 DistroWatch Weekly |
| Tip Jar |
If you've enjoyed this week's issue of DistroWatch Weekly, please consider sending us a tip.
(Tips this week: 5, value: US$25.29) |
|
|
|
 bc1qtede6f7adcce4kjpgx0e5j68wwgtdxrek2qvc4  86fA3qPTeQtNb2k1vLwEQaAp3XxkvvvXt69gSG5LGunXXikK9koPWZaRQgfFPBPWhMgXjPjccy9LA9xRFchPWQAnPvxh5Le |
|
| Linux Foundation Training |
|
| Reader Comments • Jump to last comment |
1 • jails (by nolinuxguru on 2016-12-19 10:24:51 GMT from United Kingdom)
I have been using Firejail for a while to isolate Firefox, Icedove [email]. I use the supplied profiles for these applications, but customise them to further restrict the ways programs such as Firefox can propagate any malware. I like the way that I can compile the Firejail program from source [it does not have the usual rats-nest of dependencies, and is small enough that even I can understand how it works].
2 • Bodhi Linux (by aguador on 2016-12-19 10:52:30 GMT from Spain)
Enlightenment is my DE of choice, but I have never quite managed to relate to Bodhi, in part because of its Ubuntu base, but more because of Midori and the AppCenter. Midori, while light on resources, in my experience has always seemed slow as well as limited. Firefox is an option, but (at least in the past) does not come enabled to use the AppCenter. So, one reverts to Synaptics, a great option for most, but more complicated for newbies who might be better served by a more traditional software center approach.
Jeff has made good contributions to Enlightenment, including ePad which has to be the absolute lightest notepad application around given its use of EFL and arguably better than Ecrire in some ways. I understand that E is undergoing constant development -- and improvement, so forking it due to momentary frustrations was a shame. Still, Bodhi seems to have found a niche and I wish the project well.
3 • Brisk Mate Menu (by aguador on 2016-12-19 11:01:23 GMT from Spain)
Mate was my first DE and I am amazed at the progress it has made. A recent test drive of a live version of Ubuntu Mate was a surprisingly pleasant experience with good configuration options. The thing that sets it apart from Linux Mint are the application menu and interface options. Mint Menu is good conceptually, but a bit wanting aesthetically. A faster, more aesthetic (Budgie- or Cinnamon-like) menu will, is sure to welcomed by regular users.
4 • Brisk Mate Menu (by sydneyj on 2016-12-19 11:56:38 GMT from United States)
I very much agree with @3 aguador regarding Brisk menu for Mate. I use Arch/Mate now, with the MintMenu. The menu is quite good, but a bit buggy (a couple of irretrievably broken links), presumably due to GTK2/3 issues. I would be happy to see the Cinnamon menu ported to Mate, since it doesn't require an extra click to get to Favorites, and the menu can grow in size as items are added. A hybrid Cinnamon/Budgie menu might be just the ticket, as well.
5 • Mate Menu (by Pikolo on 2016-12-19 12:19:00 GMT from United Kingdom)
Rewriting a menu in C sounds like a very anti-trend move to me. Isn't Gnome moving from C to Rust? Isn't C famous for buffer overflows? I've seen dozens of articles on "why we should limit the use of C" just this moonth. A truly bizarre development.
I'm surprised there are so many Qubes users on DW. I Joanna Rutkowska has shown a graph, on which there are <7k users, and already 16 of them voted. Though their % will probably drop over time. All in all, 60% of Linux users using process isolation is impressive.
6 • <3 bodhi (by meanpt on 2016-12-19 12:42:25 GMT from Portugal)
... been with bodhi since ... rats, I'm getting older. Since then I only miss one thing: the the original ram's 76 MB landing DE which I proudly showed off to the the wd$sy friends.
7 • New menu in C (by Jesse on 2016-12-19 13:01:38 GMT from Canada)
@5: >> "Rewriting a menu in C sounds like a very anti-trend move to me. Isn't Gnome moving from C to Rust? Isn't C famous for buffer overflows? I've seen dozens of articles on "why we should limit the use of C" just this moonth. A truly bizarre development."
In this case it makes a lot of sense. C is still one of the main languages to use when performance is a primary focus. And, in this case, the risk of buffer overflows or similar memory corruption errors are not really a concern. Remember, the application menu is run as the user who is logged in and sitting physically at the computer. If the user manages to somehow exploit a flaw in the code, all they end up with is the ability to run code at the computer where they are already sitting, running whatever code they want. In this instance, C gives a boost in performance with no practical downside.
8 • @ Joshua (by geert on 2016-12-19 13:06:56 GMT from Netherlands)
>For users with older computers, some of the modern Linux distributions can be too resource intensive. Bodhi Linux 4.0.0 is a lightweight distribution designed for those users. The minimum system requirements are a 500MHz processor, 128MB of RAM, and 4GB of disk space. The recommended requirements are a 1.0GHz processor, 512MB of RAM, and 10GB of disk space.<
Of course, if only you just boot the computer and don't do anything. All processes have to work in RAM, and more you have apps open, you need more RAM. And, remember 32 bit is "legacy" now.
9 • Bodhi Clock (by Thomas on 2016-12-19 13:20:50 GMT from France)
The clock widget in Bodhi mimics clocks made with Nixie Tubes or similar technology.
10 • Re: #2 / Midori (by Jeff Hoogland on 2016-12-19 13:34:03 GMT from United States)
Always amusing that we ship as few applications as possible and yet people still find a reason to dislike them. We know midori is feature light. It is also only 5~ MB to install so it isn't wasting much space like Firefox or Chrome would (because there are plenty of people who hate each of those). We expect and often encourage people to install their full browser of choice.
For reference the latest version of Bodhi as a dedicated "app center" menu launcher that opens a midori browser to just the appcenter URL. Pretty easy for a novice end user to always use that to grab software even if they use something else as a primary web browser.
Also - APTURL (the protocol the AppCenter uses to make the browser call the package manager) works with Chrome and Firefox if you configure them properly.
