the eight-character string called a password. An unbreakable password, contrary to popular belief, does not exist. Given time and resources all passwords can be guessed either by social engineering or brute force." Some Linux users go even farther, running distributions which have either no password or a well-known and published password on a privileged or root account. This is tantamount to putting out a welcome mat for anyone and everyone who wishes to access your system provided they have physical access. A vulnerability in a service which communicates across the Internet can effectively leave such a system open to literally anyone who is aware of both the flaw and the password. Kurt Seifried, writing about insecure defaults of all sorts, not just passwords, states: "This is one of the problems that have caused no end of security problems since day one."
Mourani lists four basic rules for a good password. Three of them apply even to home and SOHO systems:
- They should be at least six characters in length, preferably eight characters, with at least one numeral and one special character.
- They must not be trivial; a trivial password is one that is easy to guess and is usually based on the user's name, family, occupation, or some other personal characteristic.
- They should have an aging period, requiring a new password to be chosen within a specific time frame.
Every major Linux distribution has tools to enforce strong passwords and password aging. Many users don't use them because a long, non-trivial password which changes periodically is inconvenient. Security, by nature, is inconvenient. It is up to each of us to decide how much inconvenience is worth putting up with to have a secure system.
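The first two of Mourani's rules (length with a numeral and a special character, and "not trivial") can be turned into a small checker. The following is an added example for this article, not code from Mourani's book or from any distribution's password tools; the list of trivial base words and the sample user details are constructed for the example, where a real deployment would consult a dictionary such as the one CrackLib ships.

```python
import string

# Added example: a checker for the password rules quoted above.
# TRIVIAL_WORDS is a constructed stand-in for a real cracking dictionary.
SPECIAL_CHARS = set(string.punctuation)
TRIVIAL_WORDS = {"password", "passwd", "qwerty", "letmein", "welcome", "admin", "linux"}


def _letters_only(text):
    """Strip digits and punctuation so 'Password1!' and 'password' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def check_password(password, personal_terms=(), min_len=8):
    """Return the list of rules the password violates (empty list = acceptable).

    personal_terms are strings tied to the user (login name, family names,
    occupation); a password built around any of them is 'trivial' in
    Mourani's sense.  min_len defaults to the 'preferably eight' figure.
    """
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not any(ch.isdigit() for ch in password):
        problems.append("no numeral")
    if not any(ch in SPECIAL_CHARS for ch in password):
        problems.append("no special character")

    core = _letters_only(password)
    if core in TRIVIAL_WORDS:
        problems.append("based on the common word '%s'" % core)
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in password.lower():
            problems.append("based on personal term '%s'" % t)
    return problems


def is_acceptable(password, personal_terms=(), min_len=8):
    """True when check_password finds nothing to object to."""
    return not check_password(password, personal_terms, min_len)


if __name__ == "__main__":
    # Constructed sample user: login 'alice', surname 'smith', works as a nurse.
    terms = ["alice", "smith", "nurse"]
    for candidate in ["alice", "Password1!", "nurse2009#", "Tq7!mR9&pLx"]:
        print("%-14s %s" % (candidate, check_password(candidate, terms) or "ok"))
```

The personal-term check is the one most tools skip: "nurse2009#" satisfies length, digit and punctuation requirements and would pass a purely character-class policy, yet it is exactly the kind of guessable password the second rule warns about.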
The root account (a.k.a. the superuser account) is the one account on each and every *nix system which generally has absolutely no restrictions placed on it. Root can do anything. For this reason it is generally recommended not to log in and run as root unless it's absolutely necessary.
The first person not running as root protects you from is yourself. I did six weeks of work for a local bank prior to a merger. One of their professional system administrators, a man with years of experience, wrote a script to clean up old files on a server. For obvious reasons it had to run as root. He made a minor syntax error in the script which caused it to run from the root file system rather than one of the file systems where it was supposed to run. To make matters worse he ignored the proper change control procedures because he thought this was trivial maintenance. The script ran overnight and dutifully began removing large parts of the operating system that were older than the date set in his script, effectively wiping out a production server. The point of the story is that even seasoned professionals make mistakes, sometimes with disastrous consequences. If you're running as root you can easily, accidentally do damage to your system without warning. This is why some Linux distributions, e.g. Ubuntu, don't permit root logins by default.
It should go without saying that strong password rules should be applied to the root account first and foremost. If remote root access is permitted, either by design or because of a security vulnerability, a strong password may delay an intrusion long enough to be detected and prevented. There have also been a number of Internet applications, including web browsers, which have had vulnerabilities that effectively allow remote access as the user running the application. If that user is root these security flaws become far more dangerous. This is why some Linux applications have very tersely worded warnings about running them as root.
Every Linux distribution, even the most minimal, has tools to allow the temporary granting of root privileges to an ordinary user. The most common are su, short for "switch user", and sudo, short for "superuser do". The sudo command offers the ability to log what you are doing as root. It also provides the simplest means for doling out a subset of root privileges to someone who needs to do specific tasks which require root privileges but does not need full and absolute control of a system, making it ideal for small business networks. A detailed HOWTO covering both su and sudo will be coming to DWW soon.
Basic Linux authentication: how it works
On any modern Linux system there are three files that provide the most basic level of authentication for the local system:
Every user on the system has a unique user ID (UID), a number, associated with their username. (NOTE: It is possible to assign two usernames to a single UID, effectively creating a single account with two names which can be used to login.) Each user belongs to at least one group of users and each group has a unique group ID (GID) associated with the group name.
The /etc/passwd file is a plain text file. It can be edited with any text editor run as root. It contains seven fields for each user, separated by colons:
- the username
- a lowercase x (usually)
- the user ID (UID)
- the user's default group
- the user's full name and, optionally, additional plain text info about the user
- the user's home directory
- the user's default shell
The default shell is particularly important for system accounts. Many system tools and some applications require their own user account to run properly. However, you wouldn't want someone to actually be able to login as that task. In this case a dummy shell, typically /bin/false, is used. If there is no valid shell the user can't login.
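The seven fields are easy to parse, and doing so lets you check the points made above: the "x" in the second field means the hash lives in /etc/shadow rather than here, a system account should carry a dummy shell, and two names can share one UID. The following parser and audit is an added example for this article, not the article's own code or any distribution's tool; SAMPLE_PASSWD is constructed, and the boundary of the reserved system-UID range (999) is an assumption, since distributions differ.

```python
from collections import defaultdict

# Added example: parse /etc/passwd records and flag the situations the text
# describes.  SAMPLE_PASSWD is a constructed file, not taken from a real system.
FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice Smith,,,:/home/alice:/bin/bash
toor:x:0:0:second name for uid 0:/root:/bin/bash
legacy::1001:1001:account with empty password field:/home/legacy:/bin/bash
"""


def parse_passwd(text):
    """Return one dict per account, keyed by the seven field names."""
    accounts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(parts)))
        acct = dict(zip(FIELDS, parts))
        acct["uid"] = int(acct["uid"])
        acct["gid"] = int(acct["gid"])
        accounts.append(acct)
    return accounts


def audit_passwd(accounts, system_uid_max=999):
    """Return human-readable findings.

    system_uid_max is the assumed top of the reserved system-account UID range.
    """
    findings = []
    names_by_uid = defaultdict(list)
    for acct in accounts:
        names_by_uid[acct["uid"]].append(acct["name"])
        if acct["password"] == "":
            findings.append("%s: empty password field" % acct["name"])
        elif acct["password"] != "x":
            findings.append("%s: password field is not 'x', so the hash is not shadowed" % acct["name"])
        # root (uid 0) legitimately keeps a real shell; other low UIDs should not.
        is_system = 0 < acct["uid"] <= system_uid_max
        if is_system and acct["shell"] not in NOLOGIN_SHELLS:
            findings.append("%s: system account can log in with shell %s" % (acct["name"], acct["shell"]))
    for uid, names in names_by_uid.items():
        if len(names) > 1:
            findings.append("uid %d is shared by %s" % (uid, ", ".join(names)))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

On a real system the same audit runs over the contents of /etc/passwd; a second name on UID 0, as with "toor" in the sample, is a second root account and deserves the same password discipline as the first.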
In the dim and distant past the /etc/passwd file also contained the users' passwords in plain text. As networks grew it became clear that some sort of secure way of storing passwords that wasn't human readable was an absolute must and, as usual, it was a security incident that convinced someone of the need. In 1987 Julianne Haugh experienced a break-in and wrote the original Shadow Password Suite, which originally contained the login, passwd, and su commands. Shadow passwords have been included in Linux since 1992 and the suite has grown to 30 commands.
The basic concept of shadowing is easy to understand. I'll quote Seifried again: "For many years the solution has been quite simple and effective, simply hash the passwords, and store the hash, when a user needs to authenticate take the password they enter it, hash it, and if it matches then it was obviously the same password." Over time the computing power grew and it became easier to crack even hashed passwords so Linux and other UNIX systems moved to stronger encryption systems, most commonly MD5. In addition to the username and hashed password, /etc/shadow also contains password aging information.
Using chage to set up password aging
All the major Linux distributions have graphical tools which front-end the Shadow Password Suite. However, if you're running a more minimal distribution or if you'd like to manage password aging from the command line on an existing account, the easiest way to do it is with the chage command. At its simplest you can set the maximum number of days a password stays valid, after which it must be changed, using the -M option. For example, if I want to force a user (yes, even myself) to change their password every 90 days I can do it with the command:
chage -M 90 user
where "user" is replaced with the actual user name. It's a lot friendlier to also set a warning with the -W option. Let's say I wanted a 5-day warning before the password actually expires. The command would then be:
chage -M 90 -W 5 user
Any user can check when their password expires with the command:
chage -l user
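What chage reads and writes are the aging fields of /etc/shadow: the day of the last password change (counted from 1 January 1970), then the minimum, maximum and warning day counts that -m, -M and -W set. The following is an added example for this article, not code from the Shadow Password Suite; it parses those records and derives the same state that chage -l reports. SAMPLE_SHADOW and TODAY are constructed for the example and the hash values are placeholders, not real digests.

```python
from datetime import date, timedelta

# Added example: derive password-aging state from /etc/shadow records.
# Field 3 is days since 1970-01-01; fields 4-6 are min, max and warn days.
EPOCH = date(1970, 1, 1)
TODAY = date(2009, 9, 21)          # constructed "current date" for the sample
FIELDS = ("name", "hash", "last_change", "min_days", "max_days",
          "warn_days", "inactive_days", "expire_day", "reserved")

# Constructed records; the hashes are placeholders.  alice changed her password
# 28 days ago, bob 108 days ago, carol 87 days ago, all with a 90-day maximum.
SAMPLE_SHADOW = """\
root:$1$saltsalt$PLACEHOLDERHASH:14500:0:99999:7:::
alice:$1$saltsalt$PLACEHOLDERHASH:14480:0:90:5:::
bob:$1$saltsalt$PLACEHOLDERHASH:14400:0:90:5:::
carol:$1$saltsalt$PLACEHOLDERHASH:14421:0:90:5:::
daemon:*:14500:0:99999:7:::
legacy:!$1$saltsalt$PLACEHOLDERHASH:14000:0:90:5:::
"""


def parse_shadow(text):
    """Return one dict per record; empty numeric fields become None."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 9:
            raise ValueError("line %d: expected 9 fields, got %d" % (lineno, len(parts)))
        rec = dict(zip(FIELDS, parts))
        for key in FIELDS[2:8]:
            rec[key] = int(rec[key]) if rec[key] else None
        records.append(rec)
    return records


def aging_status(rec, today=TODAY):
    """Classify an account as chage -l would.

    Returns (state, days_left); days_left is negative once the password has
    expired and None when no expiry date applies.
    """
    # A leading '!' or '*' in the hash field means the password is locked.
    if rec["hash"].startswith(("!", "*")):
        return ("locked", None)
    # An empty last-change field disables aging; 0 forces a change at next login.
    if rec["last_change"] is None:
        return ("no-aging", None)
    if rec["last_change"] == 0:
        return ("must-change", 0)
    # chage prints "never" when no maximum is set or it is the 99999 default.
    if rec["max_days"] is None or rec["max_days"] >= 99999:
        return ("no-aging", None)
    changed = EPOCH + timedelta(days=rec["last_change"])
    expires = changed + timedelta(days=rec["max_days"])
    days_left = (expires - today).days
    if days_left < 0:
        return ("expired", days_left)
    if days_left <= (rec["warn_days"] or 0):
        return ("warning", days_left)
    return ("ok", days_left)


def report(records, today=TODAY):
    """Map each login name to its aging state, for a quick audit of a whole file."""
    return {rec["name"]: aging_status(rec, today)[0] for rec in records}


if __name__ == "__main__":
    for rec in parse_shadow(SAMPLE_SHADOW):
        state, days_left = aging_status(rec)
        detail = "" if days_left is None else "%d day(s)" % days_left
        print("%-8s %-11s %s" % (rec["name"], state, detail))
```

With the sample, alice is fine for another 62 days, carol is inside the 5-day warning window that -W 5 sets, and bob's password expired 18 days ago; the two system accounts are locked and root has no aging at all, which is what the 99999 maximum means.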
Pluggable Authentication Modules (PAM)
PAM is something that mostly applies to larger networks but since it is enabled by default as part of the authentication process on many major Linux distributions, it deserves a mention here. On larger networks there are a number of systems (NIS, NIS+ and LDAP, for example) that are used to allow a user to use one account to log onto many systems. There are also more advanced security systems which allow passwords to be changed minute by minute. In many enterprise networks someone who needs access to secure systems is issued a key fob with a small LCD or LED screen which displays the password of the moment. What PAM does is allow administrators to set up rules for how each type of authentication is handled and allows multiple authentication methods to be used and managed in one place. An example of a rule may be one which allows a class of users to only login during certain hours.
OK, so what does this have to do with a home user? Well, if you're running Debian GNU/Linux, Red Hat/Fedora, SUSE Linux Enterprise or many of the distros based on one of those three, then PAM is enabled by default on your system and it certainly is possible for you to use it to set up rules for given systems in even a small network. Slackware, on the other hand, doesn't include PAM at all, though some Slackware derivatives, notably Zenwalk Linux, do. A slightly dated PAM manual from Red Hat can be found here.
One good use for PAM on home or small business networks is strong password enforcement. PAM includes a module which uses CrackLib to determine if a password is "strong enough". What "strong enough" means on your system(s) is entirely configurable. Some distributions, including Red Hat Enterprise Linux and its clones, including Oracle Enterprise Linux, CentOS and Scientific Linux, enable the pam-cracklib module by default.
In upcoming parts of this series we'll look at basic steps you can take to keep your server secure by limiting which services are running and access to services that need to run. We'll look at network ports, how to tell which are open and which are closed, and how to close ones which aren't needed. We'll look at Linux file system security, covering everything from permissions to encryption. We'll look at the firewall included in the Linux kernel and how to use it and, as promised, we'll cover how to dole out root privileges safely. Finally, we'll end with a primer on system logs and how to determine if you've had an unwanted visitor.
Miscellaneous News (by Chris Smart)
openSUSE community ponders a CentOS-like enterprise distribution, Ubuntu announces code name for 10.04, Linux Mint hints at improvements in "Helena", OpenBSD delays release over CD manufacturing fault
Leading the news this week is a story about plans among the community to create a long-term supported variant of openSUSE, specifically with servers in mind. Recently Novell announced that it has shortened the support life of the distro further, from two years down to just eighteen months. This might help to ease the workload for Novell employees, but it means more work for end users, who will now need to upgrade more often. Commercial offerings from the company are, on the other hand, maintained and supported for five to seven years, but will small businesses switch from the free openSUSE to costly SLES with support contracts? Boyd Lynn Gerber doesn't necessarily think so and suggested a number of options to combat this problem. Two such options would be to extend support for openSUSE products, in effect creating an openSUSE LTS edition, or to create a new fork based entirely on the SLES source code, à la openSLES. The latter idea would be similar to CentOS, which builds a new binary distro from the source code of Red Hat Enterprise Linux. Would such a distro be of interest to the wider community and would it help or hinder Novell?
Elsewhere in openSUSE land, TuxRadar has published an interview with the project's Program Manager, Andreas Jaeger. The team discusses the distro's new eight-month release cycle and asks Jaeger what his favourite features are in the upcoming 11.2 release. A web interface for YaST is one such feature which might see an introduction shortly. He writes: "WebYAST is AJAXy. It's still in its infancy... We might use one or two of its modules in 11.2." TuxRadar also asked whether we might see Con Kolivas' new scheduler in openSUSE, to which Jaeger replied: "Instead of a subjective feeling that it's better, get some numbers to see. And if it's good, we have the openSUSE Build Service - anyone can take our kernel and apply a patch on top of it. But at the moment it's too experimental and unknown." He also discusses the move to KDE as the default desktop, remix versions of the distro thanks to SUSE Studio, working more closely with Red Hat to create more portable RPM files, and more.
* * * * *
It's time again to find out what the Ubuntu +1 release (version 10.04) will be called. According to this blog post by Lisa Hoover, Ubuntu founder Mark Shuttleworth made the announcement at the Atlanta Linux Fest, revealing that the code name of Ubuntu 10.04 will be "Lucid Lynx" (here is the video announcing the new name). The upcoming 9.10 release will be, of course, "Karmic Koala", which builds further on the distro's technology, especially in the cloud. The first version for 2010 will be a long-term support (LTS) release, which are generally less cutting-edge. It's good timing because what Ubuntu needs now is more polish. The One Hundred Paper Cuts project is doing a great job sorting out these small niggling issues, but to compete with Apple's OS X for consumers' money (one of Mark Shuttleworth's primary goals for the distro) it still needs work. The release, therefore, is aptly named, as it will hopefully indeed be lucid - easily understood and completely intelligible. If Canonical can get it right, it might be the final push companies need to ditch Windows and put Ubuntu on their mainstream consumer products.
* * * * *
The founder of Linux Mint, Clement Lefebvre, has posted an update on what he's been working on recently. He walks through some changes for the upcoming "Helena" release, including the renaming of various Mint tools to more useful names, such as "Software Manager" over "mintInstall." He also cites improvements to installing and removing packages: "When an application is listed, mintInstall now queries APT to find out whether it's installed on the system and what versions are installed and/or available. This process is almost immediate and doesn't impact the responsiveness. This basically means that, looking at an application, you'll be able to see if it's already installed or not, you'll be able to see its version and you'll be able to install it but also to remove it from mintInstall." The refresh button is also being removed in order to ease the load on Linux Mint servers and some improvements to the interface are coming, including optimisation for the smaller screen size on netbooks.
* * * * *
Finally, it looks like the next release of OpenBSD will be delayed by one month. Theo de Raadt, the project's founder and lead developer, says that the reason for the delay is a problem with CD manufacturing at a third-party manufacturing facility: "They have had serious CD production problems. Because everything in CD manufacturing is so ridiculously outsourced, all I know is that the plant which was used this time (Q Media Services Corporation in Vancouver) has made about six faulty CD pressings in a row." Hopefully there will not be any further delays as the tree was frozen rather early and large numbers of OpenBSD fans have pre-ordered discs. It can be painful waiting for the new version of your favourite operating system to arrive, but no doubt it is better to receive belated media which work, rather than some which are timely but faulty!
Released Last Week
SystemRescueCd 1.3.0
François Dupoux has released SystemRescueCd 1.3.0, a Gentoo-based live CD designed for administering or repairing an operating system and data after a crash. What's new in version 1.3.0? "Updated the standard kernels to Linux kernel 2.6.31; updated FSArchiver to 0.5.9 (better NTFS support); updated NTFS-3G to version 2009.4.4 AR17 (NTFS-3G advanced release); updated e2fsprogs to 1.41.9 (ext2, ext3, ext4 file system tools); Linux kernel 2.6.31 and btrfs-progs 0.19 are using a new btrfs format; added gdisk 0.3.1 (gdisk is a GPT partition table manipulator); updated the Xfce desktop environment to version 4.6.1; updated Python to version 2.6.2; updated Mozilla Firefox to version 3.5.2." Read the complete changelog for further details.
Oracle Enterprise Linux 5 Update 4
Oracle has announced the release of Oracle Enterprise Linux 5 Update 4, an enterprise-level distribution based on Red Hat Enterprise Linux 5.4: "Oracle is pleased to announce the general availability of Enterprise Linux Release 5 Update 4 for x86 (32-bit) and x86_64 (64-bit) architectures. This update includes the following kernel/driver changes: bug fixes added by Oracle - check to see if hypervisor supports memory reservation change, add Entropy support to IGB, add Xen pv/bonding netconsole support, shrink zone patch, fix aacraid not to reset during kexec, fix failure of file creation from hpux client; fixes and additions from the upstream distribution provider - a new tunable parameter has been added to the kernel, allowing system administrators to change the maximum number of modified pages kupdate writes to disk...." Read the rest of the release announcement for a complete technical changelog.
Ojuba 3
Muayyad Al-Sadi has announced the release of Ojuba 3, a Fedora-based distribution with Islamic utilities and support for Arabic: "We are proud to announce the release of Ojuba 3. This release comes in two forms: a live DVD/USB and an installation DVD which can be used to upgrade from a previous release. The installation DVD contains packages and serves as a repository for offline installation of packages. It includes GNOME 2.26, KDE 4.3.1, Xfce 4.6.1, LXDE. Features: Ojuba control center, original artwork, Quran browser and Thwab library, many Arabic and Islamic books like Sunan and classical dictionaries, prayer time reminder, Monajat supplications, Hijri calendar, Sun JRE, multimedia support, mlterm with support for Arabic. This release is based on Fedora 11 and it includes fast boot, ext4 support, fingerprint login...." Here is the full release announcement with several screenshots.
Ojuba 3 - a Fedora-based distribution with complete support for Arabic
(full image size: 708kB, screen resolution 1280x800 pixels)
DragonFly BSD 2.4
Matthew Dillon has announced the release of DragonFly BSD 2.4, a general-purpose operating system originally forked from FreeBSD 4.x: "The DragonFly 2.4 release is here! Three release options are now available: a bare-bones CD image, a DVD image which includes a fully operational X environment, and a bare-bones bootable USB disk-key image. In addition we will for the first time be shipping a 64-bit ISO image. 64-bit support is stable but there will only be limited 'pkgsrc' support in this release. DragonFly BSD 2.4 is a bigger release than normal. The single most invasive change is the introduction of DEVFS. The /dev file system is now mounted by the kernel after it mounts the root file system. All major and minor numbers have changed and the old /dev is no longer meaningful." Read the detailed release announcement for a complete list of changes and upgrade notes.
Puppy Linux 4.3
Barry Kauler has announced the release of Puppy Linux 4.3: "Puppy Linux version 4.3 released. Highlights: Linux kernel 22.214.171.124 configured for SMP (multi-processor) systems, with support for the ext4 file system and patched for Aufs2; Internet by dial-up - the kernel has drivers for many modems, including Agere, ESS, Lucent, Conexant, SmartLink, PCTEL and Intel chipsets; Pstreamvid - a great GUI for playing Internet TV; JWM theme maker; Psync - synchronises the clock to an Internet time server; SQLiteManager - a front-end for SQLite and an add-on to SeaMonkey; Hiawatha - a very small and extremely secure web server to serve CUPS, PPLOG and QUISP pages; a screenshot utility based on mtPaint, but with a very basic GUI; Pmirrorget for downloading a complete web site...." Read the detailed release announcement for a complete list of changes and new features.
Puppy Linux 4.3 - a major update of the popular mini-distribution
(full image size: 680kB, screen resolution 1280x1024 pixels)
Parted Magic 4.5
Patrick Verner has released Parted Magic 4.5, a small Linux live CD designed primarily as a hard disk partitioning utility: "This new version of Parted Magic updates the graphical server X.Org, expands networking, improves RAM usage, and fixes some bugs. To combat some of the problems associated with the newer versions of X.Org and Intel chipsets, Parted Magic offers driver versions intel-2.4.1, intel-2.5.1, intel-2.6.3, intel-2.7.1 as boot options. There is a new PPPoE option added to the 'Start Network' program. RAM usage has been significantly reduced for the 'Default settings (Runs from RAM)' and 'Live with low RAM settings' boot options. The default option only requires 192 MB, from 256 MB in version 4.4, to completely run Parted Magic from RAM. The biggest gain was with the low RAM option because that now only requires 48 MB to run." Visit the project's home page to read the release announcement.
* * * * *
Development, unannounced and minor bug-fix releases
Upcoming Releases and Announcements
Summary of expected upcoming releases
New distributions added to database
- eBox Platform. eBox Platform is a unified network server that offers easy and efficient computer network administration for small and medium-size businesses. It can act as a gateway, an infrastructure manager, a unified threat manager, an office server, a unified communication server or a combination of them. These functionalities are tightly integrated, automating most tasks, avoiding mistakes and saving time for system administrators. eBox Platform is released under the GNU General Public License (GPL) and runs on top of Ubuntu.
* * * * *
New distributions added to waiting list
* * * * *
DistroWatch database summary
* * * * *
And this concludes the latest issue of DistroWatch Weekly. The next instalment will be published on Monday, 28 September 2009.
Caitlyn Martin, Chris Smart and Ladislav Bodnar
Reader Comments
1 • No subject (by forest on 2009-09-21 08:03:52 GMT from United Kingdom)
Probably one of many but thanks very, very much, CM, for the starter article on security...no doubt I will have to re-read a few times before it sinks in tho'. And thanks also for the pointers to the books.
2 • Single Sign On authentication with Windows (by Folle on 2009-09-21 08:31:05 GMT from Philippines)
One thing I'd love to see tackled (and created as a distribution?) is Single Sign On, perhaps based on OpenLDAP, and where the entire distribution bases its authentication against it. Something that's easy to setup and that could maybe be integrated with Windows as well (using pGina).
Single Sign On is one of the pleasures of Active Directory, and one I'd love to see replaced by a Linux solution.
3 • No subject (by Felix Pleşoianu on 2009-09-21 08:38:06 GMT from Romania)
Always nice to read something different on Distrowatch Weekly. Good issue! Can't wait to read more articles on security.
4 • Linux Security Basics (by AU on 2009-09-21 08:46:47 GMT from Germany)
Good to see an article about basic security. Security is important.
Unfortunately this article is not very accurate. I would not trust the information in it, but only use it as a starting point for further reading.
"A computer is secure if you can depend on it and its software to behave as you expect."
That definition is ridiculous. A rootkit or keylogger do not make a computer or its software behave any different than expected.
"If someone makes uninvited use of your system(s) for their own purposes without your consent, that definition is no longer met."
This makes no sense at all.
"The most common are su, short for superuser,"
As far as I know su is short for 'substitute user ID', not 'superuser'. Su can be used to change to other users than root.
"In the dim and distant past the /etc/passwd file also contained the users' passwords in plain text. [...] Shadow passwords have been included in Linux since 1992 and the suite has grown to 30 commands."
I don't know if this is true, but there were password hashes in /etc/passwd before they were moved to /etc/shadow. Maybe you should distinguish between the two concepts (using hashes and restricting access to the passwords/hashes).
"Over time the computing power grew and it became easier to crack even hashed passwords so Linux and other UNIX systems moved to stronger encryption systems, most commonly MD5."
MD5 is not an encryption system. It is a cryptographic hash function.
Anyway, I am looking forward to the next security article.
5 • ChromeOS (by afonic on 2009-09-21 09:01:41 GMT from Greece)
I think it should be noted that Chrome OS mentioned in DWW has nothing to do with the upcoming Google's operating system and violates Google's copyrights pretty badly.
6 • No subject (by forest on 2009-09-21 09:23:35 GMT from United Kingdom)
...I'm confused already...LOL. Ok AU, perhaps YOU might care to shed some light on security issues...what text books would YOU suggest? This is not a dig btw, I find there are so many tomes on Linux it's tricky to know which is worth buying/reading.
[Thinking aloud...I sincerely hope we are not going to get a he said/she said argument going...]
7 • Re #2: Single Sign On (by vincent on 2009-09-21 09:26:46 GMT from Belgium)
Agree wholeheartedly. It is rather difficult to set up, not because of the lack of documentation, but because of the level of expertise one has to have before it can be set up, and then you still have to configure it... If a distribution would focus on SSO, then I think it would be interesting for home networks also, and not only for corporate networks.
8 • Security (by AU on 2009-09-21 10:18:31 GMT from Germany)
Oh, I am not a security expert. I did not read the linked books and guides, so I don't know if they are good or bad.
You do not really need to read a book, you need to know how certain things work. You can read the man pages and/or google for information if you encounter some mechanism you do not understand. The more you know about the system, the better you can judge its security.
For now you need to understand that Linux uses a system with 'users' and 'groups'. Access to files and processes is based on this. A list of users on the system is in the file /etc/passwd, a list of groups is in /etc/group and the passwords (hash values) are in /etc/shadow, which is only accessible to the root user.
If you are interested you can read about hashes here: http://en.wikipedia.org/wiki/Cryptographic_hash_function
9 • enforced password aging (by phoenix00 on 2009-09-21 10:29:06 GMT from Canada)
If you're in a multiuser environment it's usually not a good idea to make your users change passwords regularly -- they usually change it to something really "dumb" and guessable, usually out of frustration!
Best policy to follow (I know, it's hard....) is to set stringent password rules (as noted in the article), then force your users to remember it.
Been a DWW reader for a looong time. Keep up the good work!
10 • @ #4 (by Travis B. on 2009-09-21 10:35:59 GMT from United States)
#4, I thought the exact same thing (well, I just thought 'switch user', but semantics, semantics!), and went on investigating the answer. Wikipedia, giving me the disambiguation page of 'Su,' provided me with "superuser," however Su_(unix) provides substitute/switch user. I continued onto the coreutils documentation, and they list no definition for su. I guess it's up to interpretation, like the /etc directory.
@ #6 You can't be more true. I never know what is worth buying. So far I've made pretty good judgments, but I spend a few hours in a Barnes N' Nobles to be able to choose which is the best for a specific topic I'm looking for. Recommendations would be much easier. It's just too hard to tell what's going to be a good enough book for *NIX-y stuff.
11 • Thanks! (by Travis B on 2009-09-21 10:37:44 GMT from United States)
Sorry to post twice, meant to say in the first one-- thanks for a really good article! Security is always an interesting topic, albeit being important.
Great articles, I always love what you come up with each week-- it makes Mondays just a little easier to survive.
12 • No subject (by forest on 2009-09-21 11:24:46 GMT from United Kingdom)
Thanks for the heads up ref "hashes". I find the more you "think" you know the more you find there is rather more to learn...(in any walk of life/hobby, LOL).
Well, CM did a sort of micro bibliography (thanks). I have a couple of Keir Thomas's books but even tho' he is not a bad author in the least I find there is a huge amount of cross referencing to do and I find it so/too easy to get engrossed/sidetracked in some bit of arcania which had nothing to do with one's original research (blush).
Continuing with the latest Puppy offering from last week...having tried it out on my faster m/c, 3GHz, 2GB ram, performance was more than adequate, and apropos nothing at all, commercial DVDs just worked...however, I elected NOT to get online, just in case...
13 • openSLES (by AU on 2009-09-21 11:37:10 GMT from Germany)
Great to see that some people are trying to create a free SUSE enterprise OS. I really hope it will be a CentOS-equivalent for SUSE Linux Enterprise (openSLE). It certainly looks like a better idea than openSUSE LTS: less work and more stability and trust.
@Travis B (#10):
Interesting. Maybe we need a historian to find out. :)
Well, after searching a bit I found that su was originally supposed to mean super-user: http://roesler-ac.de/wolfram/acro/credits.htm#2
The next question is if it was 'officially' redefined when the new functions were added.
14 • On the use of sudo for the first user (by Mandriveiro on 2009-09-21 11:50:29 GMT from Spain)
Many distros use sudo instead of setting up a password for the root account.
I agree that even the most experienced professionals make mistakes, but the very same mistake will be made by using a root account or by granting superuser powers via sudo. Sorry, but your example to justify Ubuntu's policy is not convincing.
In my humble opinion, it is a security problem to let the first user use the command sudo to let the user grant superuser powers with the user's password, instead of using a different password (i.e. root password). For somebody at home, it won't be that dangerous, but for a server, that's another ball game!
15 • No subject (by BSD User at 2009-09-21 11:51:29 GMT from United States)
Very helpful site IMO.
16 • RE: 14 - Right string, wrong yo-yo. (by Eddie Wilson on 2009-09-21 12:01:00 GMT from United States)
I believe that the article was focusing on home use or very small business use so there will be no problem with sudo. If a person is worried, it can be changed. I have used distros that use su and sudo. I prefer sudo. That's just my opinion tho. :)
17 • forgot (by BSD User on 2009-09-21 12:07:34 GMT from United States)
I forgot for one link:
18 • Re: #9 passwords (by Andy Axnot on 2009-09-21 12:48:07 GMT from United States)
The idea of passwords is a great one, but who can remember/manage them all? I have dozens of password protected accounts at home and at work. It's just too much for most people when they have to change the passwords on a regular basis.
One place I worked recently (not IT) nine out of ten computers had Post-It notes with the user's password stuck on the monitor. And we all fairly quickly figured out just how much "change" to the password was needed at the required time limit for the password. And, to human eyes, this month's password looked a lot like last month's.
19 • Security (by Jesse on 2009-09-21 12:57:08 GMT from Anonymous Proxy)
With hot topics like security, there will always be differing points of opinion and nitpicking. The little things like the exact meaning of "su" or the difference between an encrypted password and a hash, don't really mean anything to most end users. I thought the article was well done and offers some good, solid tips.
I'd like to add three things.
1. If a person has physical access to the machine, they can do just about anything. If you don't trust people who can physically touch your PC, I recommend looking at disk encryption and off-site backups.
2. Long passwords can be a pain. Some places use pass phrases to make this easier. A pass phrase is really just a long password. Something like
It's long, complex and easy to remember.
3. Services such as OpenSSH tend to allow remote root login. This should be disabled. On most distros, this can be done by editing /etc/ssh/sshd_config and changing PermitRootLogin from "yes" to "no".
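The PermitRootLogin change above has two traps worth checking for: the line shipped in many distributions is "#PermitRootLogin yes", which is only a comment documenting the default and sets nothing, and sshd uses the first value it obtains for a keyword, so a "no" added below an existing "yes" is ignored. The following is an added example, not code from the comment thread or from OpenSSH; the two sshd_config excerpts are constructed, and the Match-block handling assumes only the global section is being audited.

```python
import re
from typing import Optional

# sshd_config(5): keywords are case-insensitive, a leading '#' starts a comment,
# and for most keywords the FIRST value sshd obtains is the one used. Lines after
# a "Match" line apply only to matching connections and override the global value.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")


def _global_directives(config_text: str):
    """Yield (line_index, keyword_lowercase, value) for active global directives."""
    for i, line in enumerate(config_text.splitlines()):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank or comment, e.g. "#PermitRootLogin yes"
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            return                        # everything after here is conditional
        yield i, key, value


def global_setting(config_text: str, keyword: str) -> Optional[str]:
    """Value sshd would use for `keyword` in the global section, or None if unset."""
    for _, key, value in _global_directives(config_text):
        if key == keyword.lower():
            return value                  # first obtained value wins
    return None


def set_permit_root_login(config_text: str, value: str = "no") -> str:
    """Return config text whose global effective PermitRootLogin is `value`.

    The first active global occurrence is rewritten (a later duplicate would be
    ignored by sshd anyway); if there is none, the directive is inserted at the
    top so that it precedes any Match block.
    """
    lines = config_text.splitlines()
    for i, key, _ in _global_directives(config_text):
        if key == "permitrootlogin":
            lines[i] = f"PermitRootLogin {value}"
            break
    else:
        lines.insert(0, f"PermitRootLogin {value}")
    return "\n".join(lines) + "\n"


# Constructed sshd_config excerpts (not from any real host).
COMMENTED_DEFAULT = """\
# the commented line only documents the compiled-in default; it sets nothing
#PermitRootLogin yes
Port 22
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""

DUPLICATED = """\
PermitRootLogin yes
Port 22
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("commented default", COMMENTED_DEFAULT), ("duplicated", DUPLICATED)):
        print(f"{name}: global PermitRootLogin = {global_setting(cfg, 'PermitRootLogin')}")
        hardened = set_permit_root_login(cfg)
        print(f"  after hardening: {global_setting(hardened, 'PermitRootLogin')}")
```

On a live host the authoritative check is the daemon's own view, `sshd -T | grep -i permitrootlogin`, which also resolves any Match blocks the parser above deliberately stops at.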
20 • Security definition and su (by AU on 2009-09-21 13:12:39 GMT from Germany)
Since I did not like the definition for security, maybe I should give an alternative:
I would define computer security as 'making sure that an attacker cannot access stuff he is not allowed to access (think stealing information/data, using resources etc.) and making sure that an attacker cannot break what he is not allowed to break (think deleting data, DOS attack)'.
@Travis B (#10):
Looks like you were right after all! The source file http://svn.debian.org/viewsvn/pkg-shadow/upstream/tags/126.96.36.199/src/su.c?revision=3046&view=markup contains the following comment:
* su - switch user id
* su changes the user's ids to the values for the specified user. if
* no new user name is specified, "root" or UID 0 is used by default.
* Any additional arguments are passed to the user's shell. In
* particular, the argument "-c" will cause the next argument to be
* interpreted as a command by the common shell programs.
So nowadays su means 'switch user id', at least for the su in the Shadow Password Suite that Caitlyn mentioned.
21 • A minor issue in Security Basics (by RealSlacker (C) on 2009-09-21 13:24:22 GMT from Russian Federation)
The article reads:
Any user can check when their password expires with the command:
This seems to be slightly wrong: according to `man chage', `chage' _always_ needs `user'. Thus, a proper way of running this command would be `chage -l user'. Note an ordinary user will only get a meaningful answer in case `chage' is set suid root.
22 • The reason I have not used BSD (by Eternally Noobish on 2009-09-21 13:59:56 GMT from United States)
Every time I've tried to install a BSD based distro it always requests the other disk to install the rest of the system. I then look for this mysterious disk but it doesn't seem to be available. What caused them to use a devil as a mascot anyway?
23 • Re:22 (by BSD User on 2009-09-21 14:15:37 GMT from United States)
Maybe the above link will help you.
24 • Passwords (by Albert Hall on 2009-09-21 14:22:35 GMT from United States)
With the technology out now passwords will soon be a thing of the past. Biometrics has advanced to the point where fingerprint scanners are quickly becoming the norm. The password system has never been a good system. The reason for this is that the only people who care about making complex passwords and changing them on a timely basis are sys admins and half (or more) of them don't do it.
25 • Security (by Supernatendo on 2009-09-21 14:57:42 GMT from United States)
This is exactly why I switched from running puppy on my 233MHz AMD K6 with 98MB RAM and a 3GB HDD to running VectorLinux.
I mean come on! Puppy and other small distros have no excuse to be running as root IMO. This isn't win98 people, very rarely will you actually NEED root access...
26 • Security (by AU on 2009-09-21 14:58:06 GMT from Germany)
"With hot topics like security, there will always be differing points of opinion and nitpicking. The little things like the exact meaning of "su" or the difference between an encrypted password and a hash, don't really mean anything to most end users."
If users do not care about it then the article should not mention it. If the author decides to mention it then the author should make sure the information is accurate. As it stands Caitlyn is providing misinformation.
By the way, I consider the difference between encryption and hashing quite important.
Maybe you are trying to be polite. I prefer to be honest. The article is vague, confusing and although it is limited in scope it contains a number of inaccuracies. Not a good guide to security. However, security is a good topic and the article serves its purpose as a starting point for some discussion.
@Albert Hall (#24):
Fingerprints have their own problems. People tend to leave behind their fingerprints everywhere they go. This makes it possible for an attacker to use a forged fingerprint.
27 • @4 (by Patrick on 2009-09-21 15:30:13 GMT from United States)
"A computer is secure if you can depend on it and its software to behave as you expect."
That definition is ridiculous. A rootkit or keylogger do not make a computer or its software behave any different than expected.
They don't? I sure don't expect my computer to be logging my key presses and send them to someone, or allow an unknown person to be able to log in to my computer. Do you?
28 • Re #4: A refutation (by Pearson on 2009-09-21 15:45:13 GMT from United States)
You claim that Ms. Martin's article is "not very accurate." And you point out inaccuracies that really have nothing to do with the intent of the article. A few minor, tangential, "inaccuracies" is not enough to title the article "not very accurate." You do her a disservice.
The definition of security that Ms. Martin uses, quoted from a technical publication, serves as a reasonable layman's definition. I don't believe she intended it to be precise, based on her mention of many more technical and detailed definitions. It becomes especially reasonable after her elaboration of "uninvited users".
Her definition of 'su' may be inaccurate (sources apparently differ), but that is really tangential to the article. To me, it's not different than mis-typing someone's name.
"Cryptographic hash system" vs. "Encryption": to me, the therms are highly related. I'm sure that there's a difference, but again, to the layman that difference is not relevant. As far as I am concerned, the "cryptographic hash" serves as a way to identify a password securely which sounds a lot like "encryption."
I won't argue the accuracy of the issues which you point out - I don't know enough to do so. I will argue against your statement that those inaccuracies make the article "not very accurate."
Pardon me if I come across too strong, but I get upset when I see an article picked to pieces, in a non-constructive manner, over relatively minor issues.
29 • No misinformation in the article (by Caitlyn Martin on 2009-09-21 15:53:48 GMT from United States)
AU: There is no misinformation in the article. In some cases you disagree and I can accept that. However, I can provide sources to back up everything you claim is wrong.
The security definition came from one of the classic UNIX security books: Practical UNIX and Internet Security, Second Edition. By Simson Garfinkel, Gene Spafford. Publisher: O'Reilly Media, 1996. The expertise of the authors is not in question. As I noted in the article I could have provided a more detailed technical description but I believe this covers it. In the examples you give, for example a rootkit, your system is no longer providing the controls you expect and has handed control off to someone else. It's hardly behaving as expected as you contend at that point. Just because it isn't necessarily obvious to the user that the system has been compromised doesn't mean that the definition is invalid. FWIW, Kurt Seifried lists that definition second among the list of many definitions he uses.
Your second item in dispute is also incorrect. The original implementation of passwd in the 1970s was in plain text. You are correct that hashed passwords in /etc/passwd was an interim step. I could have given a more detailed history but to claim that my information is incorrect is simply false. I also felt that going on endlessly about the evolution which led to shadowing was not the best use of column space. However, you are correct that the point of the /etc/shadow file (or /etc/master.password file on a BSD system) is to place hashes in a non-world readable file.
As noted by others I can find different definitions of su (what it's called) in different sources but not different definitions of what it does. You are splitting hairs here.
The only point you make that has any validity at all is the fact that I could have and probably should have been more precise in my description of MD5. It is a stronger cryptographic hash than what was previously used. Having said that, hashing is, in itself, a form of encryption. However, you are correct that it is not an encryption system in and of itself.
I agree with the characterization of your arguments as semantics. If you claim I am providing misinformation you are being neither polite nor honest.
30 • Correction (by Kenji on 2009-09-21 16:00:03 GMT from United States)
"The most common are su, short for superuser, and sudo, short for superuser do."
the 'su' command is short for 'switch user' or 'substitute user'.
'su' by itself defaults to root but you can switch users with 'su user_name'.
31 • #9, 19: Password aging, physical access, remote root logins (by Caitlyn Martin on 2009-09-21 16:11:07 GMT from United States)
#9: @phoenix00: Password aging is universally considered to be best practice among security professionals. Forcing someone to change their password every 90 or 180 days does not mean people will choose "dumb" passwords. If you use CrackLib, generally implemented through PAM, as I describe in the article the system effectively prevents "dumb" passwords. Typical rules include no dictionary words, no proper common names, no reusing of recent passwords, minimum of 6 characters, must use a number and/or a special character.
FWIW, I expire passwords at 120 days on my own systems which means I am now on my third set of passwords this year. All are strong passwords, 8-10 characters long. It takes me maybe a day to memorize them.
As I said in the article security is never convenient. It is, however, necessary.
#19: @Jesse: There are steps you can take to make things difficult for someone even if they have physical access, like encrypted and password protected file systems, password protecting the BIOS, and password protecting the boot manager. However, ultimately, you are correct that if someone can get at your system physically they can, sooner or later, do whatever they want. The main concern of the article and of future articles is security across a network. It doesn't matter if the network is a LAN, a WAN, wired, wireless, or the internet. There are steps you can take which help with all of the above.
Most distributions enable remote root logins via SSH by default. A future article will cover using SSH, including scp and sftp, in place of insecure communications protocols like telnet, ftp, and the old Berkeley r-tools. Including a basic primer on SSH configuration was already something I had in mind.
32 • #21: chage -l user (by Caitlyn Martin on 2009-09-21 16:15:59 GMT from United States)
#21: @RealSlacker, you have found a real error in my article, one I should have caught while proofreading. Hopefully Ladislav will read this and correct the article.
Yes, indeed, the correct syntax for checking your password aging is:
chage -l user
where you substitute your actual user name for "user". Thanks for the correction.
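Comment 8 describes /etc/shadow as the root-only file holding the password hashes, and comments 21 and 32 settle on `chage -l user` for reading the aging fields stored beside them. As an added example that is not from the thread, the following reads shadow-format records the way chage does (nine colon-separated fields; the aging fields are day counts since 1970-01-01, and 99999 is the conventional "no aging" value) and reports what a defender would want flagged: empty password fields, legacy DES or MD5 hashes, disabled aging and expired passwords. The records and the audit date are constructed; the hash bodies are dummies.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

EPOCH = date(1970, 1, 1)          # shadow day counts are days since this date
NO_AGING = 99999                  # conventional max_days meaning "aging disabled"
TODAY = date(2009, 9, 21)         # constructed audit date (the date of this thread)

# Prefixes glibc crypt(3) puts on modern hashes; a bare 13-char field is legacy DES.
HASH_IDS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}


@dataclass
class ShadowEntry:
    name: str
    password: str                  # hash, "" (no password), or "!"/"*" (locked)
    last_change: Optional[int]     # days since EPOCH; 0 = must change at next login
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire_day: Optional[int]      # account expiry, days since EPOCH


def _day(field: str) -> Optional[int]:
    """Empty aging fields mean 'unset'; chage prints them as 'never'."""
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one /etc/shadow record: 9 colon-separated fields, the last reserved."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    return ShadowEntry(fields[0], fields[1], *(_day(f) for f in fields[2:8]))


def hash_algorithm(password: str) -> str:
    """Classify the password field by its crypt(3) prefix."""
    if password == "":
        return "none"
    if password.startswith(("!", "*")):
        return "locked"
    for prefix, algo in HASH_IDS.items():
        if password.startswith(prefix):
            return algo
    return "des" if len(password) == 13 else "unknown"


def password_expires(entry: ShadowEntry) -> Optional[date]:
    """Same rule chage -l applies: last change + max days, or None for 'never'."""
    if entry.last_change is None or entry.max_days is None or entry.max_days >= NO_AGING:
        return None
    return EPOCH + timedelta(days=entry.last_change + entry.max_days)


def audit(lines: Iterable[str], today: date) -> Dict[str, List[str]]:
    """Return findings per account name (an empty list means nothing to flag)."""
    findings: Dict[str, List[str]] = {}
    for raw in lines:
        if not raw.strip():
            continue
        entry = parse_shadow_line(raw)
        issues: List[str] = []
        algo = hash_algorithm(entry.password)
        if algo == "none":
            issues.append("empty password field: anyone can log in without a password")
        elif algo in ("des", "md5crypt"):
            issues.append(f"weak hash ({algo}); re-hash on next password change")
        if algo not in ("none", "locked"):
            if entry.last_change == 0:
                issues.append("must change password at next login")
            else:
                expires = password_expires(entry)
                if expires is None:
                    issues.append("password aging disabled")
                elif expires < today:
                    issues.append(f"password expired on {expires.isoformat()}")
        findings[entry.name] = issues
    return findings


# Constructed sample records (not from any real system); hash bodies are dummies.
SAMPLE_SHADOW = [
    "alice:$6$saltsalt$dummyhash:14500:0:120:7:::",   # sha512crypt, 120-day aging
    "bob:$1$abc$dummyhash:14000:0:99999:7:::",        # md5crypt, aging disabled
    "carol:!:14400:0:90:7:::",                        # locked account
    "dave::14500:0:90:7:::",                          # empty password field
    "erin:$6$saltsalt$dummyhash:14300:0:90:7:::",     # aging ran out before TODAY
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_SHADOW, TODAY).items():
        print(f"{user}: {'; '.join(issues) or 'ok'}")
```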
33 • Physical access (by Jesse on 2009-09-21 16:29:15 GMT from Canada)
Caitlyn: I think you and I are in agreement about things like password protecting the boot loader and BIOS, along with disk encryption, if physical access is a concern. If you have time, perhaps you could do a feature on locking down a PC to prevent a local take-over. A lot of people worry about their kids/parents/lovers getting into private documents and a quick tutorial on the subject would be helpful.
There's a good example in today's article about the danger of using the root account, even in the hands of an expert. A year or two back, I was cleaning out some old back-up files to free disk space. I was logged in as root and was in a folder named, I think, /mnt/backup/july/
I was going to remove this old backup of the home folder and mistakenly typed
rm -rf /home
When I should have typed
rm -rf home (notice the lack of leading slash character)
I spent the rest of the week fixing things, apologizing to people, putting together files from recent backups and generally feeling like an idiot.
34 • Security yet again (by Xtyn on 2009-09-21 16:32:43 GMT from Romania)
Incredible article, it was so entertaining, I can hardly wait until the next one... (not)
Leaving the joke aside, in a world where desktops are dominated by windblows and most people are using it with administrator rights, I think you're making too much fuss about this.
What did Linus Torvalds say about security obsessed people?
Oh, yeah, that they are "a bunch of masturbating monkeys".
Have a nice week. I'm still waiting to get hacked.
35 • Ref#5 Chrome OS vs Google OS (by VernDog on 2009-09-21 16:45:43 GMT from United States)
"I think it should be noted that Chrome OS mentioned in DWW has nothing to do with the upcoming Google's operating system and violates Google's copyrights pretty badly."
Wow. I didn't realize that. Now that you mentioned it I will go back and re-check that web page. Thanks for the heads up. I am eagerly awaiting Google's new OS.
36 • Article (by AU on 2009-09-21 17:04:22 GMT from Germany)
Stretching words like that makes defining stuff completely useless. You can just as well write "a secure system is a system which is secure".
I consider the definition bad, but I agree that this is just an opinion.
The article covers very little:
The presentation is not very structured in my opinion, and the presentation does not provide much detail. You really have to ask how useful the information is to a Linux user. On top of it it contains inaccuracies. You can call them tangential, but it is misinformation. It shows that the author did not check the facts really well.
"Pardon me if I come across too strong, but I get upset when I see an article picked to pieces, in a non-constructive manner,"
I point out how I see it. If you can't handle that then that is your problem.
37 • RE: 34 - Too Late! (by Eddie Wilson on 2009-09-21 17:05:17 GMT from United States)
"I'm still waiting to get hacked."
Too late. It sounds like your brain has already been affected. Really, all jokes aside, I doubt if you have anything anybody would want. Stop acting like a spoiled little kid. It seems to just tear you all to pieces when someone mentions security. It sounds like you're the obsessed one.
PS. Want a banana?
38 • Response (by AU on 2009-09-21 17:08:58 GMT from Germany)
@Caitlyn Martin (#29):
You attack all four points I raised. I will respond.
"The security definition came from one of the classic UNIX security books: [...] The expertise of the authors is not in question."
I don't care who came up with that definition ( http://en.wikipedia.org/wiki/Appeal_to_authority ), I consider the definition bad. Let's call it a difference of opinion. However, you write this:
"If someone makes uninvited use of your system(s) for their own purposes without your consent, that definition is no longer met."
If someone walks to the keyboard when I am not paying attention and starts to use the computer, then I can still 'depend on [the computer] and its software to behave as you expect'. It is absolutely ridiculous to claim that the definition is no longer met in this case.
"Your second item in dispute is also incorrect."
You did not understand my 'second item in dispute' (you mean third). I did not claim that plain text passwords were never in /etc/passwd. My problem was that you mixed using hashes with moving the passwords/hashes to the /etc/shadow file. See this quote:
"The basic concept of shadowing is easy to understand. I'll quote Seifried again: "For many years the solution has been quite simple and effective, simply hash the passwords, and store the hash, when a user needs to authenticate take the password they enter it, hash it, and if it matches then it was obviously the same password.""
I have a feeling that this (using hashes) is not called 'shadowing' as you claim.
"As noted by others I can find different definitions of su (what it's called) in different sources but not different definitions of what it does. You are spillting hairs here."
I agree that this was not very important. However, I have spent some time on it now and I think comment 20 is pretty convincing: nowadays su means 'switch user id'.
"The only point you make that has any validity at all is the fact that I could have and probably should have been more precise in my description of MD5. It is a stronger cryptogtaphic hash than what was previously used. Having said that, hashing is, in itself, a form of encryption. However, you are correct that it is not an encryption system in and of itself."
I disagree. Hashing is NOT a form of encryption.
"In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted)."
Hashing does not create a ciphertext and there is no way back to plaintext. There is no decryption.
To make it even clearer: with hashing information is lost, with encryption no information is lost.
You make this into some kind of battle. That was not my intention when I wrote my first comment. I was simply trying to warn readers that the article is not very accurate. I still think that is true.
39 • RE: Point them out. (by Eddie Wilson on 2009-09-21 17:10:44 GMT from United States)
@au, If there are inaccuracies then point them out. Not with your opinion because that means nothing. Point it out with facts. I would like to know if what you say is true.
40 • Re #36 @AU (by Pearson on 2009-09-21 17:34:06 GMT from United States)
I respectfully disagree with your opinion that the article covered very little - it covered three important topics and serves as an introduction for more articles.
Ms. Martin included a *lot* of good information - including how to use su and sudo, why password aging is important, a brief history of passwords, an overview of users/groups/passwords, and much more. You pointed out a few "inaccuracies" - and some of those are questionable - to label the article "not very accurate." Will you decide that the entire book she cited for her definition is "not very accurate" because of that one quote? How many inaccuracies are allowed for an article to be considered "accurate"?
Please, be *constructive* when you point out what you believe to be inaccuracies. It's called respect. We can use a lot more of that - here on DWW, the internet in general, and societies in general.
41 • ChromeOS is fake (by crash9 on 2009-09-21 17:40:24 GMT from United States)
This was already pointed out. But, it should be noted that the above link to ChromeOS is a Google Sites address, as opposed to an official Google address, with a SuseStudio build containing Chrome and OpenOffice.org on an openSUSE base. The virtual machine they offer does not contain the new windowing system Google spoke of or any of the many Google tools that I'm sure will be on a Google OS project.
42 • Stupid Haxors Got Too Much Time (by CRAP on 2009-09-21 17:41:24 GMT from Philippines)
It's always nice to see some new distro posted here on distrowatch and predict how long it will take those haxors to realize that they've got too much time on their hands.
Yeah I like to put cowsay and fortunes in a terminal so I'll make a new distro oh and yeah I'll change the brown to green and put some codecs on it because ubuntu didn't have those. And finally I'll convince users its more stable than Ubuntu ... DUH!
Ever wonder why we have 1,000,001 distros? Geez.
43 • Props to Caitlyn Martin (by Gnobuddy on 2009-09-21 18:01:28 GMT from United States)
Just wanted to tell Ms. Martin thanks for a good article, and thanks for your balanced and mature response to the twit who tried to start a "mine's bigger than yours" shoving match with you. We see so much knee-jerk reactivity that it is a pleasure to see someone stay on an even keel in such a situation.
44 • More responses (by AU on 2009-09-21 18:01:35 GMT from Germany)
@Eddie Wilson (#39):
Eddie Wilson, did you read comment 38 and comment 13 and comment 20? I back up my claims. I try to provide sources. How far do I need to delve into all of this? I don't get paid for my comments.
"it covered three important topics and serves as an introduction for more articles."
I agree with that and I pointed that out in earlier comments.
"Will you decide that the entire book she cited for her definition is "not very accurate" because of that one quote?"
No. I have no opinion on the book.
"How many inaccuracies are allowed for an article to be considered "accurate"?"
When there is information in an article that I consider wrong, I begin to doubt all information in it. I think that is natural.
In other words, if the inaccuracies are presented as truths and not preceded with 'I think' or 'I believe', then very, very few inaccuracies are enough to make me suspicious.
"Please, be *constructive* when you point out what you believe to be inaccuracies. It's called respect. We can use a lot more of that - here on DWW, the internet in general, and societies in general."
I *am* constructive. I wrote how I felt about the article. I tried to explain why I had this opinion and I tried to remain positive. My comments were not meant to be hostile at all.
45 • Test, just a test (by XRumerTest on 2009-09-21 18:05:40 GMT from United States)
Comment deleted (off-topic).
46 • AU makes some fair points (by Anony Moss on 2009-09-21 18:09:28 GMT from India)
While the article may be good, and CM certainly does write some informative articles, why is everyone jumping on AU when he is raising some legitimate concerns with this particular one?
A few shortcomings in an article does not mean it wasn't useful. Let's not get too defensive here- criticism is healthy and should not be taken too personally. Everyone is fallible. I, for one, did not find AU's posts disrespectful or destructive.
47 • Security (by Anonymous on 2009-09-21 18:28:51 GMT from United States)
I'm having the opposite problem: general users can't get read/write access to their own Windows or data partition on the same drive.
Some will give read only, others flat reject without a password screen with a security violation or a "no user mountable partition" message. It is making it hard for the user to get their job done or having to resort to a floppy or a USB key drive to keep their files.
48 • RE: 38 (by Anonymous on 2009-09-21 18:46:17 GMT from United States)
The complaining over hashes vs encryption seems to be about as pointless as the battle over the "true" meaning of su. Arguments that must be qualified with things like "nowadays it means this" and with definitions from wikipedia are next to worthless without more information.
What it comes down to is that functionally the encryption process and hashing are nearly identical. What you cannot do with a hash is decrypt it, which is a separate process. Even the wikipedia definition was weak on this point stating that "In many contexts, the word encryption also implicitly refers to the reverse process, decryption", one of those contexts must refer to when you're trying to be difficult on a message board. It's not encryption, it's a related cryptographic tool....bleh. speaking of tools
49 • Good work on the article (by Ubuntu Two on 2009-09-21 18:50:07 GMT from United States)
Very nicely done. I like these informative type articles.
I have to agree with comment 9, though. Changing your password too frequently really just opens the door to users storing their passwords in an insecure manner, which has the net result of less security, rather than more.
50 • Mandriva KDE4 (by Anonymous on 2009-09-21 20:04:34 GMT from Italy)
I have found the Mandriva implementation of KDE4 the best one so far.
The main reason is because it behaves a lot like KDE3 (but there are still some KDE3 features missing).
51 • #34 (by Notorik on 2009-09-21 20:23:35 GMT from United States)
I have to agree. Especially since I am using Puppy to post this. As I have stated repeatedly, (to quote me) "it's all poppycock".
We have some real confusion over enterprise administration and home user security. You should not apply the same standard to the home user as you apply to an enterprise. I don't care about running as root. In fact I get pissed off when a distro tries to restrict me from running as root. Don't you dare try to tell me what is safe or not safe on my own computer. Sure I have f'd up my system but so what? I have learned volumes by doing that. It is an entirely different matter if you are working for someone and you screw up the whole system.
There is no such thing as absolute security. You probably shouldn't ever use your credit card for anything over the internet. Online banking is probably a bad idea too but most people do it and if you have a secure encrypted connection it's reasonably safe. But the person at the bank could steal your money so this whole thing is smoke and mirrors to keep "security consultants" in business by creating paranoia among those who are less knowledgeable than themselves. Apologies to those who disagree with me (including Ladislav), this will be my only post on this topic.
52 • security (by BSD User on 2009-09-21 20:29:28 GMT from United States)
Caitlyn Martin tries to help users, and so does AU. BTW, I didn't see any attack from AU.
But what is the catch? The users who like Unix and want to learn about Unix know how to secure it, or they have books, or they find help online or...
But users who think that Unix is safe by itself don't care about AU's or Caitlyn Martin's posts or about spending time searching on the Internet. And there are many Linux distros whose security is questionable.
It is my opinion.
53 • @46 (by Moose-n-bear on 2009-09-21 20:36:09 GMT from Canada)
I think there are two reasons some people didn't respond well to AU's comments. The first is probably a language/cultural thing. AU's wording might come across as strong to some people. Words like "inaccurate" "attack" and "trust" are likely to trigger a response, whether it was meant to be offensive or not. I, for one, believe AU isn't trying to be offensive, perhaps just offering some different points of view.
That being said, I think AU's complaints against the article are the second cause. Two points raised appear to be from misreading or misunderstanding the information provided in the feature. The other two are, as Caitlyn put it, hair splitting. The "su" debate is pretty silly; any UNIX admin in the past twenty-five years would recognize either "switch user" or "super user". And, for a high level over-view of security like this week's feature, encryption and hash are close enough that, again, we all know what's being talked about.
In short, there's no misinformation or obviously incorrect statements in the article and to continue to state otherwise is, I think, pretty pointless.
54 • Chrome OS (by matyas on 2009-09-21 20:37:33 GMT from Argentina)
I don't think that is the official page for Google Chrome OS.
55 • No subject (by Anonymous on 2009-09-21 21:10:35 GMT from United States)
Comment deleted (off-topic).
56 • To be, or not 2 B, safe and secure. (by John Herbert Dillinger on 2009-09-21 21:15:28 GMT from United States)
I'm not obsessed with security either, but I found some interesting info in CM's article.
But this statement:
"Kurt Seifried, in his Linux Administrator's Security Guide, writes: "You only need to make one mistake or leave one flaw available for an attacker to get in. This, of course, means that most sites will eventually be broken into." He adds: "All technical security measures will eventually fail or be vulnerable to an attacker. This is why you must have multiple layers of protection."
I found at best entertaining. How about this - If I make one mistake and leave my front door open, someone can come in and empty out my house.
There are those, like CM, that are paid to make clients "feel" safe. So in the end, is it any wonder that security is on her mind most of the time? I would rather learn Linux than have to always be reminded to keep my "front door locked" - God, is it locked, maybe I should check, I hope it's locked, ad infinitum.
I suppose I depend too much on the devs to keep my Linux distro secure, so I don't have to worry so much.
57 • OpenBSD is not delayed (by Pau on 2009-09-21 21:31:06 GMT from Germany)
... but follows its original schedule:
"we will go back to the standard Nov 1 schedule"
Date: Thu, 17 Sep 2009 17:41:12 -0600
From: Theo de Raadt
Subject: 4.6 postponed to Nov 1
The 4.6 release will be postponed to Nov 1.
There have been serious CD production problems. Because everything in
CD manufacturing is so ridiculously outsourced, all I know is that the
plant which was used this time (Q Media services Corp in Vancouver)
have made about 6 faulty CD pressings in a row. I will stop saying
more, otherwise this will quickly turn into a rant.
We intended to release on Oct 1 because the tree was frozen earlier
(as jj has described on undeadly.org, this was so that the f2k9
hackathon could occur in August, with an unlocked source).
But we will go back to the standard Nov 1 schedule. Sorry about
Thank you very much for those of you who have pre-ordered.
58 • Aha (by Nobody Important on 2009-09-21 21:42:33 GMT from United States)
I stay off the DWW for a week or two, and come back to find the usual. I'm unsurprised.
Nods to Notorik for continuing to spout his nonsense - it's entertaining as ever. It would work better as a satire.
The rest of you can keep on truckin'.
59 • Balance of main article. (by Jasperodus on 2009-09-21 22:22:10 GMT from United Kingdom)
The definition of a computer behaving as expected:
Made sense to me as soon as I read it - I think it is completely valid.
Again, I have only known it as superuser but, even if it was given as switch user or substitute user it would not have bothered me at all - I would have understood (which is the main thing, right?)
Problem is, it's always going to be a case of the information is too detailed or not too detailed for some. I believe that quite often the motivation for people who try to find fault, and nit-pick, is to demonstrate their 'cleverness'.
Anyway, I found the article to be a nicely weighted introduction.
60 • feature story - linux security (by Ken on 2009-09-21 23:11:42 GMT from Australia)
Thank you for this, I look forward to the upcoming additions to this feature. Most helpful, cheers.
61 • Security (by JD on 2009-09-22 00:24:57 GMT from United States)
Everything in this article is very valid and I agree completely! I just hope my passwords are strong enough. But who in their right mind would hack someone on very slow DSL like mine? I mean, come on! It'd be torture for both of us!
And on another note:
I'm very glad to see many more women contributing to Free Software World!
and hope to see a continuation of the great trend because they can bring a lot to it I think.
62 • ChromeOS link a fake (by alanbcohen on 2009-09-22 01:59:21 GMT from United States)
I haven't read thru the other comments here; I just got home and went to download from the 'chromeos' link you provided only to find it is a fake, linking to 'http://susestudio.com/'. That is sufficient reason to me to avoid Suse with a passion and make me question how well you researched this item before passing it on.
63 • RE: 62 ChromeOS link a fake (by ladislav on 2009-09-22 02:08:52 GMT from Taiwan)
What's with all this "fake Chrome OS" comments? It's a real distribution based on openSUSE. What's "fake" about it?
The only problem is that the download link no longer works (it worked last week). If they don't fix the link soon, I might be persuaded to remove the entry from this week's DWW, but I still don't understand why so many people think it's "fake".
64 • Ubuntu Karmic Installs (by Chris H on 2009-09-22 04:13:26 GMT from United States)
Pardon the new thread, but...
I've installed the karmic alpha 6 on several machines. I'm using the 'alt', 'debian installer' version to prevent install failures even if the graphics card that I'm using isn't supported yet. My computer with an ATI Radeon HD 4550 card had that problem, but booting into the 'recovery' mode allowed me to update the system, and karmic is working just fine on that system in addition to several other systems. There are lots of updates to download. I like that.
The weird thing about karmic is that it only uses 'grub-pc', aka 'grub2'. If you want to boot karmic from another distro's partition, you have to manually insert a grub stanza that you've created with information from karmic's /boot/grub/grub.cfg file into the 'menu.lst' file on that other distro's partition. If you do an Ubuntu 9.04 install after the karmic install, Ubuntu 9.04 will create the required karmic 'menu.lst' stanza for you.
65 • Good article (by Joe on 2009-09-22 05:42:31 GMT from United States)
Caitlyn, good article on Linux Security Basics. I found the article to be an interesting read and I look forward to the rest of the series. As always, I enjoy reading the articles on this site and the content rarely disappoints.
For years, whether working with Linux or Unix, I've seen su described as switch user and superuser. It temporarily substitutes another user ID for your own, with root (superuser access) as the default. I have numerous books in my library that provide both terms (usually in the same sentence) for the command su. Either term should be acceptable, although IMHO superuser is more widely used.
Reading the comments section can be very rewarding as well, since many of our fellow Linux enthusiasts provide good advice, often accompanied by links to additional related information that helps round out the topic. Occasionally, someone makes a point of contention, and we all learn from the ensuing discussion. DWW is a much better read when the comments are constructive.
66 • Ref - 63 • 62 ChromeOS link a fake (by Anonymous on 2009-09-22 06:14:22 GMT from United States)
I think confusion is the word to use. GoogleOS vs ChromeOS. There's a difference.
67 • Simple security check (by John Richards on 2009-09-22 06:41:08 GMT from United Kingdom)
I know this is very untechnical and quite insufficient by itself, but I always find it very reassuring when the WLAN or LAN contact light for my machine on the router/modem stays continuously steady for long periods of time, when I am doing non-linking activities on the machine - except of course when it is checking for updates. If it started flickering regularly I would suspect intrusion, and perhaps even a botnet. But of course I also apply the more technical anti-intrusion techniques.
68 • No subject (by Pingus on 2009-09-22 06:58:50 GMT from United States)
Maybe fake is not the proper term. Misleading would be more accurate as people are making the assumption the ChromeOS is the distribution from Google.
69 • @ 63 re: "Fake Chrome OS" (by Anonymous on 2009-09-22 07:19:54 GMT from United States)
It's based on Suse, you'll find certain individuals that can't resist spreading FUD about it. Some people seem to have made a full time job complaining about them.
70 • FreeBSD+Gnome (by Equimanthorn on 2009-09-22 07:21:52 GMT from Italy)
I found some FreeBSD distros using GNOME as the default WM:
http://www.truebsd.org/ (live dvd+install)
http://www.ghostbsd.org/ (live dvd + install in the next version)
http://freebsd-custom.wikidot.com/start (custom iso using xfce or gnome)
71 • Kahel OS (by jdetras on 2009-09-22 08:12:01 GMT from Philippines)
I thought I was mistaken when I read about Kahel OS. I know for sure that it is a Filipino word but I did not bother to look into it earlier when I read Distrowatch. It is just now that I re-read about the new distros that I found out Kahel OS is really a Filipino distribution. I am surprised about it. BTW, "Kahel" = "Orange". Glad to hear that there are other Filipinos working on developing a Linux distribution.
72 • No subject (by Anonymous on 2009-09-22 08:40:18 GMT from United States)
The most common are su, short for superuser, and sudo, short for superuser do.
Should be "Switch User" instead of superuser.
73 • Re: SU (by Anonymous on 2009-09-22 09:19:39 GMT from Canada)
I'm a newb, but man su:
"su - change user ID or become superuser"
If true, in context the article would be best to say, "The most common are su, short for [become] superuser."
74 • RE: 63 "RE: 62 ChromeOS link a fake" (by Julian Andres Klode on 2009-09-22 13:12:17 GMT from Germany)
Google announced at http://googleblog.blogspot.com/2009/07/introducing-google-chrome-os.html an operating system called "Google Chrome OS". The ChromeOS listed here is not this OS, and is not supported by Google in any way. It will just cause confusion to include this OS in the list.
75 • Excellent Article (by Jason on 2009-09-22 13:43:46 GMT from United States)
Caitlyn, thanks for the wonderful article/intro on linux security. While most of this information is already stuff that I know, it's always nice to go back over the basics and see things laid out in a format that is accessible to newer users and aspiring system administrators. I look forward to the next installment. Keep up the good work!
Once again Distrowatch proves itself to be an invaluable resource to the *.nix community.
76 • Re:63 & 62 & "Chrome OS" (by Sam on 2009-09-22 14:05:25 GMT from United States)
Agreed. Even if the distro is legit (and the developer gets the website working again), it takes the name of Google's forthcoming operating system. Would Distrowatch provide a link to an OpenSuSE respin I'm planning to make called "Windows 7" ?
77 • RE: 74, 76 (by ladislav on 2009-09-22 14:13:26 GMT from Taiwan)
OK, fine. Since you guys don't want to see it here and since the download doesn't work any more, I've removed it from the list. But as for the "Windows 7" analogy, you know the answer already - the name wouldn't last very long irrespective of whether I'd link to it or not.
78 • Thanks..... (by Jasperodus on 2009-09-22 14:22:06 GMT from United Kingdom)
.....to all who must have spotted the 'howler' in my earlier post (59), but did not feel the need to cause me a little embarrassment:
"......or not too detailed for some"
Yoikes! Didn't think about the wording very well, did I?
Now, where did I put that embarrassed emoticon?
Anyway, as far as I am concerned, the article was nicely balanced :)
79 • #58 (by Notorik on 2009-09-22 15:19:21 GMT from United States)
Nothing to say so you take a "swipe" at me? Don't be hatin'. Thanks for the "nods":)
80 • Thanks, Caitlyn and Ladislav (by Michael Raugh on 2009-09-22 16:40:18 GMT from United States)
Greetings, all! A few thoughts, in no particular order:
Loved the security article by Caitlyn and I'm very excited to see the future installments. Reading security manuals is often a chore; by putting essential information in this short, accessible format Caitlyn and DWW are doing a great service to the home and SOHO Linux user. That, if you ask me, is extremely cool and while it's always possible to nitpick or call oversimplification the message is sound and easy for the target audience to follow. That, ultimately, trumps pedantry.
@14: Sudo isn't there to protect people from making mistakes as root, Mandriveiro; it's there to make it more convenient to use root power when it's needed, and under reasonable controls (such as a limited set of commands, requiring the user to re-enter their password first, etc.). I started out on Fedora and SUSE, without sudo, and then added Ubuntu which uses sudo by default. After a little while I came to prefer sudo even to "su -" because of the logging. I use it in my work environment so that multiple admins can work on a box and keep a decent audit trail of who's doing what.
@33: Jesse, it's a point of consensus among the security folk that I hang out with that if you have physical access to a system you own it. You really can't lock down a system to prevent a local take-over, though you can (through disk encryption, for example) take steps to make it extremely difficult for anyone to read your data after they do.
@62 (and others who noted the "Chrome OS" thing): Bear in mind that SuSE Build Studio is a tool; anyone can use it to create an OpenSUSE respin and name it anything they like. Clearly this points out a need for a little more supervision of the site by OpenSUSE but I wouldn't call it a reason to disown the whole organization. Your mileage may vary, as always.
Just as an aside, I'd like to see a new principle take hold akin to Godwin's Law but stating that the moment anyone cites Wikipedia as an accurate or authoritative source on *anything* they automatically lose the argument. ;^)
81 • Re: 80 (by Mandriveiro on 2009-09-22 17:14:50 GMT from Spain)
I know that sudo can be configured to let different users use only certain specific commands, and that's very useful and much more secure.
What I don't see is the reason to remove a security layer by using sudo+first user's password, instead of a different password (say root if you want to) for _full_ access to the system. I'm afraid that many people running servers just have one user and one password for everything.
And of course, a system with a root password can also be broken into...
82 • @80 (by Sean on 2009-09-22 18:10:24 GMT from United States)
Michael Raugh said, "You really can't lock down a system to prevent a local take-over, though you can (through disk encryption, for example) take steps to make it extremely difficult for anyone to read your data after they do."
That is an excellent point.
At our facility we've started a tiered password behavior for all users on all 17 machines. Since its inception, still in experimental stages and it is at a school so we are wary, we've had zero intrusions **that we know of**.
Multiple user computers need this system in our opinion, if it is feasible in a given environment (we got it from the computer gurus at SAC).
83 • BS (by RollMeAway on 2009-09-22 20:18:26 GMT from United States)
I come here, to Distrowatch, to find the latest information about linux distributions.
While security is certainly important to any distro, and I did find the article interesting, to devote all comments to it is a waste.
There are countless websites and books devoted to security. Go there, read them!
Everyone's time is wasted with "he said", "she said", misspelled words!, didn't dot that i, forgot to cross this t.
Could we discuss distributions?
84 • Inaccuracies in Article (by Anonymous on 2009-09-22 21:12:06 GMT from Australia)
There have been comments about inaccuracies in the article, and discussion about whether these comments are positive or negative.
It may be a good idea to have two different ways of submitting comments. One as is, to be posted on the forum, and another to send a private message.
If someone notices an inaccuracy, they can send a private message, and the article can be corrected.
85 • #83 (by Elder V. LaCoste on 2009-09-22 22:57:25 GMT from United States)
First thanks to Caitlyn for an interesting and informative article. My personal preference would also be to focus on distros but it is refreshing to read something a little different once in a while. DWW is read by a diverse group of individuals with many different thoughts and concerns so I don't have a problem with an occasional discussion about something other than distros. Security is an important issue to most of us (Notorik is the obvious and puzzling exception) so a week devoted to it is a week well spent IMHO. I am however still waiting for Caitlyn's review of Dragon Fly BSD which I believe she stated was "definitely on her radar" ....
86 • No subject (by forest on 2009-09-23 00:19:46 GMT from United Kingdom)
Ok, point taken, RMA. I have just tried out the latest offering of Berry (v 0.98), it did not find the wifi so it died for me right there (I only have a wifi connection). The screen res did not seem quite right...unless the cat had already lost a number of its 9 lives or was an entirely new breed unknown to anyone else outside Japan.
Then tried the Easy Peasy on the same machine, Opti 280, 3GHz, 2GB ram, but copied onto a usb stick (using the U9.04 usb writer) and that connected as fast as via wifi, (although in the interests of top security I broke the connection straight away...).
Interesting, if that is the correct term, desktop and proved to be a pleasant diversion for an hour or so.
I had tried, prior to this p.m., the latest Puppy (4.3) and that again was stuck onto a usb stick and was fairly fast in the 2GB ram of the m/c. I was particularly pleased with being able to play commercial DVDs without any nonsense and with all the on-screen menu fully functional.
Ref your comment about discussing distros...never forget the old saying...one man's meat etc, etc. (and woman lest I'm accused of being sexist.).
Apologies if you have latched onto this wheeze already...but have you set up "your" google alerts for anything GNULinux? Believe me you will find more to read than you bargained for...mind you it is worth it for the pro MS rantings of some "pocket" hacks/journos.
87 • Password (by Anonymous on 2009-09-23 00:34:23 GMT from United States)
Are we still limited to only eight character passwords?
What is the current true password length limit?
What happens if you use more than eight?
88 • re #86 - berry berry sad (by gnomic on 2009-09-23 04:12:48 GMT from New Zealand)
Thanks for reminding me I vowed never to try Berry again after the last version. OpenOffice wouldn't run on several machines, and left the gui disabled, the only escape was the reset button. Shame in a way, Berry has a nice look and some nice features, but I have the feeling it is a one man band, and testing is done after it has run on the machine it's made on. I stand to be corrected, but the dev is an invisible man, no response to emails. Maybe it works well in Japan? The trend seems to be downhill, it did seem to mainly work back at Fedora 8 or so, but the plot seems to have been lost since then.
89 • #83 SecurityWatch (by Xtyn on 2009-09-23 06:48:46 GMT from Romania)
Yep, someone forgot to tell her that this site is called distrowatch, not securitywatch.
Ever since she came here security has become a prime issue.
All this is just FUD.
Be afraid, be very afraid, your Linux distro is not secure.
90 • Password lengths (@87) (by Michael Raugh on 2009-09-23 11:59:21 GMT from United States)
The old 8-character limit on passwords was a limitation of the old crypt hashing method used in years past. Any reasonably modern distro will readily accept passwords longer than that with no issues at all.
Exactly how long a password can be is a function of the hashing algorithm and how a given distro implements it. In practice most distros that use MD5 hashing can accept a password of 70-plus characters for local authentication, which is way more than anyone would be willing to type.
Mind you, in a networked environment there are other factors that can limit password length. If you use LDAP authentication, NIS, or Samba (Windows) for network authentication that external directory may have a lower limit than Linux itself does. Some LDAP directories stop at 16 characters, and I *think* the maximum for Windows NT/Samba 3 is 31 (but don't quote me on that).
91 • Security in Linux Distributions (by Sean on 2009-09-23 12:13:43 GMT from United States)
How is discussion of security in distros not discussion of distros?
92 • Security - Password aging (by VernDog on 2009-09-23 14:13:41 GMT from United States)
Someone already mentioned it, but what's the theory behind changing passwords every short period of time, if they meet the requirements? Without giving a knee-jerk reply, what's the purpose?
If you're thinking someone is approaching your password by some cracking means then they would do it anyway whether you change it or not.
Also as I stated, when you have to keep changing passwords all the time you fall into the habit of posting it under the keyboard or under your coffee cup because you can't remember the new one. You get lax. I have a complicated password and I have NO intention of changing it. I have it posted deep within my brain :)
93 • #92 (by Notorik on 2009-09-23 14:51:02 GMT from United States)
What is it?
94 • @92: Changing passwords (by Jesse on 2009-09-23 14:54:54 GMT from Canada)
Changing a password every so often is good for a couple of reasons. In an office environment, it means that any shared accounts are protected when an employee leaves. Lots of IT departments have multiple admins and you wouldn't want a former employee using the root password.
At home there's a bit less obvious use. Though if someone does guess your password, changing it on a regular basis means someone who has managed to guess/crack your password needs to do so over again.
Rotating passwords also means there is a time limit on cracking your login. Let's say someone tries to ssh into your machine and they're trying to brute force your password. If your password is static, eventually the attack will work. It might take a long time, but it'll work. If your password is changing, you're a moving target. Using long, complex passwords and changing them often means brute force attacks have very little chance of success because the attacker isn't going to keep repeating combinations already tried.
If you have trouble remembering a password, try to come up with a theme or formula. It can be a lot easier than remembering the exact combination.
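An added example, not from any poster in this thread: a small Python audit script of my own that reads /etc/shadow-style entries, names the crypt(3) scheme from the hash prefix (the prefix-less 13-character form is the legacy DES crypt from #90, where only the first eight password characters count) and flags passwords older than a limit, the aging rule debated in #92 and #94. The sample entries and the hash strings in them are constructed placeholders, and the 90-day default limit is an assumed policy.

```python
"""Audit /etc/shadow-style entries for legacy hash schemes and stale passwords.

Added example (not from the thread). Sample data below is constructed; the
hash values are placeholders, not real password hashes.
"""
from datetime import date, timedelta

# glibc crypt(3) scheme identifiers found in the "$id$salt$hash" prefix.
SCHEMES = {
    "1": "md5crypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
}

# Constructed shadow lines (name:hash:lastchg:min:max:warn:inactive:expire:flag).
# lastchg is days since 1970-01-01; day 14500 is 2009-09-13.
SAMPLE_SHADOW = [
    "alice:$6$c0nstructedSalt$NOTAREALHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:14500:0:99999:7:::",
    "bob:abJnggxhB/yWI:14100:0:99999:7:::",          # 13 chars, no prefix: DES crypt
    "carol:$1$c0nstrct$NOTAREALHASHxxxxxxxxxxxx:14400:0:60:7:::",
    "daemon:*:14000:0:99999:7:::",                    # locked, no password login
    "eve::14500:0:99999:7:::",                        # empty field: no password at all
]
AUDIT_DATE = date(2009, 9, 23)   # constructed "today" for the sample run


def classify_hash(field):
    """Name the crypt(3) scheme used by one shadow password field."""
    if field == "":
        return "empty"               # login permitted with no password
    if field.startswith(("*", "!")):
        return "locked"              # disabled account or placeholder
    if field.startswith("$"):
        ident = field.split("$")[1]
        return SCHEMES.get(ident, "unknown-$" + ident)
    if len(field) == 13:
        return "descrypt"            # classic DES crypt: 2-char salt + 11-char hash
    return "unknown"


def parse_shadow_line(line):
    """Split one shadow entry into the fields the audit needs."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError("malformed shadow entry: %r" % line)
    name, pw_hash, lastchg, _min_age, max_age = fields[:5]
    return {
        "name": name,
        "scheme": classify_hash(pw_hash),
        "lastchg": int(lastchg) if lastchg else None,
        "max": int(max_age) if max_age else None,
    }


def password_age_days(entry, today):
    """Days since the password was last changed, or None if unknown."""
    if entry["lastchg"] is None:
        return None
    changed = date(1970, 1, 1) + timedelta(days=entry["lastchg"])
    return (today - changed).days


def audit(lines, today, default_max_age=90):
    """Return (user, finding) pairs for every entry worth a second look."""
    findings = []
    for line in lines:
        e = parse_shadow_line(line)
        if e["scheme"] == "descrypt":
            findings.append((e["name"],
                             "legacy DES crypt: only the first 8 password characters count"))
        elif e["scheme"] == "md5crypt":
            findings.append((e["name"],
                             "md5crypt: no 8-char limit, but sha512crypt ($6$) is the modern default"))
        elif e["scheme"] == "empty":
            findings.append((e["name"], "no password set"))
        if e["scheme"] in ("locked", "empty"):
            continue                 # nothing to age-check
        age = password_age_days(e, today)
        if age is None:
            continue
        # 99999 in the max field means "never expires"; fall back to our own policy.
        limit = e["max"] if e["max"] is not None and e["max"] < 99999 else default_max_age
        if age > limit:
            findings.append((e["name"], "password is %d days old (limit %d)" % (age, limit)))
    return findings


def run_sample_audit():
    """Audit the constructed sample as of AUDIT_DATE."""
    return audit(SAMPLE_SHADOW, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in run_sample_audit():
        print("%-8s %s" % (user, finding))
```

Run against a real /etc/shadow (as root) by passing its lines to audit() with date.today(); the per-account max field is honoured when set, and the policy default only applies to accounts whose password never expires.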
95 • No subject (by forest on 2009-09-23 16:28:42 GMT from United Kingdom)
A brain is the organ employed, by most people it would seem, to prevent their skull from imploding Notorik...
Ref changing PWs on a regular basis, the ex once worked for an American company with offices in UK. Their business was in top grade adhesives, and, consequently they employed top grade IT folk.
The IT director took the entire issue of security so seriously he would know, obviously, if a PW had not been changed as per mandatory staff instructions.
If said PW was not changed the culprit was summoned to their line manager to give an account of themselves. If it was suspected a person had divulged their terminal's PW to a third party, or even if they went for a wee and left their terminal open unattended they got their ears bent, hard.
This practice meant security was on the forefront of everyone's mind and went partway to preventing the above mentioned lax behaviour.
Which just goes to show there's not really crap security...just crap staff and their crap practices.
96 • Some responses (by Caitlyn Martin on 2009-09-23 18:52:09 GMT from United States)
#85: @Elder: There will be no review of DragonFly BSD from me. It doesn't work on my hardware. I was ready with a review of PC-BSD 7.1.1 but since we had a review of 7.1 Ladislav nixed it. Either FreeBSD 8.0 or PC-BSD 8.0 will be the next BSD review.
#87: Michael did a good job of explaining the history of the old eight character password limit (see #90). The main reason to stay with eight characters today would be if you have a legacy system on your network and want to create a single sign-in. Most of my current passwords have 10 characters.
#92: @VernDog: I think Jesse gave an excellent answer to your question in #94, one I can't improve on :)
#56: It's not about making my clients "feel safe". I've done a lot of work recovering from security incidents after the fact. That's lucrative work since it's always time consuming. Customers generally want to know why and how it happened, meaning lots of billable hours doing forensics on top of restoring things and securing them. It's still a pain, both for myself and my customers. My security award, the one from Lockheed-Martin that hangs on my wall, isn't for preventative measures. It's for recovery after the fact.
The reason security is important to me and to every professional systems administrator and network administrator I know is precisely because we all know and have dealt with the consequences of lax security too many times.
Regarding sudo: The value and wisdom of the Ubuntu implementation of sudo is certainly open to legitimate debate. I think the folks at Canonical are striving for a balance between ease of use and security. Their way is certainly not optimal in terms of security.
Having said that, there is no doubt that using sudo as Ubuntu uses it is far superior to just running as root. You're only acting as root for limited times and limited actions. You can also enable logging using sudo.
I generally prefer to prefix commands with sudo rather than just using sudo to open a root shell. Yes, it's five extra keystrokes per line but that way each step can be logged. In my professional work being able to backtrack what was done has made it much, much easier to track down and correct mistakes. Of course, launching some scripts and GUI apps from the command line as root often does require doing so from a root shell.
Finally, I just hope nobody takes the advice of those who call concerns about security "poppycock" or "FUD" or "paranoid". They will come around after they have lived through the consequences of a really nasty security incident. The old expression "ignorance is bliss" applies perfectly.
Next week's article will be a distro review. The next security article will be next month sometime.
97 • passwords (by glasid on 2009-09-23 23:11:35 GMT from United Kingdom)
I have lots of accounts that require user names and passwords so how do I remember them all? I write them all down in .doc format and then upload them to an email account so I can access them anywhere anytime.
This probably isn't the most secure method to store passwords but there is no way I could remember 30+ user name and password combinations.
Does anyone else have a better suggestion?
BTW, su must stand for "super user", not "substitute user" or "switch user". If it was the latter bash would ask you 'which user?', not 'password?'
Also, IMHO, most Linux OS's are still in the multiuser workplace mentality and haven't actually shifted to the single home computer user - which is probably 95%+ of all users these days. Do you think there many families left that all share one computer?
98 • @97 (by stuckinoregon on 2009-09-23 23:23:53 GMT from United States)
Why not use a cross platform solution such as keepassx for storing your passwords in an encrypted database? Then just take that with you on a usb keyfob.
99 • RE: 97 *.doc format? (by ladislav on 2009-09-23 23:33:49 GMT from Taiwan)
I write them all down in .doc format and then upload them to an email account so I can access them anywhere anytime.
Well, if I want something to be accessible anywhere anytime, then the *.doc format is the very last on my list.
Why are there so many people who seem completely obsessed with the *.doc format? Isn't plain text (*.txt) infinitely more portable? Sometimes I go crazy when people send me email with an attachment in a *.doc or *.pdf format containing nothing more than a few lines of ordinary text. Crazy!
100 • Security (by Joe on 2009-09-24 00:51:12 GMT from United States)
In my experience, too many computer users think of IT security as an "inconvenience". It'll never happen to me! That is, until their data or computer gets hacked or compromised. Cleanup can be very time consuming and expensive. And, there are no guarantees that all of your data can be recovered.
If you're one of the ones who think security is overblown, it's likely you haven't been hacked, or had to "clean up" after someone who let their guard down. I hope you never fall prey to any of the methods that hackers and criminals use to spread malware or to create botnets. And, there are always the script kiddies armed with the latest exploits. If you're lucky, your system may never get compromised. But, why take the chance?
Basic security doesn't take much work. Create a user account. Use good passwords. Keep your system updated. Most basic security measures only take a few minutes to implement and, in most cases, can be implemented regardless of distro choice. Or, take it a step further and change the default username and password for your router. If you use wireless, set up security (WPA2 would be my choice -- hardware permitting); and don't use a SSID name that lets everyone know who you are, or entices someone to try to log onto your wireless network. At a minimum, like a lock on a door, your measures will keep honest people honest and may very well persuade a determined hacker to pass you by as they look for easier prey.
@93. Nice try Notorik ;-) @95 Funny response Forest.
101 • re: AU (by nix on 2009-09-24 02:17:44 GMT from United States)
As far as I know su is short for 'substitute user ID', not 'superuser'. Su can be used to change to other users than root.
Actually, I have heard su stand for:
Substitute user (rare)
Checking the man page:
su - change user ID or become superuser
Well, based on the name description, you can see where the "superuser" phrase may be implied / applied.
102 • Berry-0.98 (by RollMeAway on 2009-09-24 03:06:30 GMT from United States)
I have tried Berry in years past and it worked reasonably well.
My last try was last December, the 0.94 version.
Had numerous problems, and no place to find resolutions. Gave it up, moved on.
0.98 failed to run for me.
All my computers use IDE drives (even those with SATA capability).
Fail message said it could not load "/modules/ide-cd" .
It couldn't find the CD it booted from.
103 • No subject (by Anonymous on 2009-09-24 03:58:12 GMT from United States)
Can we give up on the "su" name already? It's been thrown around like a hot potato.
All you need to know is how and when to use it. Nitpicking, that's all it is.
I use a zip file to store my passwords in and then password protect that file. The file inside is a TEXT file. And I agree ladislav.
104 • Su again (by AU on 2009-09-24 06:08:14 GMT from Germany)
I see there are still readers interested in the meaning of su.
I think that my previous comments (13 and 20) uncovered nicely what the situation is. I will sum it up once more, because there is still discussion going on:
Originally, the su program was a very simple program which had only one function: to make the user superuser. The programmer added the following comment to the source:
/* su -- become super-user */
This shows that the programmer meant su to be short for super-user.
Later, more functionality was added to su. The programmers who created the current implementation of su have placed the following comment in the source code:
* su - switch user id
This shows that they intend su to mean 'switch user id'.
These are the facts. You can choose what you want to make of it yourself.
105 • No subject (by forest on 2009-09-24 09:27:00 GMT from United Kingdom)
Ref # 102
RMA, never had any real success with the Berry collection. I begin to wonder if some of these one man and his chow distros are really worth the effort of trying...I speak personally here btw.
If, as has been suggested, they are supported as and when, through no fault of the developer I hasten to add...(s)he has to eat and earn a crust sometime, LOL...it stands to reason they cannot really offer the same support as Canonical say.
This is NOT to say these ventures are a waste of time universally, but a distrohopper has only so much time to devote to a hobby and there are so many choices around.
I for one prefer to try out a "sure thing" which does not need hours of trawling thru' help forums only to discover "your" particular hardware is not supported either because it is too ancient or too cutting edge.
[Case in point for me is that I have yet to find a distro which supports 802 draft n devices. I'm not saying there is no support out there...just that I have not found it.]
That said some of the bigger, better supported distros do not always come up with "universal" wifi support either...and I include a, b/g let alone n.
Just tried Trisquel and that did not find the wifi. Parsix on the other hand was another one of those Uxx based distros that performed very well and needless to say found the wifi and connected without fuss.
And, whilst on the subject of distros worldwide, I too would like to read more views/comments on "national" distros. Like most people I suspect we have all had our fill of the "su" debate, LOL, there is after all only so much you can say on the definition without repeating, in slightly different terms, earlier posts.
106 • No subject (by forest on 2009-09-24 09:42:44 GMT from United Kingdom)
Still on the wifi theme...you may have read of the fears that some folk have about the RF radiation. Very fortunately a UK estate agent (realtor in US speak?) has found the solution:
Thank goodness we take these things seriously in UK...
107 • @97 (by Michael Raugh on 2009-09-24 11:56:24 GMT from United States)
I'm fond of Password Gorilla (http://www.fpx.de/fp/Software/Gorilla/) myself. It's cross-platform, simple to use, and keeps the passwords in a standard format readable by PasswordSafe and compatible apps.
108 • Re: #97 - passwords and su (by Pearson on 2009-09-24 16:19:34 GMT from United States)
One approach to maintaining passwords is to use a "password algorithm" that you can remember. Maybe something using the first letter of the site, incorporated into a "passphrase" (or the first letters of each word in the phrase) easily remembered.
For instance, you can make the password simple like "DontCare" if it's for something trivial like reading a newspaper.
For the bank, I definitely recommend an obfuscated passphrase. Take some quote that you can easily recall, use the last letter of each word, capitalizing the nouns, and use numbers as you can (if the word is "great" then use 8).
109 • No subject (by forest on 2009-09-24 17:51:08 GMT from United Kingdom)
On the topic of passphrases why not simply invent something so unlikely it could never be guessed easily, (if you know a quote so will some computer...) eg:
ShakespearesurvivedsolelyinashackinStratford, or, SantaClaussteadilysipssangriainsunsaturatedSahara.
Numeralise (sic) the letters where possible...uppercase the nouns or pronouns or verbs or prepositions wotever and use alliteration, as above, to help you remember. Or put in spaces every so many characters, actual words not withstanding.
Anyone trying to unravel that lot would think you demented and probably give up.
110 • RE:47 Security (by Anonymous on 2009-09-24 17:53:00 GMT from United States)
There needs to be a way for a user to log into another partition with read/write access without SUDO or giving root access. Some are booting puppy to get around this.
111 • Storing passwords (by Jesse on 2009-09-24 18:26:10 GMT from Anonymous Proxy)
My rule of thumb is that you shouldn't write down passwords at all. And they should never be stored some place like a .doc file or .zip file. Both are trivially easy to get into, whether those files are also password protected or not.
If you really have too many passwords to remember, and you must write them down, put the passwords on a piece of paper in your wallet. You are much more likely to notice if your wallet is missing than if someone has broken into your e-mail or taken your USB key. Sometimes the most simple solution is best.
Word, text or zip files are very easy to copy or sniff over the network.
112 • No subject (by forest on 2009-09-24 18:31:38 GMT from United Kingdom)
Do I take this to mean that if an attacker has physical access to a machine, they need only start up the machine with a "recovery" disk, do the thing with the BIOS boot up selection and...recover your data?
I can understand why some organisations have staff machines with no physical "ports" at all.
Perhaps CM might touch on the notion of encrypting folders and files as well?
The more you learn the more you find you did not even suspect...I can foresee another google session.
113 • Boot multiple distros over the internet (by RollMeAway on 2009-09-24 19:57:57 GMT from United States)
If you have high speed internet, this may be of interest to you.
I just burned a 576 Kb (not Mb) iso to a CD (floppy and usb images available).
Booted the CD, and selected "Debian Live LXDE" from a large selection of distros.
Although it took several minutes due to my network, it really worked!
I did have to create /etc/resolv.conf in order for firefox to access the internet.
Perhaps after you get your passwords all copied to yellow stickies, and tucked in your shoes, OH and look up the latest definition of 'su', you might want to look into an interesting approach to accessing Linux and BSD distributions.
You can select an installation or live version of several distros to boot.
Better unplug your hard drives first, so no bad guy can access your data!
114 • #113 (by Notorik on 2009-09-24 23:13:47 GMT from United States)
...and remember to always wear your foil hat.
115 • Stupefied (by Landor on 2009-09-24 23:20:56 GMT from Canada)
I saw an analogy between your door locked and repeatedly checking it. I found such a thing completely and utterly absurd to say the least.
When a person leaves their home they leave it with the sense that it's as secure as they can possibly make it. When you buy a lock (of any sort) you buy one that fits the needs of being "properly" secured. You don't buy something that could be twisted off, easily worked around.
From the dawn of time people have had to deal with other people taking things that belonged to others. In that time we've dealt with the issues as they arose. Go to any mall and listen in the parking lot to the people setting their "built-in" alarms on their vehicles to prevent them from being stolen. If you found out your alarm system was easily compromised you'd most assuredly rectify the matter so your vehicle wouldn't be easily stolen. You can say that your vehicle is worth X-amount of dollars, but in all truth, how much is your identity worth? Credit information?
In the sad state of the world that we live in, where so many are out to take from you by any possible means I find anyone disregarding it simply stupid, nothing more.
The next time you lock your door on your house, set your car alarm, or even see a police officer, remember, anyone who protects their computer as seriously is a paranoid idiot, then call yourself a hypocrite, as well as clueless.
Keep your stick on the ice...
116 • Gnome 3 (by RollMeAway on 2009-09-25 05:12:31 GMT from United States)
Looks like it won't be long before the gnome users get their cart turned over, like kde users did.
117 • Re:@99 (by BSD USer on 2009-09-25 12:35:30 GMT from United States)
99 • RE: 97 *.doc format? (by ladislav on 2009-09-23 23:33:49 GMT from Taiwan)
I write them all down in .doc format and them upload them to an email account so I can access them anywhere anytime.
And distrowatch should be about Unix. Looks like the readers are Windows users.
118 • @114 (by Nobody Important on 2009-09-25 16:33:13 GMT from United States)
Ah, but I'd gladly trade my headspace for peace of mind about my debit card number. Better to look an idiot than be one, as you so thoughtfully proved today.
Landor, you deserve a high five.
119 • Data Security (by Joe on 2009-09-25 23:09:41 GMT from United States)
I would think that repeatedly checking locked doors might be interpreted as OCD. :-)
Encrypting the data partition may very well be the best security option for homes and small offices. Forest dropped a hint to CM about touching on encrypting folders and files. But, if I remember correctly, you mentioned you have some experience encrypting partitions on your systems. People respect your opinion. Maybe it's time to pen an article for DWW?
120 • No subject (by Lock Me Away on 2009-09-26 01:33:14 GMT from United States)
There's a performance loss using LVM or encrypted files.
Just because you're not hearing a lot of disagreement doesn't mean this whole security issue isn't taken with just a grain of salt.
Those that work in the field or are paranoid fearful types will have more security than Fort Knox. The rest of us will just take simple steps.
You're really preaching to the choir with all this security stuff. Those that agree will and do use it, the rest of us just don't. Get over it!
An answer to "all it takes is just once" - Ok, all it takes is just once for a jet engine to fall off a wing and hit me in the head .... get the idea.
You can and will just preach and preach and preach, but in the end it's just you and the choir singing its praises.
The rest of us are using password zip files, passwords that we haven't changed in 30 years. Stuff like that.
121 • Puppy 4.3 (by Notorik on 2009-09-26 05:58:27 GMT from United States)
All you security obsessed potato heads will probably hate this but Linux Magazine has a nice review of Puppy here:
122 • RE: 121 Puppy 4.3 (by ladislav on 2009-09-26 07:14:24 GMT from Taiwan)
You call that a review? To me it looks like three paragraphs of random excerpts from the official release notes the author scribbled down over a tea break.
123 • [OT] Etoile for search (by Flushy on 2009-09-26 10:42:27 GMT from Austria)
This is off-topic, but would it be possible to add the etoile package to the search engine. It's a desktop manager and it would be really nice to see, which distribution offers a recent version of it or which distribution provides it at all.
See all: http://etoileos.com/
124 • Re: #122 Puppy 4.3 (by Andy Axnot on 2009-09-26 12:36:48 GMT from United States)
It certainly is a very brief review, and just gushes over Puppy without considering any downsides. But it is still interesting and informative. It gave me some ideas of things I want to check out in Puppy.
And the comments contributed even more info.
125 • RE: 119 & 122 (by Landor on 2009-09-26 15:30:18 GMT from Canada)
I had to laugh, sorry, but I think you'll find people love to hate my comments or posts more than anything else! :) People just don't like someone who doesn't follow the herd though, that's very common.
I have two reasons why I won't do one on this topic and right now. First I think you'll find CM does cover that topic and second I'm moving plus have my own side projects on the go, as I've said here.
Before I wrote one though I'd like one of the stalwart anti-security lot to write one all about why people don't need security on their computers. I'm sure it would provide a great source of amusement for the Open Source Community. Maybe Ladislav would then have a regular comic section in DWW. :)
I usually find that when reading a review of Puppy, and I totally agree with you. Whenever I go to read a Puppy review I go into it, and usually leave it, with the feeling that it's no different than the multitude of PCLOS reviews people were bombarded with a couple years ago. Usually written by a fan, or worse, a fanatical supporter of the distribution. Obviously this one was no different.
I ran Moblin 2.0 on the Acer Aspire One...I found it extremely bug ridden and a few problems with hardware. What floors me is the belief that this is production ready for an OEM? They have to be kidding. I also read that there's tons of problems across a variety of Netbooks and users also found problems on the application end of things. I really hope they don't try to put it out to the stores on systems. Not yet anyway.
Keep your stick on the ice...
126 • No subject (by forest on 2009-09-26 15:53:28 GMT from United Kingdom)
Ref CM's security article, where there is mention of PWs being changed every minute...see this:
Even if a brainy bloke(ess) invents a way of changing one time PWs really quickly, it would seem even brainier blokes(ess), with a criminal bent, find a way to exploit the situation.
Who says IT education in schools is wasted?
127 • Puppy (by Notorik on 2009-09-26 16:54:58 GMT from United States)
Oh the Puppy haters are amusing! They are more rabid than the Puppy "fanboys". I actually tried Puppy because of all the negative comments here in the DW forum. Ok you don't like the review, so? I have found it to be entirely accurate IME. I just don't understand the Puppy hate. It is number 7 on the DWW charts today. Something must be terribly right with it. The more I understand about what Barry K. is doing with the "Woof" system the more I see that he is the real innovator in the Linux world. Try to get over your preconceptions, prejudices, and preposterous ego fueled rants about security. Take an unbiased look at Puppy. Let's please stop the ridiculous spy vs. spy mentality.
128 • Puppy (by Anonymous on 2009-09-26 18:51:39 GMT from United States)
Go look at the puppylinux.com home site.
The Puppy FAQ has a section just about Puppy security.
There it is written that Puppy is not yet ready for server use.
It was initially designed for client use.
Read it, then comment.
I use Debian Lenny, but I find other distros interesting.
129 • RE: 127 (by Landor on 2009-09-26 19:26:21 GMT from Canada)
First off, yes, the review is accurate. It's basically just a simple expansion (very simple) of the release notes as Ladislav stated. So as I said, yes, it's totally accurate. It was written with 0 originality by a fan.
You ASSume that I'm a puppy hater. You couldn't be further from the truth. I like BK and the work he's done, though in my opinion Puppy is/was missing a lot to make a true "complete" Linux distribution. I've been following the whole "Woof" project with an open mind and mild enthusiasm. I don't know how good it's going to be, this "distribution base build system" that he's creating, but it sure is interesting to say the least.
What I don't like is some of the community. I don't like fanboys, I don't like zealots, I don't like fanatics. I don't like when they swarm in on every single review (let's say like arch recently) where they incessantly try to force feed their rhetoric.
I can't speak for Ladislav, though I highly doubt he has any hate for Puppy (how amusing indeed) but in my regard you're wrong again, as you are/were on the security topic.
You should really try to contain your comments in a more logical fashion. When I see people strongly opposing views here they always seem to "emote".
Keep your stick on the ice...
130 • #129 (by Notorik on 2009-09-26 19:55:34 GMT from United States)
I see you "assume" (capitalization corrected for politeness) my post was directed at you. I don't usually even pay any attention to your posts because I have learned that you tend to regurgitate the cliche of the day. I wasn't directly addressing you or Ladislav. I read through the comments and responded in a general way in order to avoid personal attacks.
Apparently your other point is that the release notes for Puppy are indeed accurate. Good. Point taken and I actually agree with you. I'm not a Puppy "fanboy". I like Puppy and I use it daily running as root. Oooooh scaaaary. Why don't you concentrate on "keeping your stick on the ice" and leave the comments to people who have something to say.
131 • @ 123 re:etoile (by RollMeAway on 2009-09-26 19:58:39 GMT from United States)
The only distro to host etoile, that I could find, is Frugalware.
Unfortunately my attempt to install their 2009/07/16 version failed with a corrupt package, oniguruma-5.6.1-1 repeatedly had a bad md5sum.
No etoile activity in frugal forums, and I am not up to starting any.
Ubuntu provides it in launchpad, but I don't believe they have the current version. This is over a year old:
It appears the only way to check it out, for now, is the virtualbox image provided at the link you gave: http://etoileos.com/
Should anyone have other information, please post it.
132 • RE: Something to say (by Landor on 2009-09-26 20:10:28 GMT from Canada)
I've found the majority of your comments to only be opinion based. There's very little in the way of substance to substantiate even the smallest portion of them.
Since I've finally realised this, and based on your last comment, I'll do the same as you, skip over your comments readily.
I always prefer discussing things with people that are able to do the same in return, on a mutual level of intelligence and respect.
Keep your stick on the ice...
133 • 125, 129 (by Barnabyh on 2009-09-26 22:38:31 GMT from United Kingdom)
Hi Landor, I always read you going on about fanboys, zealots and 'fanatics', seems to be a real preoccupation for you. I've not come across many, if any, so-called 'fanboys'. Most people run several distros at a time, or like one, run it a while, and move on. For me it is mostly a release I particularly like, or a certain need at the time.
Simply liking a distro and making favourable comments about its virtues is not the same as being a 'fanboy'. It's nice for people working hard on them to find their work respected and appreciated. Other people reading favourable things about a particular version of linux (my term for trying to explain to the 'unenlightened' what a distro is) may benefit from trying it out.
I think the term/ accusation 'fanboy' is slung around too loosely. Even I got accused of being that on this very forum for merely pointing out a few months ago, shortly before the 2009.1 release of that quite popular distro, that a 2.6.22 kernel in 2007 is still fine if it supports all your hardware and serves your purpose and there's no need for the latest just for the sake of it.
Although it's pretty obvious from past postings I mostly run Debian and Slackware anyway.
Oh yeah, and what's with all this hate thingy? We're talking about comps and OS's here. Hate? Bit too strong a word. "We're gonna put your head on a spike and feed the rest to the pigs if you don't start using ***linux." Don't think so.
Keep your head up your ****
134 • 129 (by Barnabyh on 2009-09-26 22:51:08 GMT from United Kingdom)
There were plenty of comments re. Arch because we had a review of Arch linux on DWW which obviously invites comments on the topic.
It is quite different from spamming fora, newsgroups and the like with opinions, it was a discussion about the topic of the week. What else are people supposed to post about, the weather? Or perhaps RedHat/CentOS, fedora, 'cause you happen to like that.
135 • 129 (by Landor on 2009-09-26 23:39:13 GMT from Canada)
Here's a fine example.
The Arch dudes posting here are either literally as dense as a rock or zealots. I came to the conclusion of the latter. There's no way in hell that many people just shot through the comments section without reading and seeing that others commented about Chakra already. If anyone tells me that every single one of them did, well, then I'll come to the conclusion that they're Zealots and stupid. If they did read it and posted anyway they're stupid and Zealots.
Keep your stick on the ice...
136 • Back on Track (by Joe on 2009-09-27 00:25:20 GMT from United States)
Has anyone tried Absolute on a system with an ATI graphics card? I installed it on one of my laptops, but it just boots to a blank screen.
Trying Berry Linux. Booted from the live CD okay, but when I install it to the hard drive, I get a blank grub file (will work on that tonight).
Also trying G:Noblin. Installed to the hard drive okay. Tried to config Wifi, but the user I created during the install wasn't a member of the right group. When I tried to modify the user/group, I found that Users and Groups wouldn't work. Tried removing and reinstalling liboobs and system-config-users, but no improvement. I ended up manually editing the /etc/groups file. Anyone else tried it?
137 • @130 (by Nobody Important on 2009-09-27 04:37:56 GMT from United States)
Why do you persist on being so rude to everyone? Don't you expect the same right back? I gave up politeness with you weeks ago; I'm surprised Landor, or everyone else here, is as cordial as they are.
It's amazing how snotty some people are, these days, over what, some advice to run a few commands and secure their computer? Goodness, kids these days. You try to suggest that they keep their data and CPU under wraps, and they just bite right back. If they don't learn, well, what can you do?
It's your choice, Notorik, for running as root. We know. Thanks for telling us the obvious. Now what have you added to the conversation other than aimless ranting and raving?
I haven't tried Puppy yet, I'll add. I did try MoonOS a bit ago, which looked and ran fantastic (thanks to Enlightenment). Canonical should hire that artist that runs the distro.
Speaking of Ubuntu pretty, I suggest people go take a look at Softpedia's new pictures of the new Ubuntu theme. It's certainly a step in the right direction; very clean, focused, and simple - all of which are Gnome's strong points in art design. Good to see someone's thinking.
I've got a few more distros to sample, and Puppy's pretty far down the line. Never moved me much; the package selection's bare, which bugs me, and both 4.1 and 4.2 alienated me for various reasons. If Barry's Woof project works out, I may consider moving it up on the priority list. Maybe I'll throw it in a VM for a few minutes, but I can't say I'm the target demographic anyhow.
I've been meaning to give FreeBSD a spin; I'll probably wait until the final release of 8. Looks like a good release to me; some neat tricks are going in that Linux could learn from. And it seems like a fun challenge to boot.
138 • #137 (by Notorik on 2009-09-27 09:00:48 GMT from United States)
It is pretty obvious that I am the minority voice here and I have been attacked non-stop for simply expressing a point of view that just happens to be counter to the mainstream. I have tried to avoid personal attacks as well as cruel or offensive terminology. I have not received the same consideration in return. However, I am not easily offended so please don't feel bad for me. Take your post for example, you called me "rude", "snotty", and insinuated that I am a "kid". All because I have expressed a point of view that you find untenable. It is strange to me that you attempted to turn the tables on me by accusing me of being the one who is "rude".
On another subject I would like to know what the general consensus is about the website "Shields Up". You can get your OS tested for security holes there. I went there running Puppy (as root with the firewall activated) and passed all the tests with the following comment:
"All attempts to get any information from your computer have FAILED.(This is very uncommon for a Windows networking-based PC.)"
"But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND(that's very cool!) "
139 • Shields Up! (by Notorik on 2009-09-27 09:07:29 GMT from United States)
Here is the link to Shields Up!:
140 • #139 Shields up (by Glenn on 2009-09-27 13:11:55 GMT from Canada)
I've used it for years to test how porous my ports may be. I do not rely only on that tool but I find it useful as did you.
It's a neat tool to test your firewall. Gibson has a lot of other nice tools also.
You should navigate thru his site a bit. It is really interesting.
I have avoided this whole topic here because I have too much to say about it. Like CM, I've been in the field a long time (40 yrs for me) and like her, I am very security conscious, esp regarding my business customers.
What I find most disturbing though is the phenomenal number of people who purchase wireless equipment and don't protect it from intrusion. (Read up on war driving). Businesses also are lax in this area.
I just had to go and pull out viruses and spyware from a small business near me. The business was assured by his ISP that for $x extra they did the security work up front so no worry! Anybody with a wireless nearby could ride on his signal; his systems' protection from other intrusions was a joke. I also had to go pull out a pile of viruses and spyware from his systems.
Today's big worry on a personal level though is identity theft. It is far easier for the crooks to crack a home user's identity than to crack a bank's system. Given a choice, what do you think they'll focus on more and more?
I always remember one thing. The moment you connect to the world via any transmission medium to broadcast and receive message traffic, you are in a fish bowl. Anybody can see, hear, what you do so you do have to take precautions where warranted. Being careful of what you transmit is a good start. Some protective devices such as software firewalls etc have also been suspected of phoning home, and the security guard you are relying on works fine with the exception that the provider of it excepted themselves. Talk about putting a starving dog to guard a meat factory. Another thing, your web browser is also used as a source of information.
Encryption is one of the best tools you can employ if you are really concerned. Not that it replaces using good shielding techniques such as AntiVirus or Firewalls, but to handle those intrusions that get past them.
For those who think CM is somewhat paranoid, she has a lot of arguments to back her up.
Sorry, I used your topic as a vehicle to launch a few opinions of my own.
For its purpose, Shields Up is ok, you can also test your own ports' vulnerability also. What you do permit to get through, say on port 80, is a different matter entirely. Then you have to choose what you will allow or not.
My opinions are always subject to change without prior notice. ha ha ha
Flames go here (---------------------------------------------------)
141 • #140 (by Notorik on 2009-09-27 13:46:32 GMT from United States)
Thanks for the response. Feel free to use my post to put forward whatever opinion you want. I would suggest however, that most things that you find "lurking" on a computer are a direct result of the spyware and virus ridden software the user has downloaded and installed from the internet. When I hear the great tales of rescuing virus laden networks I know that there was a lax security policy in place and the users were allowed too much latitude over what they put on their machines. It's like I have stated before, there is a difference between enterprise computing and home computing. As a network administrator you have an obligation to protect your company's network by putting in place stringent security policies and seeing that they are followed. As a home user, you should be reasonably sure that you are protected from unwanted intrusions by using a good firewall. If you choose to download and install software from the internet then you should scan it for viruses before you install it. Most of this applies to Windows users and is not really a problem with Linux (running a firewall is the exception). In a business setting you can't have all the users running as administrator. As a home user, running as root is perfectly acceptable as long as you understand and accept that you yourself may mess up your system if you don't know what you are doing. There is really no "security risk" as in an outside attacker compromising your system.
I am fully aware of "war driving", "script kiddies", and most of the other threats mentioned here. I recently installed a wireless network for a client and found that he had used his street address and house number as his wireless identification. Needless to say, I changed it. I have never said that you shouldn't be prudent, I just object to paranoia mongering potato heads who come up with these endless and convoluted scenarios that could only occur if 9000 different conditions were met at the same time and you are standing on one foot with a bouquet of flowers in your mouth.
142 • Shields up (by Barnabyh on 2009-09-27 13:54:31 GMT from United Kingdom)
Gibson Research's website is great and has helped me a lot in the bad old Win98/Me days, with testing firewall and things like the 'DCOMbobulator' and getting to know about and turning off other unnecessary services. It was a treasure trove for learning about the subject.
However, I believe it's mostly geared towards Windows, not sure what the benefits are if you're running Linux or BSD, there may be other security issues the site is not testing for because it's not designed for that. I seem to remember Gibson's field is researching Windows security, supposedly that's where the money is (and the necessity, more than anywhere else).
Anybody know more about this? Thanks.
143 • reviewing lightweight distributions (by jack on 2009-09-27 14:35:23 GMT from Canada)
Perhaps the reviewers of these distros could specify what apps are NOT included.
On a "full" distro one expects everything and the kitchen sink so even if an app is not mentioned it probably is included.
Given the problems that Linux seems to have with multimedia apps, these should be mentioned.
144 • Security vs the paranoid (by Bender on 2009-09-27 15:01:53 GMT from Belgium)
I am kind of paranoid, and after many years of computing (and I started with a Zilog processor with CP/M) came to the conclusion that, for me personally, the only way to deal with that is to use 2 operating systems.
My fun OS is Windows XP. I use it only for gaming and converting media (because I don't have to read ffmpeg manuals, just point and click) and Skype (yeah I know, Skype is pure spyware, checked it with filemon.exe or the strace command if you are using Linux), but I have nothing to hide on this XP machine, it doesn't hold any financial data, browser history (no real personal anyway), email or other personal data. This saves me hours of configging wine, or hunting for why this game works in this wine release, and another doesn't. And it gives me the full experience of the game. (And please don't come up with some example where game X runs far better in Linux.) If I mess up this OS, I'll just replace it by cleaning the MBR, and placing a fresh image back (this all takes 5 minutes).
My other operating system is Puppy Linux from USB stick. Yes, the little daredevil I am, I'm running this as my main operating system. I even use it for online banking, doing all my spreadsheet stuff, email, writing letters, coding in C and C++ and emailing. I THINK this is perfectly safe. But I do run my internet related programs as restricted user "spot". And my browser is not allowed to run any scripts until I allow it to. I keep this Puppy install clean and simple. Just because it is my main OS.
I think that running as root is safe for me. Because I know that running as user will allow an evil script to run in your userspace, collecting and sending data from your userspace. (And guess where you as a user have your private data...., exactly, in your userspace/home folder/and folders accessible by you as user.)
I have to agree with Notorik here. Most security problems happen when a user installs some spyware/virus by doing a dumb thing (clicking too easily, or allowing the wrong sites to run certain scripts).
Reading the end of comment 12 made me laugh and feel sorry for the guy. Apparently the FUD here is working.
Don't let this paranoia take over your life (it will mostly last for a week or so, and then you install Skype) and try to think logically.
As for Notorik: I suggest you ignore Landor. He always thinks he is right, and rejects any opinion that differs with his.
145 • Shields Up and stuff (by Joe on 2009-09-27 15:22:28 GMT from United States)
I stumbled across Shields Up when I was looking for a newer version of Steve Gibson's Spinrite app years ago. Useful tool when scanning for open ports.
As anyone who has read my posts knows, I'm an advocate for basic security -- not a security nut. That doesn't mean I'm not open to learning more. When I help someone set up a system, we talk about firewalls, secure passwords, etc. Basic stuff. If they have wireless, I help them configure it so they are less vulnerable to intruders. I would also do exactly what Notorik, @141, did to help his client.
Several years ago, I went on a service call to an executive's residence to troubleshoot a wireless connection issue. There were 7 wireless networks in the neighborhood, his included, all wide open, and all named "linksys". I configured my client's router properly, and his connection problems were resolved. Again, just basic stuff.
146 • #141 (by Glenn on 2009-09-27 15:24:26 GMT from Canada)
No argument from me on your post.
Your points are well taken, especially the self-inflicted wounds re downloads. The average HomeUser does not know a thing nor does (s)he care. To them it is power on and go. They are the most vulnerable ones. Perfect scenario for bots, etc.
Scraping from Facebook, Myspace, Twitter, etc. is another form of security exposure that is definitely self-inflicted. Same thing but different implementation of presenting your personal and/or professional data to the world at large.
I would like to remain however on record as thinking that home use of computer systems (and other communication media such as iPods etc.), controlled by Linux or other software, should be considered more seriously because of identity theft. I do agree with your concern re overkill. That is where we, the purported experts, should be able to provide reasonable guidance when asked. Unfortunately we are never asked. It is a matter of degree.
Because of my field of work, enterprise computing and personal computing do tend to blend at times. (I work primarily on large mainframes, z/OS, etc. as a sysprog, system engineer). Dang.
I guess I should have been more clear but I tried to cram my thinking into too few sentences. This is a bit of a ramble also. Sorry about that.
I do not find too much problem with Linux and personally consider that it is more secure by the very nature of its design than other systems that I am familiar with. I could be corrected on that however.
GRC is primarily geared towards Windows as the other poster mentioned but it is an easy test to see what ports are easily visible... I have my own sniffers to go much deeper if I feel the need to do so.
I, like you, run Puppy as root also at times; I have applied what I consider reasonable protection.
We on this comments area are aware of all this stuff because we are interested enough to come on and talk about it... 97 percent of the user population does not.
We even care enough to scrap about it.... I like that.
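Comments 145 and 146 both point at Shields Up as a quick way to see which ports are visible from outside. The same question can be answered from the machine itself, before anything is exposed: the kernel lists every socket in /proc/net/tcp and /proc/net/tcp6, and a listener bound to the wildcard address (0.0.0.0 or ::) is the one a remote scanner could see at all, while one bound to 127.0.0.1 or ::1 is reachable only locally. The following is an added example, not code from the thread or from GRC; the two /proc excerpts are constructed sample data and the column layout assumed is the one the Linux kernel has used for these files for many years.

```python
"""Added example: list the TCP ports a Linux box is listening on by parsing
/proc/net/tcp and /proc/net/tcp6, and flag those bound to a wildcard address,
which are the only ones an external port scan could reach.

Assumed /proc layout: whitespace-separated columns
  sl  local_address  rem_address  st ...
where local_address is "HEXADDR:HEXPORT" (address in host byte order,
IPv6 as four host-order 32-bit words) and st is the hex TCP state.
"""
import socket
import struct
from typing import List, NamedTuple

LISTEN_STATE = "0A"   # TCP_LISTEN in the "st" column


class ListeningSocket(NamedTuple):
    addr: str
    port: int
    family: int
    exposed: bool      # bound to 0.0.0.0 or :: (all interfaces)


def _parse_addr(hexaddr: str, family: int) -> str:
    """Decode the kernel's host-byte-order hex address into text form."""
    if family == socket.AF_INET:
        # One 32-bit word, little-endian on x86: 0100007F -> 127.0.0.1
        return socket.inet_ntop(family, struct.pack("<I", int(hexaddr, 16)))
    # IPv6: four 32-bit words, each little-endian; re-emit them big-endian
    words = struct.unpack("<4I", bytes.fromhex(hexaddr))
    return socket.inet_ntop(family, struct.pack(">4I", *words))


def parse_proc_net_tcp(text: str, family: int = socket.AF_INET) -> List[ListeningSocket]:
    """Return the LISTEN sockets found in one /proc/net/tcp{,6} dump."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue
        hexaddr, hexport = fields[1].split(":")
        addr = _parse_addr(hexaddr, family)
        sockets.append(ListeningSocket(addr, int(hexport, 16), family,
                                       exposed=addr in ("0.0.0.0", "::")))
    return sockets


def audit_from_text(tcp4_text: str, tcp6_text: str) -> List[ListeningSocket]:
    return (parse_proc_net_tcp(tcp4_text, socket.AF_INET)
            + parse_proc_net_tcp(tcp6_text, socket.AF_INET6))


def exposed_ports(sockets: List[ListeningSocket]) -> List[int]:
    """Sorted, de-duplicated ports that an external scanner could reach."""
    return sorted({s.port for s in sockets if s.exposed})


# Constructed sample data: CUPS (631) on loopback only, SSH (22) on every
# interface, one established client connection, and an IPv6 web server on ::.
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22345 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22346 1 0000000000000000 100 0 0 10 0
"""


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f4, open("/proc/net/tcp6") as f6:
            found = audit_from_text(f4.read(), f6.read())
    except OSError:
        print("no /proc/net/tcp here; using the constructed sample")
        found = audit_from_text(SAMPLE_TCP4, SAMPLE_TCP6)
    for s in found:
        print(f"{s.addr:>20} :{s.port:<5} {'EXPOSED' if s.exposed else 'local only'}")
    print("ports reachable from outside:", exposed_ports(found))
```

On the sample data the exposed list is [22, 80]; the loopback-only CUPS listener on 631 is reported but not flagged. A listener shown here as exposed is still only reachable if nothing in between (a host firewall, the NAT router the other posters mention) blocks it, so this local view and an external scan complement each other rather than replace each other.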
147 • No subject (by forest on 2009-09-27 16:41:16 GMT from United Kingdom)
Remarks apropos FUD.
Three full stops, or periods, indicate a figure of speech known as "ellipsis", which you can google if you can be arsed, but, briefly, the rest of the sentence is omitted for brevity and, more importantly, is considered understood by all and does not need further mention, explanation or qualification.
I find the most "amusing" thing about the aspect of security is how blasé folk are, with an almost childlike faith in GNU/Linux and an unshakable belief it's going to rain on someone else...rather like the blind man crossing the road/highway with absolute and utter confidence in his white cane...'til the myopic drunk decides to drive home.
148 • #147 (by Xtyn on 2009-09-27 19:18:32 GMT from Romania)
OK, that's enough.
Show me some proof that linux home users are actually getting hacked and that security on linux is a problem.
P.S. Run forest run.
149 • Heh (by Nobody Important on 2009-09-27 20:15:13 GMT from United States)
The greatest security risk by far is ignorance.
Some of my immediate family likes to do what the computer tells them. So when they download wallpaper.jpg and then the program tells them to rename it as wallpaper.exe and run it, you know what you're dealing with.
Windows XP didn't do such a great job with the locked-down user. It's kind of hard to keep that under wraps; a lot of common functions are locked off and you need to log out and back in to get to them.
Most Linux distros are far better at this. This is why I want to make them all run Ubuntu or some other Linux - I can make them learn this, unlike the first time! Is it a bit overstating when saying that anything that requires a password in Linux is a touchy operation? Well, yes, but it's closer to the truth than "let's let everyone have my password willy-nilly."
150 • Linux Hacking (by Glenn on 2009-09-27 20:26:15 GMT from Canada)
Google will bring up quite a few interesting ones. In fact apache.org got hacked around sept 2 it seems.
There is no system that cannot be hacked.
It is a matter of degree, effect on the target, purpose of hack, etc.
Security on Linux is NOT a problem. It is the degree of use or lack of use of it that is the issue in my mind. In some cases I do not care if I get hacked, others I do. I apply the appropriate security depending on the situation.
To each we can let them reassure their own feelings of security and how they will implement measures. I personally think that the average user is not aware of the exposure we have these days of corporate, government, etc. voyeurism. Some is for curiosity and amusement, some is malicious. As always, it is up to the user to determine the risk. I consider that in general, people do not realize.
These arguments we're having are entertaining and informative.
Now I will go enjoy the new Nikon I just purchased.
Flames go here (---------------------------------------------). I'll roast coffee with them.
(Insert big smile here)
151 • 149 (by Glenn on 2009-09-27 20:27:31 GMT from Canada)
I like your post. Nicely put.
152 • Security and Linux (by Joe on 2009-09-27 20:48:27 GMT from United States)
Just search the web. You'll find numerous instances where Linux boxes have been hacked. Although hackers typically target high-profile servers, some of the same types of exploits could be targeted at home users. As the popularity of Linux increases, we may see that happen more frequently. There are a lot of teams at work behind the scenes keeping their eyes on the code, from the kernel, to window systems like X11, to the applications themselves, tracking down possible exploits, responding to real-world situations, and providing us with patches, when necessary, to keep our systems safe.
And, even if you have never been hacked, it's likely that someone is tracking what you do online, if for no other reason than to target advertising.
Sign up for a few of the security focused mailing lists and you'll see what types of exploits are found every day.
Most home users probably won't get hacked. And those that do often bring it on themselves as pointed out in @149.
Personally, as a home user, I'll use basic security precautions; if I use a home server, I'll use a little more security depending on the services that I'm running; and, if I'm working for a corporation, I'll do what I can to keep my company's data safe.
153 • No subject (by forest on 2009-09-27 22:17:46 GMT from United Kingdom)
Well, there you are Xtyn, it seems you need only google and it shall appear, and I must say you might have thought of that yourself. LOL.
In all seriousness, Xtyn, when I travel by air, I don't really expect there to be an incident given the statistics (and that's an entirely different topic), but I take out insurance.
When you see the businessmen in the City (of London) with rolled umbrellas even on a summer's day they don't really expect rain but they are covered (groan) just in case there should be a summer shower.
It's all to do with being prudent...when I cross the road I look both ways...you see where I'm going on this? (more groans)
Now, CM is vastly more experienced than I am in Linuxland, and I even have a sneaking suspicion all this programming stuff really does mean something to her.
So when we hear of CM's experience of other folk's disasters, and, read of her caveats about being online, a prudent man (woman) takes the notion of security seriously.
You may heap scorn upon ridicule upon disbelief because that is your choice. I take the view that foresight is rather more useful than hindsight.
154 • The problem (by Nobody Important on 2009-09-27 22:32:48 GMT from United States)
Thank you, Glenn.
Do I worry on a regular basis about security? Not really. Linux' security is pretty dang good if you configure it properly and have a good password. I'm pretty picky about what I do with my data by nature; only a site or two get my (real) information anyway.
I think it's a good idea to keep safe because Linux IS under attack constantly, on the server front. The same exploits work on my laptop if they work on google.com, which scares me just a bit. The platform isn't nearly as obscure as we think. So while I'm not constantly on alert, I'm also not running around asking to get hacked.
There's no need to go out of your way to be secure. Linux is pretty good at doing it for you, once you have the habits down (unlike Windows; Mac OS X isn't bad). It's easy for people to learn, as well.
155 • No subject (by No Clue on 2009-09-28 01:49:55 GMT from United States)
I hear the "choir" singing, fud, security, fud, security. Thank God it's Sunday night and we can have something new (hopefully) tomorrow.
This security nonsense is just a waste of time. We do reasonable precaution and eat, drink and be merry.
This week's weak comments are a wash. Bring on Monday.
156 • #153,154 (by Mr. Safety Pants on 2009-09-28 02:59:01 GMT from United States)
Be careful not to go outside, there might be a lion in the street waiting to eat you all up! Better safe than sorry!
157 • what I ask, what they answer (by Xtyn on 2009-09-28 06:21:50 GMT from Romania)
You people didn't read what I asked, did you?
Let me repeat:
Show me some proof that linux HOME USERS are actually getting hacked and that security on linux is a problem.
I ask this, you people come with servers, well, what can I expect?
Servers get hacked, that's for sure.
There is no 100% secure OS, whatever security precautions you take.
Does this mean we have to make a home computer as safe as a government server?
158 • No subject (by forest on 2009-09-28 08:42:11 GMT from United Kingdom)
Xtyn, you're not really getting this are you? You are now into the hair splitting region, LOL.
Neither you, nor I, nor anyone else has ANY idea what some people keep on their home computers and what they might be used for, have we?
It's pretty obvious the folk who pooh-poohed the security thing are just embarrassed cos they have been blissfully ignorant all these years grinning like Cheshire cats in their delusion they were safe from the attentions of some bad guy.
Now, following the revelation all is not safe in the garden after all we find the post rationalisation thing emerges in the usual and all too predictable scenario of face saving etc etc.
It's OK to be wrong now and again.
Number of Comments: 158