11 • Greetings (by Thom on 2016-12-19 13:55:41 GMT from Sweden)
A thank you to the team behind DW for another year of dedication and philanthropy.
Best wishes for the season and the new year.
12 • Bodhi (by jaws222 on 2016-12-19 15:17:44 GMT from United States)
I've always appreciated the fact that Bodhi was extremely lightweight. As far as the browser I usually go to the app center and install Chromium cause I like it and usually install whatever else I want or think I may need. I've never understood why people complain either Jeff.
13 • Firejail (by a on 2016-12-19 15:56:28 GMT from France)
I tried using firejail but it makes programs crash/exit without any message as to what the problem is.
14 • Firejail (by Jesse on 2016-12-19 16:08:08 GMT from Canada)
@13: If your application is crashing, it is probably because no one has created a Firejail profile for it yet. I ran into this with the Qupzilla browser and submitted a new profile for it to the project for future releases. You can request new application profiels here: https://github.com/netblue30/firejail/issues/825
15 • service isolation with systemd (by Scott Dowdle on 2016-12-19 17:18:03 GMT from United States)
Just wanted to mention that systemd has a number of security related features so you may separate services with isolated filesystems, /tmp, network name spaces, etc.
16 • Bodhi (by Gibson on 2016-12-19 17:35:32 GMT from United States)
I really appreciate that Bodhi offers install images without preinstalled software. Whenever I install a new distro the first thing I normally do is purge a bunch of default applications that I won't use and install my own choices. Bodhi's super lightweight text editor and web browser (which also serves as a software center) are just enough to get going without getting in the way of my own choices.
I actually really like their choice to use the web browser as a basic software center. It keeps with the pattern of minimalism and simplicity. I played with Bodhi for a while shortly after being introduced to Linux and as a total amateur I never had a problem with their approach to software installation. In fact their minimal selection of apps made it easier to find what I was looking for. Now that I've been around for a while the midori interface might not meet my needs, but at this point I just use apt-get.
17 • firejail crashes (by nolinuxguru on 2016-12-19 17:57:20 GMT from United Kingdom)
@13 If you haven't reported this elsewhere, it would help if you said which programs crashed [bit quiet this week].
18 • OpinionPoll-Process isolation (by CucumberLinux on 2016-12-19 18:07:39 GMT from Germany)
Nothing to technical, just my uneducated observation, if I may. Thank you.
I somewhat did write this in a hurry, but you will understand what I point out;
ISOLATING AND QUBES OS DATING
Currently I am not using any software in order
to isolate processes from the rest of the operating system from my GNU-Linux or LinuxDistributions, call it what you want. Generally we feel what I am talking about. Because this process is somehow new to me. However I have tried like 1 Year ago to install on quad core 16 Gb Ram PC (Boot Mode -Legacy), the QubesOS Distribution, with zero success. The Anaconda installer from Fedora, was a pain do work with ( freezing itself or just not detecting hardware). Ever sins I never bothered with it. But I find
the QubesOS as an very interesting Project in itself. Perhaps not that interesting for people with low specs Hardware.
FRESH INSTALL OF DISTRIBUTION
If something happens I have no problem with fresh installs. (Backing up the Data is priority all the time) At the same time I am refreshing my knowledge, by doing fresh Installs of the Distribution.
This way I do not forget, the basics, because I am not that
clever. Speaking here just for my tiny private needs.
FIREJAIL AND VIRTUALBOX AND MY DATING WITH LINUX
Firejail is something I am going to look at, when I get more time and my butt stops hurting from to much sitting in front of the PC, solving GNU-Linux like Sumerian stone Tablets puzzles, like why this stopped working.?. Because our Linux still is a pain to work with, when done some regular updates and they mess up previously made configurations! Or you want to install for Libreoffice the hunspell, but by doing so it removes the Thunderbird.. How can you not fell like the need to throw something against the Wall, when you see this happen over and over again?
And yea after, my Eyes recover from the LED monitor constantly bombarding my pretty eyes and my Pineal gland with its fantastic bright energy saving light..(Wait I need to grasp for Air)
Now, back to the subject;
Wish this Frejail would be already installed on the ISO. And after installation of the Distro to be asked,
if I feel like to configure the Firejail, or maybe just maybe later.
Now about Virtual boxing everything up;
Virtualbox is the easiest, but at the same time I use it only for testing never leave it on for long time, due to the fact that it is like having 2 Distributions pounding at the same time on 1 hardware. PC in my opinion is more vulnerable on top of it if access to the Net is given using same IP and Internet for
2 or more Distributions on one Hardware running long time..
BODHY LINUX
I am not using Bodhi Linux 4.0.0, but I have enjoyed the insight look in it from DistroW.
Thank you for the detailed and precise as always tutorial of B.Linux.
Apologies for my Grammar and Greetings to you all Linux users.
19 • Enlightened Bodhi (by Kragle von Schnitzelbank on 2016-12-19 23:41:58 GMT from United States)
I commend Mr. Hoogland for the virtuosity in forking a DE constantly being re-invented with apparent disregard for those who would build on it. This illustrates just one of the many great strengths in Freed software.
.
I vaguely remember an Enlightenment GUI for parted that I perceived as better than the popular GTK GUI, but can't easily find it any more. ¿case in point?
20 • security overly locked down (by security sense on 2016-12-20 01:16:44 GMT from Netherlands)
Over time, security distros tend to become increasingly locked down internally and harder to use, like Qubes and Tails have become. i believe this is due to poor thought-out design, and just piling security feature upon security feature. after all, if the user can't easily use the OS what's the point? instead, it's quick nowadays to install linuxen to USB drives. so best form of isolation is to install linux on one USB, secure it from leaks and intrusions, and use it for work and don't connect it to any network. then make another linux USB and use that for network stuff. job done - and without any user restrictions.
@18 "I am refreshing my knowledge, by doing fresh Installs of the Distribution. This way I do not forget, the basics, because I am not that clever."
fresh installs are good security too. who said u were dum? people are intelligent in different ways. celebrate your brain - you've only got one!
21 • @20 security lockdown (by nolinuxguru on 2016-12-20 09:15:55 GMT from United Kingdom)
@20 most usb drives are writable, so your proposed solution does not seem to provide any added security. The greatest attack method these days is through the web browser and sites that carry malware: something like Firejail can reduce any damage to the files left writable [config, bookmarks etc].
There is much that can be done to secure your computer without the recourse to the likes of Qubes: good iptables firewall script [or just use ufw], tcpdump to see what gets through the firewall and Firejail to isolate web browsers etc. No actual programming is needed, but care is needed to pick out the bits of tcpdump output that should cause concern.
Someone who can package these simple methods for everyday users would do us all a big favour.
22 • Cappsule (by Al CiD on 2016-12-20 10:03:17 GMT from Portugal)
Perhaps the reason why it didn´t work as espected in VirtualBox
"Cappsule uses hardware virtualization to launch applications into lightweight VMs..."
23 • Stuff (by Andy Mender on 2016-12-20 11:34:19 GMT from Austria)
@7,
That's not really how it works. It doesn't matter if a script is run by the user only as long as system libraries are involved (for instance, gtk for the GUI). Any overflow can potentially lead to privilege escalation. C as a programming language is not specifically prone to overflows, but rather it requires extra care to avoid them. The more complex and intertwined the software is, the more difficult it is to avoid said overflows. Rust attempts to address this via more stringent code testing during compile time, though it will take time before it's considered reliable enough to be commonly used instead of C.
@10,
Jeff, what about the webkit-gtk engine? Surely it's not a mere ~5 mb. I personally love projects like surf, midori or qupzilla, but in my hands both qupzilla and midori segfault way too often. In addition, on non-Ubuntu distributions Midori would often fail to play Youtube videos via HTML5. I use Firefox simply because it's tried and tested, though it's a different weight class altogether, I agree.
24 • C and Cappsule (by Jesse on 2016-12-20 13:46:59 GMT from Canada)
@23: >> " It doesn't matter if a script is run by the user only as long as system libraries are involved (for instance, gtk for the GUI). Any overflow can potentially lead to privilege escalation.
For a privlege escalation to happen, the code would need to either be run as another user or exploit a bug in another part of the system. (Attacking GTK doesn't help the attacker since its code will run as the same user as the menu, not as root.) Having a buffer overflow in the application menu wouldn't result in a problem in itself. If there is a flaw in a library or system call the application menu uses, then the user (who has physical access to the system, remember) can run any code they like to exploit that component. Exploiting the application menu makes no sense in this scenario since the user can link any code they want to the libraries on the system.
Your argument is basically that the user could exploit a potential flaw in the application menu to try to get at another component on the system, when the user running the application menu (and any un-isolated program they run) can already access that other component of the system directly without exploiting the menu. Attacking the menu just adds an extra, unrequired step to the process.
@22: >> "Perhaps the reason why it didn´t work as espected in VirtualBox..."
The Cappsule project provides VirtualBox appliances for people to run and test their software. Any computer with hardware virtualization capacity should have no problem meeting the requirements. My computers all have hardwre virtualization so that's not the issue.
25 • RE: 24 (by Andy Mender on 2016-12-20 15:06:10 GMT from Austria)
@24,
Jesse, thank you for the clarification. It makes more sense to me now. I think my assumption was too far reaching.
26 • Opinion poll > Selection Principals (by Yuri on 2016-12-21 16:00:44 GMT from Russian Federation)
Hi, Jesse.
Why you do not include (widely used) technology like SELinux and AppArmore in your list?
27 • Opinion Poll (by Jesse on 2016-12-21 16:05:52 GMT from Canada)
@26: Because SELinux and AppArmor are not designed to isolate processes so much as use permissions to block them from doing bad things. They're different use cases.
28 • Opinion Poll - Process Isolation (by M0E-lnx on 2016-12-21 21:39:14 GMT from United States)
Docker is a great option for services, and with a few tricks even apps in general. I'm not sure if that was included in the 'Linux containers' option, but it would have been nice to see that option listed.
29 • Follow-up to @15 - systemd security features (by Scott Dowdle on 2016-12-21 22:46:35 GMT from United States)
LWN published a premium article today on security features in systemd. It will become freely available to non-subscribers Thursday, Dec 29. Here is the URL that will work for LWN subscribers and everyone else once freely available:
Using systemd for more secure services in Fedora
https://lwn.net/Articles/709755/
Intro paragraph: "The AF_PACKET local privilege escalation (also known as CVE-2016-8655) has been fixed by most distributions at this point; stable kernels addressing the problem were released on December 10. But, as a discussion on the fedora-devel mailing list shows, systemd now provides options that could help mitigate CVE-2016-8655 and, more importantly, other vulnerabilities that remain undiscovered or have yet to be introduced. The genesis for the discussion was a blog post from Lennart Poettering about the RestrictAddressFamilies directive, but recent systemd versions have other sandboxing features that could be used to head off the next vulnerability. "
30 • Bodhi (by slick on 2016-12-22 01:06:40 GMT from United States)
For one have always liked and appreciated Bodhi and especially the e17 Enlightenment experience. Would hope Jeff would consider it being a Debian only distribution.
Don't have Bodhi on my machine because only it's an Ubuntu distribution and to me is just not something desirable. However it is easy enough to install e17 and configure an nice e17 on Devuan without all the bloat.
Have notice that many distributions have drop there connection with Ubuntu and they have experienced a jump in popularity. Those that went back to Ubuntu like WattOs experienced a drop and myself one of them.
Appreciate greatly a small but fast distribution without systemd, Devuan on my desktop runs about 185mb of memory on login, how many distributions can do that?
Star is my distribution of choice and be found on Sourceforge, complimented with many Window manager choices and Xfce DE for a wide choice of flavours!
A few applications to have the distro functional and completely non-bloated, very nice!
31 • MX Linux 16 (by PhantomTramp on 2016-12-22 15:29:07 GMT from United States)
Anti and crew seem to always bless us with a holiday season gift. This one looks very cool. Downloading now...
The Tramp
32 • Bodhi (by More Gee on 2016-12-22 17:40:45 GMT from United States)
It has been awhile since I used Bodhi and really liked the wooden desktop environment without the tube clock. It did not have the radio button issues but I do remember them being a problem on the default. I also remember using Opera instead of Midori and it was a much more enjoyable internet experience and the mini version at that time would still keep ram usage under 128mb. I was thinking of making a VM of this for my 2gb RAM machines.
33 • Bodhi (by Simon Wainscott-Plaistowe on 2016-12-23 02:05:47 GMT from New Zealand)
The new Bodhi release looks impressive. In the past I've found Bodhi's enlightenment desktop a bit non-intuitive so I've been using Peppermint to refurbish old computers. Now I think it's time to give the Moksha desktop a try.
34 • Ultimate security (by Dave Postles on 2016-12-23 09:09:12 GMT from United Kingdom)
Tongue in cheek for Christmas: no HD, just run from DVD - slow but sure.
35 • Process isolation & Bodhi (by Greg Zeng on 2016-12-25 05:44:23 GMT from Australia)
Missing isolating types include the Linux container being on a USB-flash-stick, removable drive, or unique partition. My "unique" partition can be started by any of three partition-handlers (Grub-customizer, BIOS & UEFI).
Listing the DW isolation stuff in popularity order:
1. None: 510 (42%)
2. Virtual machine: 385 (31%)
3. Firejail: 136 (11%)
4. FreeBSD jail: 66 (5%)
5. Linux container: 60 (5%)
6. Other: 32 (3%)
7. Qubes OS: 34 (3%)
8. Other: 32 (3%)
9. Cappsule: 5 (0%)
The 5th & 8th favored option is interesting. Bodhi on a very small computer (Raspberry Pi?) as a Linux Container, or Virtualized machine between the main system and the rest of the network?
"Bodhi Linux 4.0.0 is based on Ubuntu 16.04 LTS, so there were no real surprises when it came to installing." is the first sentence of the independent reviwer in this issue of DW. This Ubuntu installation process also applies to the other 58 Ubuntu-based distributions http://distrowatch.com/search.php?basedon=Ubuntu
All of these can easily have their Linux kernels upgraded & downgraded to any already-compiled Linux kernel of any date, of any degree of readiness (alpha, beta, etc). http://kernel.ubuntu.com/~kernel-ppa/mainline/
Besides Bodhi, there are other micro-Linux's also based on Ubuntu: Web OS and Peppermint. All three can be extremely easily upsized into fully fledged Desktops, with all the needed applications, utilities, ear-candy and eye-candy.
It would be very interesting to compare the micro-Linux's with each other. They all show the inadequacies of the other Ubuntu-based distributions: crazy mixes of ethnic languages braille and usually, games. All show the poor selection of "gkrel" and none have DDCOPY (only PCLOS has these two properly available). Mint, another Ubuntu-derivative, persists with their poor flash-stick format & writing programs. All of these, including PCLOS, do not use Synaptic Package Manager at all well.
36 • Process isolation and other pets (by OpenBSD n00b on 2016-12-25 15:09:15 GMT from Brazil)
Firejail, Cappsule, or any other "sandboxing" tool, may be interesting to implement the concept of "security by isolation". But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD (which emphasizes correctness, proactive security, integrated cryptography, and standardization :).
So I have a recipe for building the perfect OS to surf the Tor network with the ultimate anonymity:
1. Take the latest snapshot of OpenBSD (better yet, the always uptodate FuguIta respin, which has a decent and also lightning fast graphical interface).
2. Configure the native firewall to run immediately after boot-up and make the host system as sthealthed as possible.
3. Install the VirtualBox package, then set it up to run Whonix Linux (both the two VM images: Gateway and Workstation).
4. Release the final result as an installable OpenBSD/FuguIta LiveDVD.
You can now call it "the Tails killer".
37 • "Sceure OS" (by M.Z. on 2016-12-25 18:43:35 GMT from United States)
@36
"...But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD"
That seems to me to be more than a little disingenuous. In fact the only thing that convinced me you even halfway knew what you were talking about was that you hedged your bets by using the term '_Almost_ invulnerable...' to describe your OS of choice. Now I'm by no means an expert, but I do think about & research these things to some extent & I'd venture to guess that OpenBSD is likely among the most secure OSs around; however, there is no such thing as a secure OS let alone an invulnerable one. There have been deeply insecure OSs like versions ow Windows that basically ran everything as 'Administrator'/root through the 1990s, but that hasn't been an issue on Unix like systems such Linux and the BSDs for much if any of they time they have been around because of rules set up a long time ago on Unix.
At any rate most Unix like systems are reasonably secure by default when properly administered by folks that don't trust so called Nigerian princes, install random stuff from parts unknown, or forget to run updates. That being said no system is truly secure and there is always some funny vid that must be downloaded & viewed with special software that some are naive enough to believe is a real thing rather than malware. Of course there are also some people type in root passwords at the drop of a hat or simply make mistakes about communicating what is legitimate and what is not to be trusted. I think that last thing happened in a rather famous hacking incident just in the past few months, someone neither put big bold text saying 'DO NOT TRUST', nor put the the letters 'il' in front of illegitimate & there was massive fallout political & otherwise.
I firmly believe that security is all relative & it depends both on secure system design, as well as secure user habits & best practices. The truth is that all links in that chain are vulnerable to some extent even in places that use OSs as secure as OpenBSD. If there were a big enough target it would likely be hacked eventually regardless of which OS it used because everyone from the coders to the end users makes some mistakes. Personally I run Linux systems behind a pfSense/BSD firewall computer & I run some kind of security tool on every systems be it firejaill, MSEC, SELinux, or snort. Given all the problems I've had using BSD on my hardware I don't have the patience to try & get it working, but I'd still say I'm relatively secure for a self taught non expert. I'm sure I'm doing some things wrong, but it's all relative & I'm very solid for a tiny home network, and that due in part to all the different tools that I run.
38 • OpenBSD and isolation (by Ben on 2016-12-25 22:52:33 GMT from Canada)
@36: >> "Firejail, Cappsule, or any other "sandboxing" tool, may be interesting to implement the concept of "security by isolation". But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD (which emphasizes correctness, proactive security, integrated cryptography, and standardization"
Assuming you were not joking, I see a pretty big flaw in that reasoning. OpenBSD only pracitses active security, code audits and correctness on the base OS, not OpenBSD's ports/packages. Running Firefox (for example) on OpenBSD is not any more secure, really, than running Firefox on Debian. It's not any harder to compromise your web browser on OpenBSD than it is on, say, Fedora. The same applies to almost every desktop application or service you plan on running on OpenBSD that is not in the default installation.
So the key question then becomes; What happens after your attacker takes over your web browser? If it's sandboxed with Firejail or SELinux, then the attacker is pretty much stuck. They can read a bunch of files, but they should otherwise be unable to harm your OS or user's files. Without isolation (as on OpenBSD) then the attacker, having taken over your browser, has access to do whatever they like on your account. At that point, having a secure base OS does not do you a lot of good because the attacker has (unrestricted) access to run their code under your account.
I greatly respect the work OpenBSD devs do on their operating system and I'd like to see more Linux distros do the same. But the security of correctness OpenBSD offers doesn't help you much if the software that is being attacked is installed from their ports collection
39 • @34 • Ultimate security (by Marco on 2016-12-27 16:10:04 GMT from United States)
@34 Ultimate security: no HD, just run from DVD - slow but sure.
I know you were joking, but my father used to attract all sorts of malware on his Windows computer. I never converted him to Linux, but I did persuade him to only do his on-line banking off a live Linux DVD image.
40 • OpenBSD/Linux security (by Jordan on 2016-12-27 16:10:44 GMT from United States)
Has anyone posting here ever had their computer taken over and had code run via the browser, etc?
I've seen various virus and malware in the news, but never have I seen or heard of a non-Windows computer being hijacked, with the notable exception of for testing purposes by the owner or commissioned tester of the machine.
But I've only been with Linux since 1996.
41 • System security (by Jesse on 2016-12-27 16:47:04 GMT from Canada)
>> "Has anyone posting here ever had their computer taken over and had code run via the browser, etc? "
@40: While I have not had my machine compromised this way, I have been called in to clean up a few. Generally, I am interested in fixing things rather than figuring out exactly went wrong, but I suspect the Linux boxes I have cleaned up were originally compromised through network services like OpenSSH.
If you're interested strictly in browser compromises, you might want to check out the pwn to own competition as the systems tested are often taken down using browser exploits: https://en.wikipedia.org/wiki/Pwn2Own
>> "I've seen various virus and malware in the news, but never have I seen or heard of a non-Windows computer being hijacked"
Do you mean by people you know personally? There are often reports of macOS or Linux exploits being used in the wild. Particuarly against Linux servers.
42 • Linux hacking (by speaking from experience on 2016-12-27 23:59:14 GMT from United States)
@40 "Has anyone ever had their computer taken over"
Against Windows hackers can use malware that ppl download from the web. But against other OSs where malware is not so prevalent - like Linux - hackers can exploit wireless hardware and software insecurities to capture your login password. One key insecurity is that your wireless is always "on" unless both hardware and software switches are turned off. Attacks can include wireless sniffing, MAC address scanning, port scanning, fake ap's, etc. If they can't get at your computer directly, they can always hack nearby devices - like routers, mobile phones, CCTV cameras, etc - and then target your computer from them. When they get your login password they can then hack your wifi or bluetooth, login, and copy whatever data they want.
Ironically, Linux security distros - like Qubes and TAILS - focus on malware protection mainly coming from the Internet, because they want to promote their OS's as Windows alternatives. But malware is old school, and wireless sniffing and hacking - usually before you even connect to the Internet - is new school (just look at all the wireless exploit tools available). So don't expect any Linux security distro to protect you against persistent hackers.
43 • Attacks on Unix (by M.Z. on 2016-12-28 00:44:17 GMT from United States)
@40
In addition to server systems being commonly targeted (mostly through unpatched software), there have been many attacks on another Unix like desktop system, namely Mac OS X. If you know a bit about the Unix family tree you may know that modern Mac systems are basically a modified version of BSD. I don't think the infections have reached the same proportions on Mac as they have on Windows, but there have been compromises that have affected many thousands of machines. This sort of thing if far more rare on Linux and BSD proper, but I've heard of Linux machines being hit, so it can happen. That's why I think tools like firejail and SSELinux are so valuable, they provide different ways to defend against and limit the damage of a serious compromise and create multiple potential barriers to attack. Of course that's just what I recall from reading up on that sort of thing on occasion, I've gotten an occasional paranoid feeling but never seen any real damage or serious problems since I've been using Linux.
44 • @40 Has a web browser ever hijacked my computer and run code (by imnotrich on 2016-12-28 06:50:08 GMT from Mexico)
Yes, sort of.
Google Chrome, and more recently Firefox offer a browser sync feature that syncs history, bookmarks, home page and other stuff across multiple computers.
With Chrome if you have a gmail account sync is forced on you. With FF you have to opt in.
Anyway, not so long ago running Chrome on my W7 laptop a website was able to change my home page to a windows .exe file, but that fact was hidden from me in the address field I still saw www.google.com.
A day or two later I booted up the Linux partition of my W10/Linux desktop and noticed Chrome trying to connect to a Windows .exe file as my home page. Thanks to this helpful "sync" feature I was able to intercept the attack before it did any damage, but it won't be long before evil bad people figure out how to successfully exploit this sync feature from one platform to another.
45 • Attacks on Linux (by Jordan on 2016-12-28 14:36:51 GMT from United States)
Thanks for the responses to my query. I understand the server hacks, as unix based servers are more common out there. But I'm wondering if *users* at their desktop machines/laptops, on a Linux distro, have ever seen their systems compromised, personally. Their own computer. I've never seen it in twenty years of using distros with all manner of browsers and open ports, etc.
46 • @45 (by Ricardo on 2016-12-28 20:30:44 GMT from France)
As a home user, there are quite few chances you'll see an attack on your computer in your life.
On a server, it's another story.
47 • @45 (by Ricardo on 2016-12-28 20:40:34 GMT from France)
I talked about Linux of course, not Windows.
48 • Best Linux Desktop 2016, thoroughly reviewed. (by Greg Zeng on 2016-12-29 05:25:24 GMT from Australia)
https://www.youtube.com/watch?v=1iR6cx0_Zgs&t=323s
"Best Linux Desktop 2016", quidsup 7':12".
"Published on Dec 27, 2016
Looking back at my Top 3 Favourite Linux Distributions that I reviewed in 2016, which includes a selection for new and advanced users." (from 21 reviewed)
He summarizes many detailed examinations in the last few weeks of full testing, with clear, detailed on-screen examples of his reasons. Generally myself and most others agree with his choices and biases. Of course the emotional fan boys give their own narrow opinions in the following comments to his videos.
1) KDE NEON (Kubuntu based) 4'28"
2) UBUNTU MATE (Ubuntu-based) 1'59"
3) LINUX LITE (Xubuntu 16.04 based), 0'15"
I gave further opinions of my own, on his YouTube page.
49 • Kodachi or TAILS? (by Dave Postles on 2016-12-30 11:44:25 GMT from United Kingdom)
Would appreciate comments on the relative merits.
50 • Re: Kodachi_or_TAILS? (by k on 2016-12-31 07:13:14 GMT from Finland)
@49 by Dave Postles
"Relative merits"?
Not having used or being familiar with Kodachi, I right away tried to compare
package lists -- just see if it is worth downloading, verifying ISO and testing
Kodachi --, as there are certain packages needed.
But, starting from TAILS page of Distrowatch, and trying the "compare packages"
tool, Kodachi does not appear in the pull down menu.
Best wishes to all for 2017, and beyond.
51 • Re: Kodachi_or_TAILS? (by k on 2016-12-31 07:39:07 GMT from United States)
Again @49 by Dave Postles
Starting from Linux Kodachi page of DW, one can use DW's "compare packages" tool
to compare full package lists of Kodachi and Tails.
The old Tails USB with persistence has worked really well for several years now, and
even on 32-bit UEFI with 64-bit processor, using hosts' hard disk(s) for more capacious
long-term storage, but welcome some experiential knowledge from others.
52 • Kodachi packages (by Jesse on 2016-12-31 13:34:01 GMT from Canada)
>> "But, starting from TAILS page of Distrowatch, and trying the "compare packages"
tool, Kodachi does not appear in the pull down menu."
@50: Yes, Kodachi is listed, but it is listed under its proper name, Linux Kodachi. https://distrowatch.com/dwres.php?firstlist=tails&firstversions=0&resource=compare-packages&secondlist=kodachi
53 • Linux Mint 18.1 (by Landor on 2016-12-31 19:24:33 GMT from Canada)
Quite some time ago I was forced to install a "simplistic" distribution for someone, I chose Mint Linux Mint 13 Mate Edition. Recently due to an update their wifi went for a dump. Instead of fixing the problem as 13 is closing in on its end of life, I did the upgrade to 17.3 and here I am typing it on this. I don't follow Linux as keenly as I once did, Gentoo works on what I use and that's enough to know for me. A look here showed me though that not only is 18 released, but now 18.1. Interesting that there is no upgrade to this release. Yet anyway.
@5 Good to see an old face/name kicking around. :) Happy New Year
Enjoy your distribution testing everyone. I for one am glad to see DW and DWW still going strong!
Keep your stick on the ice...
Landor
54 • 53 • Linux Mint 18.1... old timers ... Eventually. (by Greg Zeng on 2017-01-01 02:55:36 GMT from Australia)
"... forced to install a "simplistic" distribution for someone ... their wifi went for a dump"
Another old timer myself, so busy that I never published my works properly, anywhere. On updating any Linux operating system:
All Ubuntu-based operating systems (including Mint 18.1) eventually become "old" and "stale". In Linux, the easiest, simplest cure is just upgrading the Linux kernel. No need to change anything else. This then prevents malware created by past errors, bad hardware, updated hardware (poor drivers for new wifi, in this specific case), etc.
Ubuntu-based distros are days ahead of the other "leading" Linux distributions: Arch, and Arch-based. We have the advantaged of pre-compiled, ready-to install files, for a quick, immediate upgrade into the new kernel.
Using grub-customizer, we can then have an easy menu choice into any Linux kernel, at boot-time. These kernels could be old, the latest stable kernel, or any of the proposed Linux kernels. This has been frequently mentioned by myself here in DW and elsewhere on the internet. Unfortunately DW makes it extremely difficult to url the DW mentions that I have made on this easy solution to aging, atm.
55 • @54 (by Ricardo on 2017-01-01 14:42:11 GMT from France)
> "Ubuntu-based distros are days ahead of the other "leading" Linux distributions"
I hope you're joking because this is quite false... If not, you must have some problems, or you are just a hard Ubuntu fanboy, with all the exaggerations, nonsense etc. corresponding to this unhappy "state"...
Number of Comments: 55
Display mode: DWW Only • Comments Only • Both DWW and Comments
| | |
| TUXEDO |
TUXEDO Computers - Linux Hardware in a tailor made suite
Choose from a wide range of laptops and PCs in various sizes and shapes at TUXEDOComputers.com. Every machine comes pre-installed and ready-to-run with Linux. Full 24 months of warranty and lifetime support included!
Learn more about our full service package and all benefits from buying at TUXEDO.
|
| Archives |
| • Issue 1038 (2023-09-25): Mageia 9, trouble-shooting launchers, running desktop Linux in the cloud, New documentation for Nix, Linux phasing out ReiserFS, GNU celebrates 40 years |
| • Issue 1037 (2023-09-18): Bodhi Linux 7.0.0, finding specific distros and unified package managemnt, Zevenet replaced by two new forks, openSUSE introduces Slowroll branch, Fedora considering dropping Plasma X11 session |
| • Issue 1036 (2023-09-11): SDesk 2023.08.12, hiding command line passwords, openSUSE shares contributor survery results, Ubuntu plans seamless disk encryption, GNOME 45 to break extension compatibility |
| • Issue 1035 (2023-09-04): Debian GNU/Hurd 2023, PCLinuxOS 2023.07, do home users need a firewall, AlmaLinux introduces new repositories, Rocky Linux commits to RHEL compatibility, NetBSD machine runs unattended for nine years, Armbian runs wallpaper contest |
| • Issue 1034 (2023-08-28): Void 20230628, types of memory usage, FreeBSD receives port of Linux NVIDIA driver, Fedora plans improved theme handling for Qt applications, Canonical's plans for Ubuntu |
| • Issue 1033 (2023-08-21): MiniOS 20230606, system user accounts, how Red Hat clones are moving forward, Haiku improves WINE performance, Debian turns 30 |
| • Issue 1032 (2023-08-14): MX Linux 23, positioning new windows on the desktop, Linux Containers adopts LXD fork, Oracle, SUSE, and CIQ form OpenELA |
| • Issue 1031 (2023-08-07): Peppermint OS 2023-07-01, preventing a file from being changed, Asahi Linux partners with Fedora, Linux Mint plans new releases |
| • Issue 1030 (2023-07-31): Solus 4.4, Linux Mint 21.2, Debian introduces RISC-V support, Ubuntu patches custom kernel bugs, FreeBSD imports OpenSSL 3 |
| • Issue 1029 (2023-07-24): Running Murena on the Fairphone 4, Flatpak vs Snap sandboxing technologies, Redox OS plans to borrow Linux drivers to expand hardware support, Debian updates Bookworm media |
| • Issue 1028 (2023-07-17): KDE Connect; Oracle, SUSE, and AlmaLinux repsond to Red Hat's source code policy change, KaOS issues media fix, Slackware turns 30; security and immutable distributions |
| • Issue 1027 (2023-07-10): Crystal Linux 2023-03-16, StartOS (embassyOS 0.3.4.2), changing options on a mounted filesystem, Murena launches Fairphone 4 in North America, Fedora debates telemetry for desktop team |
| • Issue 1026 (2023-07-03): Kumander Linux 1.0, Red Hat changing its approach to sharing source code, TrueNAS offers SMB Multichannel, Zorin OS introduces upgrade utility |
| • Issue 1025 (2023-06-26): KaOS with Plasma 6, information which can leak from desktop environments, Red Hat closes door on sharing RHEL source code, SUSE introduces new security features |
| • Issue 1024 (2023-06-19): Debian 12, a safer way to use dd, Debian releases GNU/Hurd 2023, Ubuntu 22.10 nears its end of life, FreeBSD turns 30 |
| • Issue 1023 (2023-06-12): openSUSE 15.5 Leap, the differences between independent distributions, openSUSE lengthens Leap life, Murena offers new phone for North America |
| • Issue 1022 (2023-06-05): GetFreeOS 2023.05.01, Slint 15.0-3, Liya N4Si, cleaning up crowded directories, Ubuntu plans Snap-based variant, Red Hat dropping LireOffice RPM packages |
| • Issue 1021 (2023-05-29): rlxos GNU/Linux, colours in command line output, an overview of Void's unique features, how to use awk, Microsoft publishes a Linux distro |
| • Issue 1020 (2023-05-22): UBports 20.04, finding another machine's IP address, finding distros with a specific kernel, Debian prepares for Bookworm |
| • Issue 1019 (2023-05-15): Rhino Linux (Beta), checking which applications reply on a package, NethServer reborn, System76 improving application responsiveness |
| • Issue 1018 (2023-05-08): Fedora 38, finding relevant manual pages, merging audio files, Fedora plans new immutable edition, Mint works to fix Secure Boot issues |
| • Issue 1017 (2023-05-01): Xubuntu 23.04, Debian elects Project Leaders and updates media, systemd to speed up restarts, Guix System offering ground-up source builds, where package managers install files |
| • Issue 1016 (2023-04-24): Qubes OS 4.1.2, tracking bandwidth usage, Solus resuming development, FreeBSD publishes status report, KaOS offers preview of Plasma 6 |
| • Issue 1015 (2023-04-17): Manjaro Linux 22.0, Trisquel GNU/Linux 11.0, Arch Linux powering PINE64 tablets, Ubuntu offering live patching on HWE kernels, gaining compression on ex4 |
| • Issue 1014 (2023-04-10): Quick looks at carbonOS, LibreELEC, and Kodi, Mint polishes themes, Fedora rolls out more encryption plans, elementary OS improves sideloading experience |
| • Issue 1013 (2023-04-03): Alpine Linux 3.17.2, printing manual pages, Ubuntu Cinnamon becomes official flavour, Endeavour OS plans for new installer, HardenedBSD plans for outage |
| • Issue 1012 (2023-03-27): siduction 22.1.1, protecting privacy from proprietary applications, GNOME team shares new features, Canonical updates Ubuntu 20.04, politics and the Linux kernel |
| • Issue 1011 (2023-03-20): Serpent OS, Security Onion 2.3, Gentoo Live, replacing the scp utility, openSUSE sees surge in downloads, Debian runs elction with one candidate |
| • Issue 1010 (2023-03-13): blendOS 2023.01.26, keeping track of which files a package installs, improved network widget coming to elementary OS, Vanilla OS changes its base distro |
| • Issue 1009 (2023-03-06): Nemo Mobile and the PinePhone, matching the performance of one distro on another, Linux Mint adds performance boosts and security, custom Ubuntu and Debian builds through Cubic |
| • Issue 1008 (2023-02-27): elementary OS 7.0, the benefits of boot environments, Purism offers lapdock for Librem 5, Ubuntu community flavours directed to drop Flatpak support for Snap |
| • Issue 1007 (2023-02-20): helloSystem 0.8.0, underrated distributions, Solus team working to repair their website, SUSE testing Micro edition, Canonical publishes real-time edition of Ubuntu 22.04 |
| • Issue 1006 (2023-02-13): Playing music with UBports on a PinePhone, quick command line and shell scripting questions, Fedora expands third-party software support, Vanilla OS adds Nix package support |
| • Issue 1005 (2023-02-06): NuTyX 22.12.0 running CDE, user identification numbers, Pop!_OS shares COSMIC progress, Mint makes keyboard and mouse options more accessible |
| • Issue 1004 (2023-01-30): OpenMandriva ROME, checking the health of a disk, Debian adopting OpenSnitch, FreeBSD publishes status report |
| • Issue 1003 (2023-01-23): risiOS 37, mixing package types, Fedora seeks installer feedback, Sparky offers easier persistence with USB writer |
| • Issue 1002 (2023-01-16): Vanilla OS 22.10, Nobara Project 37, verifying torrent downloads, Haiku improvements, HAMMER2 being ports to NetBSD |
| • Issue 1001 (2023-01-09): Arch Linux, Ubuntu tests new system installer, porting KDE software to OpenBSD, verifying files copied properly |
| • Issue 1000 (2023-01-02): Our favourite projects of all time, Fedora trying out unified kernel images and trying to speed up shutdowns, Slackware tests new kernel, detecting what is taking up disk space |
| • Issue 999 (2022-12-19): Favourite distributions of 2022, Fedora plans Budgie spin, UBports releasing security patches for 16.04, Haiku working on new ports |
| • Issue 998 (2022-12-12): OpenBSD 7.2, Asahi Linux enages video hardware acceleration on Apple ARM computers, Manjaro drops proprietary codecs from Mesa package |
| • Issue 997 (2022-12-05): CachyOS 221023 and AgarimOS, working with filenames which contain special characters, elementary OS team fixes delta updates, new features coming to Xfce |
| • Issue 996 (2022-11-28): Void 20221001, remotely shutting down a machine, complex aliases, Fedora tests new web-based installer, Refox OS running on real hardware |
| • Issue 995 (2022-11-21): Fedora 37, swap files vs swap partitions, Unity running on Arch, UBports seeks testers, Murena adds support for more devices |
| • Issue 994 (2022-11-14): Redcore Linux 2201, changing the terminal font size, Fedora plans Phosh spin, openSUSE publishes on-line manual pages, disabling Snap auto-updates |
| • Issue 993 (2022-11-07): Static Linux, working with just a kernel, Mint streamlines Flatpak management, updates coming to elementary OS |
| • Issue 992 (2022-10-31): Lubuntu 22.10, setting permissions on home directories, Linux may drop i486, Fedora delays next version for OpenSSL bug |
| • Issue 991 (2022-10-24): XeroLinux 2022.09, learning who ran sudo, exploring firewall tools, Rolling Rhino Remix gets a fresh start, Fedora plans to revamp live media |
| • Issue 990 (2022-10-17): ravynOS 0.4.0, Lion Linux 3.0, accessing low numbered network ports, Pop!_OS makes progress on COSMIC, Murena launches new phone |
| • Issue 989 (2022-10-10): Ubuntu Unity, kernel bug causes issues with Intel cards, Canonical offers free Ubuntu Pro subscriptions, customizing the command line prompt |
| • Issue 988 (2022-10-03): SpiralLinux 11.220628, finding distros for older equipment and other purposes, SUSE begins releasing ALP prototypes, Debian votes on non-free firmware in installer |
| • Issue 987 (2022-09-26): openSUSE's MicroOS, converting people to using Linux, pfSense updates base system and PHP, Python 2 dropped from Arch |
| • Issue 986 (2022-09-19): Porteus 5.0, remotely wiping a hard drive, a new software centre for Ubuntu, Proxmox offers offline updates |
| • Full list of all issues |
| Star Labs |
Star Labs - Laptops built for Linux.
View our range including the highly anticipated StarFighter. Available with coreboot open-source firmware and a choice of Ubuntu, elementary, Manjaro and more. Visit Star Labs for information, to buy and get support.
|
| Shells.com |
Your own personal Linux computer in the cloud, available on any device. Supported operating systems include Android, Debian, Fedora, KDE neon, Kubuntu, Linux Mint, Manjaro and Ubuntu, ready in minutes.
Starting at US$4.95 per month, 7-day money-back guarantee
|
| Random Distribution | 
Project development Enlightenment verbose (Project dEv)
The mission for Project dEv was to create a stable and secure Linux distribution based on the lightweight window manager Enlightenment, with the latest of hardware detection technology to make sure your hardware was detected and configured as quickly as possible with minimal amount of effort. dEv aims to use and extend the EFL. By this, the KDE and GNOME dependencies are made obsolete while the feature richness and speed of the window manager increases. dEv wants to bring all the eye candy and speed which Enlightenment gives to a more cleanly manner by placing Enlightenment inside its own directory.
Status: Discontinued
|
| TUXEDO |
TUXEDO Computers - Linux Hardware in a tailor made suite
Choose from a wide range of laptops and PCs in various sizes and shapes at TUXEDOComputers.com. Every machine comes pre-installed and ready-to-run with Linux. Full 24 months of warranty and lifetime support included!
Learn more about our full service package and all benefits from buying at TUXEDO.
|
| Star Labs |
Star Labs - Laptops built for Linux.
View our range including the highly anticipated StarFighter. Available with coreboot open-source firmware and a choice of Ubuntu, elementary, Manjaro and more. Visit Star Labs for information, to buy and get support.
|
|
• 
• 
• 
• 
• 
• 
• 
