DistroWatch Weekly
Reader Comments
1 • jails (by nolinuxguru on 2016-12-19 10:24:51 GMT from United Kingdom)
I have been using Firejail for a while to isolate Firefox, Icedove [email]. I use the supplied profiles for these applications, but customise them to further restrict the ways programs such as Firefox can propagate any malware. I like the way that I can compile the Firejail program from source [it does not have the usual rats-nest of dependencies, and is small enough that even I can understand how it works].
2 • Bodhi Linux (by aguador on 2016-12-19 10:52:30 GMT from Spain)
Enlightenment is my DE of choice, but I have never quite managed to relate to Bodhi, in part because of its Ubuntu base, but more because of Midori and the AppCenter. Midori, while light on resources, in my experience has always seemed slow as well as limited. Firefox is an option, but (at least in the past) does not come enabled to use the AppCenter. So, one reverts to Synaptic, a great option for most, but more complicated for newbies who might be better served by a more traditional software center approach.
Jeff has made good contributions to Enlightenment, including ePad which has to be the absolute lightest notepad application around given its use of EFL and arguably better than Ecrire in some ways. I understand that E is undergoing constant development -- and improvement, so forking it due to momentary frustrations was a shame. Still, Bodhi seems to have found a niche and I wish the project well.
3 • Brisk Mate Menu (by aguador on 2016-12-19 11:01:23 GMT from Spain)
Mate was my first DE and I am amazed at the progress it has made. A recent test drive of a live version of Ubuntu Mate was a surprisingly pleasant experience with good configuration options. The things that set it apart from Linux Mint are the application menu and interface options. Mint Menu is good conceptually, but a bit wanting aesthetically. A faster, more aesthetic (Budgie- or Cinnamon-like) menu is sure to be welcomed by regular users.
4 • Brisk Mate Menu (by sydneyj on 2016-12-19 11:56:38 GMT from United States)
I very much agree with @3 aguador regarding Brisk menu for Mate. I use Arch/Mate now, with the MintMenu. The menu is quite good, but a bit buggy (a couple of irretrievably broken links), presumably due to GTK2/3 issues. I would be happy to see the Cinnamon menu ported to Mate, since it doesn't require an extra click to get to Favorites, and the menu can grow in size as items are added. A hybrid Cinnamon/Budgie menu might be just the ticket, as well.
5 • Mate Menu (by Pikolo on 2016-12-19 12:19:00 GMT from United Kingdom)
Rewriting a menu in C sounds like a very anti-trend move to me. Isn't Gnome moving from C to Rust? Isn't C famous for buffer overflows? I've seen dozens of articles on "why we should limit the use of C" just this month. A truly bizarre development.
I'm surprised there are so many Qubes users on DW. Joanna Rutkowska has shown a graph, on which there are <7k users, and already 16 of them voted. Though their % will probably drop over time. All in all, 60% of Linux users using process isolation is impressive.
6 • <3 bodhi (by meanpt on 2016-12-19 12:42:25 GMT from Portugal)
... been with bodhi since ... rats, I'm getting older. Since then I only miss one thing: the original ram's 76 MB landing DE which I proudly showed off to the wd$sy friends.
7 • New menu in C (by Jesse on 2016-12-19 13:01:38 GMT from Canada)
@5: >> "Rewriting a menu in C sounds like a very anti-trend move to me. Isn't Gnome moving from C to Rust? Isn't C famous for buffer overflows? I've seen dozens of articles on "why we should limit the use of C" just this month. A truly bizarre development."
In this case it makes a lot of sense. C is still one of the main languages to use when performance is a primary focus. And, in this case, the risk of buffer overflows or similar memory corruption errors is not really a concern. Remember, the application menu is run as the user who is logged in and sitting physically at the computer. If the user manages to somehow exploit a flaw in the code, all they end up with is the ability to run code at the computer where they are already sitting, running whatever code they want. In this instance, C gives a boost in performance with no practical downside.
8 • @ Joshua (by geert on 2016-12-19 13:06:56 GMT from Netherlands)
>For users with older computers, some of the modern Linux distributions can be too resource intensive. Bodhi Linux 4.0.0 is a lightweight distribution designed for those users. The minimum system requirements are a 500MHz processor, 128MB of RAM, and 4GB of disk space. The recommended requirements are a 1.0GHz processor, 512MB of RAM, and 10GB of disk space.<
Of course, if you only boot the computer and don't do anything. All processes have to work in RAM, and the more apps you have open, the more RAM you need. And, remember 32 bit is "legacy" now.
9 • Bodhi Clock (by Thomas on 2016-12-19 13:20:50 GMT from France)
The clock widget in Bodhi mimics clocks made with Nixie Tubes or similar technology.
10 • Re: #2 / Midori (by Jeff Hoogland on 2016-12-19 13:34:03 GMT from United States)
Always amusing that we ship as few applications as possible and yet people still find a reason to dislike them. We know midori is feature light. It is also only 5~ MB to install so it isn't wasting much space like Firefox or Chrome would (because there are plenty of people who hate each of those). We expect and often encourage people to install their full browser of choice.
For reference the latest version of Bodhi has a dedicated "app center" menu launcher that opens a midori browser to just the appcenter URL. Pretty easy for a novice end user to always use that to grab software even if they use something else as a primary web browser.
Also - APTURL (the protocol the AppCenter uses to make the browser call the package manager) works with Chrome and Firefox if you configure them properly.
11 • Greetings (by Thom on 2016-12-19 13:55:41 GMT from Sweden)
A thank you to the team behind DW for another year of dedication and philanthropy. Best wishes for the season and the new year.
12 • Bodhi (by jaws222 on 2016-12-19 15:17:44 GMT from United States)
I've always appreciated the fact that Bodhi was extremely lightweight. As far as the browser I usually go to the app center and install Chromium cause I like it and usually install whatever else I want or think I may need. I've never understood why people complain either, Jeff.
13 • Firejail (by a on 2016-12-19 15:56:28 GMT from France)
I tried using firejail but it makes programs crash/exit without any message as to what the problem is.
14 • Firejail (by Jesse on 2016-12-19 16:08:08 GMT from Canada)
@13: If your application is crashing, it is probably because no one has created a Firejail profile for it yet. I ran into this with the Qupzilla browser and submitted a new profile for it to the project for future releases. You can request new application profiles here: https://github.com/netblue30/firejail/issues/825
15 • service isolation with systemd (by Scott Dowdle on 2016-12-19 17:18:03 GMT from United States)
Just wanted to mention that systemd has a number of security related features so you may separate services with isolated filesystems, /tmp, network name spaces, etc.
16 • Bodhi (by Gibson on 2016-12-19 17:35:32 GMT from United States)
I really appreciate that Bodhi offers install images without preinstalled software. Whenever I install a new distro the first thing I normally do is purge a bunch of default applications that I won't use and install my own choices. Bodhi's super lightweight text editor and web browser (which also serves as a software center) are just enough to get going without getting in the way of my own choices. I actually really like their choice to use the web browser as a basic software center. It keeps with the pattern of minimalism and simplicity. I played with Bodhi for a while shortly after being introduced to Linux and as a total amateur I never had a problem with their approach to software installation. In fact their minimal selection of apps made it easier to find what I was looking for. Now that I've been around for a while the midori interface might not meet my needs, but at this point I just use apt-get.
17 • firejail crashes (by nolinuxguru on 2016-12-19 17:57:20 GMT from United Kingdom)
@13 If you haven't reported this elsewhere, it would help if you said which programs crashed [bit quiet this week].
18 • OpinionPoll-Process isolation (by CucumberLinux on 2016-12-19 18:07:39 GMT from Germany)
Nothing too technical, just my uneducated observation, if I may. Thank you. I somewhat did write this in a hurry, but you will understand what I point out;
ISOLATING AND QUBES OS DATING Currently I am not using any software in order to isolate processes from the rest of the operating system from my GNU-Linux or LinuxDistributions, call it what you want. Generally we feel what I am talking about. Because this process is somehow new to me. However I have tried like 1 Year ago to install on quad core 16 Gb Ram PC (Boot Mode -Legacy), the QubesOS Distribution, with zero success. The Anaconda installer from Fedora, was a pain to work with (freezing itself or just not detecting hardware). Ever since I never bothered with it. But I find the QubesOS as a very interesting Project in itself. Perhaps not that interesting for people with low specs Hardware.
FRESH INSTALL OF DISTRIBUTION If something happens I have no problem with fresh installs. (Backing up the Data is priority all the time) At the same time I am refreshing my knowledge, by doing fresh Installs of the Distribution. This way I do not forget, the basics, because I am not that clever. Speaking here just for my tiny private needs.
FIREJAIL AND VIRTUALBOX AND MY DATING WITH LINUX Firejail is something I am going to look at, when I get more time and my butt stops hurting from too much sitting in front of the PC, solving GNU-Linux like Sumerian stone Tablets puzzles, like why this stopped working.?. Because our Linux still is a pain to work with, when done some regular updates and they mess up previously made configurations! Or you want to install for Libreoffice the hunspell, but by doing so it removes the Thunderbird.. How can you not feel like the need to throw something against the Wall, when you see this happen over and over again? And yea after, my Eyes recover from the LED monitor constantly bombarding my pretty eyes and my Pineal gland with its fantastic bright energy saving light..(Wait I need to grasp for Air) Now, back to the subject; Wish this Firejail would be already installed on the ISO. And after installation of the Distro to be asked, if I feel like to configure the Firejail, or maybe just maybe later. Now about Virtual boxing everything up; Virtualbox is the easiest, but at the same time I use it only for testing never leave it on for long time, due to the fact that it is like having 2 Distributions pounding at the same time on 1 hardware. PC in my opinion is more vulnerable on top of it if access to the Net is given using same IP and Internet for 2 or more Distributions on one Hardware running long time..
BODHI LINUX I am not using Bodhi Linux 4.0.0, but I have enjoyed the insight look in it from DistroW. Thank you for the detailed and precise as always tutorial of B.Linux. Apologies for my Grammar and Greetings to you all Linux users.
19 • Enlightened Bodhi (by Kragle von Schnitzelbank on 2016-12-19 23:41:58 GMT from United States)
I commend Mr. Hoogland for the virtuosity in forking a DE constantly being re-invented with apparent disregard for those who would build on it. This illustrates just one of the many great strengths in Freed software. I vaguely remember an Enlightenment GUI for parted that I perceived as better than the popular GTK GUI, but can't easily find it any more. ¿case in point?
20 • security overly locked down (by security sense on 2016-12-20 01:16:44 GMT from Netherlands)
Over time, security distros tend to become increasingly locked down internally and harder to use, like Qubes and Tails have become. I believe this is due to poorly thought-out design, and just piling security feature upon security feature. After all, if the user can't easily use the OS what's the point? Instead, it's quick nowadays to install linuxen to USB drives. So best form of isolation is to install linux on one USB, secure it from leaks and intrusions, and use it for work and don't connect it to any network. Then make another linux USB and use that for network stuff. Job done - and without any user restrictions.
@18 "I am refreshing my knowledge, by doing fresh Installs of the Distribution. This way I do not forget, the basics, because I am not that clever." Fresh installs are good security too. Who said u were dum? People are intelligent in different ways. Celebrate your brain - you've only got one!
21 • @20 security lockdown (by nolinuxguru on 2016-12-20 09:15:55 GMT from United Kingdom)
@20 most usb drives are writable, so your proposed solution does not seem to provide any added security. The greatest attack method these days is through the web browser and sites that carry malware: something like Firejail can reduce any damage to the files left writable [config, bookmarks etc].
There is much that can be done to secure your computer without the recourse to the likes of Qubes: good iptables firewall script [or just use ufw], tcpdump to see what gets through the firewall and Firejail to isolate web browsers etc. No actual programming is needed, but care is needed to pick out the bits of tcpdump output that should cause concern.
Someone who can package these simple methods for everyday users would do us all a big favour.
22 • Cappsule (by Al CiD on 2016-12-20 10:03:17 GMT from Portugal)
Perhaps the reason why it didn't work as expected in VirtualBox
"Cappsule uses hardware virtualization to launch applications into lightweight VMs..."
23 • Stuff (by Andy Mender on 2016-12-20 11:34:19 GMT from Austria)
@7, That's not really how it works. It doesn't matter if a script is run by the user only as long as system libraries are involved (for instance, gtk for the GUI). Any overflow can potentially lead to privilege escalation. C as a programming language is not specifically prone to overflows, but rather it requires extra care to avoid them. The more complex and intertwined the software is, the more difficult it is to avoid said overflows. Rust attempts to address this via more stringent code testing during compile time, though it will take time before it's considered reliable enough to be commonly used instead of C.
@10, Jeff, what about the webkit-gtk engine? Surely it's not a mere ~5 mb. I personally love projects like surf, midori or qupzilla, but in my hands both qupzilla and midori segfault way too often. In addition, on non-Ubuntu distributions Midori would often fail to play Youtube videos via HTML5. I use Firefox simply because it's tried and tested, though it's a different weight class altogether, I agree.
24 • C and Cappsule (by Jesse on 2016-12-20 13:46:59 GMT from Canada)
@23: >> "It doesn't matter if a script is run by the user only as long as system libraries are involved (for instance, gtk for the GUI). Any overflow can potentially lead to privilege escalation."
For a privilege escalation to happen, the code would need to either be run as another user or exploit a bug in another part of the system. (Attacking GTK doesn't help the attacker since its code will run as the same user as the menu, not as root.) Having a buffer overflow in the application menu wouldn't result in a problem in itself. If there is a flaw in a library or system call the application menu uses, then the user (who has physical access to the system, remember) can run any code they like to exploit that component. Exploiting the application menu makes no sense in this scenario since the user can link any code they want to the libraries on the system.
Your argument is basically that the user could exploit a potential flaw in the application menu to try to get at another component on the system, when the user running the application menu (and any un-isolated program they run) can already access that other component of the system directly without exploiting the menu. Attacking the menu just adds an extra, unrequired step to the process.
@22: >> "Perhaps the reason why it didn't work as expected in VirtualBox..."
The Cappsule project provides VirtualBox appliances for people to run and test their software. Any computer with hardware virtualization capacity should have no problem meeting the requirements. My computers all have hardware virtualization so that's not the issue.
25 • RE: 24 (by Andy Mender on 2016-12-20 15:06:10 GMT from Austria)
@24, Jesse, thank you for the clarification. It makes more sense to me now. I think my assumption was too far reaching.
26 • Opinion poll > Selection Principals (by Yuri on 2016-12-21 16:00:44 GMT from Russian Federation)
Hi, Jesse.
Why do you not include (widely used) technology like SELinux and AppArmor in your list?
27 • Opinion Poll (by Jesse on 2016-12-21 16:05:52 GMT from Canada)
@26: Because SELinux and AppArmor are not designed to isolate processes so much as use permissions to block them from doing bad things. They're different use cases.
28 • Opinion Poll - Process Isolation (by M0E-lnx on 2016-12-21 21:39:14 GMT from United States)
Docker is a great option for services, and with a few tricks even apps in general. I'm not sure if that was included in the 'Linux containers' option, but it would have been nice to see that option listed.
29 • Follow-up to @15 - systemd security features (by Scott Dowdle on 2016-12-21 22:46:35 GMT from United States)
LWN published a premium article today on security features in systemd. It will become freely available to non-subscribers Thursday, Dec 29. Here is the URL that will work for LWN subscribers and everyone else once freely available:
Using systemd for more secure services in Fedora https://lwn.net/Articles/709755/
Intro paragraph: "The AF_PACKET local privilege escalation (also known as CVE-2016-8655) has been fixed by most distributions at this point; stable kernels addressing the problem were released on December 10. But, as a discussion on the fedora-devel mailing list shows, systemd now provides options that could help mitigate CVE-2016-8655 and, more importantly, other vulnerabilities that remain undiscovered or have yet to be introduced. The genesis for the discussion was a blog post from Lennart Poettering about the RestrictAddressFamilies directive, but recent systemd versions have other sandboxing features that could be used to head off the next vulnerability. "
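Added example, not part of any reader comment and not code from systemd or the LWN article: a small Python audit of a unit file for the isolation options raised in comments 15 and 29 (private /tmp, private network namespace, read-only system directories, and whether `RestrictAddressFamilies=` still lets the service open `AF_PACKET` sockets). The unit texts, the `exampled` path and all function names are constructed for illustration; the allow/deny merging follows the behaviour documented in systemd.exec(5) and ignores line continuations and drop-in files.

```python
"""Audit a systemd unit for the sandboxing options named in comments 15 and 29."""

TRUE_VALUES = {"1", "yes", "true", "on"}

# Constructed sample: a service with no sandboxing at all.
WEAK_UNIT = """\
[Unit]
Description=Example daemon (constructed sample)

[Service]
ExecStart=/usr/local/bin/exampled
"""

# Constructed sample: the same service with a private /tmp, read-only system
# directories and an address-family allow list that omits AF_PACKET.
HARDENED_UNIT = """\
[Unit]
Description=Example daemon (constructed sample)

[Service]
ExecStart=/usr/local/bin/exampled
PrivateTmp=yes
ProtectSystem=full
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
"""


def parse_service_section(unit_text):
    """Return the (key, value) assignments of [Service], in file order."""
    section, pairs = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs


def address_family_policy(pairs):
    """Fold every RestrictAddressFamilies= line into (mode, families).

    mode is None (no restriction), "allow" (only listed families) or
    "deny" (everything except listed families).
    """
    mode, families = None, set()
    for key, value in pairs:
        if key != "RestrictAddressFamilies":
            continue
        if value == "":            # empty assignment resets the filter
            mode, families = None, set()
            continue
        if value == "none":        # newer systemd: deny every family
            mode, families = "allow", set()
            continue
        invert = value.startswith("~")
        names = set(value.lstrip("~").split())
        if mode is None:           # the first assignment fixes the list type
            mode = "deny" if invert else "allow"
        if (mode == "deny") == invert:
            families |= names      # same list type: extend the list
        else:
            families -= names      # opposite list type: carve entries out
    return mode, families


def family_allowed(policy, family):
    """True if the policy lets the service create sockets of this family."""
    mode, families = policy
    if mode is None:
        return True
    if mode == "allow":
        return family in families
    return family not in families


def audit(unit_text):
    """Summarise which isolation options a unit enables."""
    pairs = parse_service_section(unit_text)
    last = dict(pairs)  # for simple settings the last assignment wins
    return {
        "private_tmp": last.get("PrivateTmp", "").lower() in TRUE_VALUES,
        "private_network": last.get("PrivateNetwork", "").lower() in TRUE_VALUES,
        "protect_system": last.get("ProtectSystem", "").lower()
        in TRUE_VALUES | {"full", "strict"},
        "af_packet_allowed": family_allowed(address_family_policy(pairs), "AF_PACKET"),
    }


if __name__ == "__main__":
    for name, text in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit(text))
```

On a real host, `systemctl cat <unit>` prints the unit together with its drop-ins, which is the text to feed to `audit()`.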
30 • Bodhi (by slick on 2016-12-22 01:06:40 GMT from United States)
For one have always liked and appreciated Bodhi and especially the e17 Enlightenment experience. Would hope Jeff would consider it being a Debian only distribution.
Don't have Bodhi on my machine only because it's an Ubuntu distribution and to me is just not something desirable. However it is easy enough to install e17 and configure a nice e17 on Devuan without all the bloat.
Have noticed that many distributions have dropped their connection with Ubuntu and they have experienced a jump in popularity. Those that went back to Ubuntu like WattOs experienced a drop and myself one of them.
Appreciate greatly a small but fast distribution without systemd, Devuan on my desktop runs about 185mb of memory on login, how many distributions can do that?
Star is my distribution of choice and can be found on Sourceforge, complemented with many Window manager choices and Xfce DE for a wide choice of flavours! A few applications to have the distro functional and completely non-bloated, very nice!
31 • MX Linux 16 (by PhantomTramp on 2016-12-22 15:29:07 GMT from United States)
Anti and crew seem to always bless us with a holiday season gift. This one looks very cool. Downloading now...
The Tramp
32 • Bodhi (by More Gee on 2016-12-22 17:40:45 GMT from United States)
It has been awhile since I used Bodhi and really liked the wooden desktop environment without the tube clock. It did not have the radio button issues but I do remember them being a problem on the default. I also remember using Opera instead of Midori and it was a much more enjoyable internet experience and the mini version at that time would still keep ram usage under 128mb. I was thinking of making a VM of this for my 2gb RAM machines.
33 • Bodhi (by Simon Wainscott-Plaistowe on 2016-12-23 02:05:47 GMT from New Zealand)
The new Bodhi release looks impressive. In the past I've found Bodhi's enlightenment desktop a bit non-intuitive so I've been using Peppermint to refurbish old computers. Now I think it's time to give the Moksha desktop a try.
34 • Ultimate security (by Dave Postles on 2016-12-23 09:09:12 GMT from United Kingdom)
Tongue in cheek for Christmas: no HD, just run from DVD - slow but sure.
35 • Process isolation & Bodhi (by Greg Zeng on 2016-12-25 05:44:23 GMT from Australia)
Missing isolating types include the Linux container being on a USB-flash-stick, removable drive, or unique partition. My "unique" partition can be started by any of three partition-handlers (Grub-customizer, BIOS & UEFI).
Listing the DW isolation stuff in popularity order:
1. None: 510 (42%)
2. Virtual machine: 385 (31%)
3. Firejail: 136 (11%)
4. FreeBSD jail: 66 (5%)
5. Linux container: 60 (5%)
6. Other: 32 (3%)
7. Qubes OS: 34 (3%)
8. Other: 32 (3%)
9. Cappsule: 5 (0%)
The 5th & 8th favored option is interesting. Bodhi on a very small computer (Raspberry Pi?) as a Linux Container, or Virtualized machine between the main system and the rest of the network?
"Bodhi Linux 4.0.0 is based on Ubuntu 16.04 LTS, so there were no real surprises when it came to installing." is the first sentence of the independent reviewer in this issue of DW. This Ubuntu installation process also applies to the other 58 Ubuntu-based distributions http://distrowatch.com/search.php?basedon=Ubuntu
All of these can easily have their Linux kernels upgraded & downgraded to any already-compiled Linux kernel of any date, of any degree of readiness (alpha, beta, etc). http://kernel.ubuntu.com/~kernel-ppa/mainline/
Besides Bodhi, there are other micro-Linux's also based on Ubuntu: Web OS and Peppermint. All three can be extremely easily upsized into fully fledged Desktops, with all the needed applications, utilities, ear-candy and eye-candy.
It would be very interesting to compare the micro-Linux's with each other. They all show the inadequacies of the other Ubuntu-based distributions: crazy mixes of ethnic languages braille and usually, games. All show the poor selection of "gkrel" and none have DDCOPY (only PCLOS has these two properly available). Mint, another Ubuntu-derivative, persists with their poor flash-stick format & writing programs. All of these, including PCLOS, do not use Synaptic Package Manager at all well.
36 • Process isolation and other pets (by OpenBSD n00b on 2016-12-25 15:09:15 GMT from Brazil)
Firejail, Cappsule, or any other "sandboxing" tool, may be interesting to implement the concept of "security by isolation". But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD (which emphasizes correctness, proactive security, integrated cryptography, and standardization :).
So I have a recipe for building the perfect OS to surf the Tor network with the ultimate anonymity:
1. Take the latest snapshot of OpenBSD (better yet, the always up-to-date FuguIta respin, which has a decent and also lightning fast graphical interface).
2. Configure the native firewall to run immediately after boot-up and make the host system as stealthed as possible.
3. Install the VirtualBox package, then set it up to run Whonix Linux (both the two VM images: Gateway and Workstation).
4. Release the final result as an installable OpenBSD/FuguIta LiveDVD.
You can now call it "the Tails killer".
37 • "Secure OS" (by M.Z. on 2016-12-25 18:43:35 GMT from United States)
@36 "...But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD"
That seems to me to be more than a little disingenuous. In fact the only thing that convinced me you even halfway knew what you were talking about was that you hedged your bets by using the term '_Almost_ invulnerable...' to describe your OS of choice. Now I'm by no means an expert, but I do think about & research these things to some extent & I'd venture to guess that OpenBSD is likely among the most secure OSs around; however, there is no such thing as a secure OS let alone an invulnerable one. There have been deeply insecure OSs like versions of Windows that basically ran everything as 'Administrator'/root through the 1990s, but that hasn't been an issue on Unix like systems such as Linux and the BSDs for much if any of the time they have been around because of rules set up a long time ago on Unix.
At any rate most Unix like systems are reasonably secure by default when properly administered by folks that don't trust so called Nigerian princes, install random stuff from parts unknown, or forget to run updates. That being said no system is truly secure and there is always some funny vid that must be downloaded & viewed with special software that some are naive enough to believe is a real thing rather than malware. Of course there are also some people who type in root passwords at the drop of a hat or simply make mistakes about communicating what is legitimate and what is not to be trusted. I think that last thing happened in a rather famous hacking incident just in the past few months, someone neither put big bold text saying 'DO NOT TRUST', nor put the letters 'il' in front of illegitimate & there was massive fallout political & otherwise.
I firmly believe that security is all relative & it depends both on secure system design, as well as secure user habits & best practices. The truth is that all links in that chain are vulnerable to some extent even in places that use OSs as secure as OpenBSD. If there were a big enough target it would likely be hacked eventually regardless of which OS it used because everyone from the coders to the end users makes some mistakes. Personally I run Linux systems behind a pfSense/BSD firewall computer & I run some kind of security tool on every system be it firejail, MSEC, SELinux, or snort. Given all the problems I've had using BSD on my hardware I don't have the patience to try & get it working, but I'd still say I'm relatively secure for a self taught non expert. I'm sure I'm doing some things wrong, but it's all relative & I'm very solid for a tiny home network, and that's due in part to all the different tools that I run.
38 • OpenBSD and isolation (by Ben on 2016-12-25 22:52:33 GMT from Canada)
@36: >> "Firejail, Cappsule, or any other "sandboxing" tool, may be interesting to implement the concept of "security by isolation". But none of them can make an insecure OS like Linux as trustful as an almost invulnerable one like OpenBSD (which emphasizes correctness, proactive security, integrated cryptography, and standardization"
Assuming you were not joking, I see a pretty big flaw in that reasoning. OpenBSD only practises active security, code audits and correctness on the base OS, not OpenBSD's ports/packages. Running Firefox (for example) on OpenBSD is not any more secure, really, than running Firefox on Debian. It's not any harder to compromise your web browser on OpenBSD than it is on, say, Fedora. The same applies to almost every desktop application or service you plan on running on OpenBSD that is not in the default installation.
So the key question then becomes; What happens after your attacker takes over your web browser? If it's sandboxed with Firejail or SELinux, then the attacker is pretty much stuck. They can read a bunch of files, but they should otherwise be unable to harm your OS or user's files. Without isolation (as on OpenBSD) then the attacker, having taken over your browser, has access to do whatever they like on your account. At that point, having a secure base OS does not do you a lot of good because the attacker has (unrestricted) access to run their code under your account.
I greatly respect the work OpenBSD devs do on their operating system and I'd like to see more Linux distros do the same. But the security of correctness OpenBSD offers doesn't help you much if the software that is being attacked is installed from their ports collection.
39 • @34 • Ultimate security (by Marco on 2016-12-27 16:10:04 GMT from United States)
@34 Ultimate security: no HD, just run from DVD - slow but sure.
I know you were joking, but my father used to attract all sorts of malware on his Windows computer. I never converted him to Linux, but I did persuade him to only do his on-line banking off a live Linux DVD image.
40 • OpenBSD/Linux security (by Jordan on 2016-12-27 16:10:44 GMT from United States)
Has anyone posting here ever had their computer taken over and had code run via the browser, etc?
I've seen various virus and malware in the news, but never have I seen or heard of a non-Windows computer being hijacked, with the notable exception of for testing purposes by the owner or commissioned tester of the machine.
But I've only been with Linux since 1996.
41 • System security (by Jesse on 2016-12-27 16:47:04 GMT from Canada)
>> "Has anyone posting here ever had their computer taken over and had code run via the browser, etc? "
@40: While I have not had my machine compromised this way, I have been called in to clean up a few. Generally, I am interested in fixing things rather than figuring out exactly what went wrong, but I suspect the Linux boxes I have cleaned up were originally compromised through network services like OpenSSH.
If you're interested strictly in browser compromises, you might want to check out the pwn to own competition as the systems tested are often taken down using browser exploits: https://en.wikipedia.org/wiki/Pwn2Own
>> "I've seen various virus and malware in the news, but never have I seen or heard of a non-Windows computer being hijacked"
Do you mean by people you know personally? There are often reports of macOS or Linux exploits being used in the wild. Particularly against Linux servers.
42 • Linux hacking (by speaking from experience on 2016-12-27 23:59:14 GMT from United States)
@40 "Has anyone ever had their computer taken over"
Against Windows hackers can use malware that ppl download from the web. But against other OSs where malware is not so prevalent - like Linux - hackers can exploit wireless hardware and software insecurities to capture your login password. One key insecurity is that your wireless is always "on" unless both hardware and software switches are turned off. Attacks can include wireless sniffing, MAC address scanning, port scanning, fake ap's, etc. If they can't get at your computer directly, they can always hack nearby devices - like routers, mobile phones, CCTV cameras, etc - and then target your computer from them. When they get your login password they can then hack your wifi or bluetooth, login, and copy whatever data they want.
Ironically, Linux security distros - like Qubes and TAILS - focus on malware protection mainly coming from the Internet, because they want to promote their OS's as Windows alternatives. But malware is old school, and wireless sniffing and hacking - usually before you even connect to the Internet - is new school (just look at all the wireless exploit tools available). So don't expect any Linux security distro to protect you against persistent hackers.
43 • Attacks on Unix (by M.Z. on 2016-12-28 00:44:17 GMT from United States)
@40 In addition to server systems being commonly targeted (mostly through unpatched software), there have been many attacks on another Unix-like desktop system, namely Mac OS X. If you know a bit about the Unix family tree you may know that modern Mac systems are basically a modified version of BSD. I don't think the infections have reached the same proportions on Mac as they have on Windows, but there have been compromises that have affected many thousands of machines. This sort of thing is far more rare on Linux and BSD proper, but I've heard of Linux machines being hit, so it can happen. That's why I think tools like firejail and SELinux are so valuable, they provide different ways to defend against and limit the damage of a serious compromise and create multiple potential barriers to attack. Of course that's just what I recall from reading up on that sort of thing on occasion, I've gotten an occasional paranoid feeling but never seen any real damage or serious problems since I've been using Linux.
44 • @40 Has a web browser ever hijacked my computer and run code (by imnotrich on 2016-12-28 06:50:08 GMT from Mexico)
Yes, sort of. Google Chrome, and more recently Firefox, offer a browser sync feature that syncs history, bookmarks, home page and other stuff across multiple computers. With Chrome, if you have a gmail account, sync is forced on you. With FF you have to opt in. Anyway, not so long ago, running Chrome on my W7 laptop, a website was able to change my home page to a Windows .exe file, but that fact was hidden from me; in the address field I still saw www.google.com. A day or two later I booted up the Linux partition of my W10/Linux desktop and noticed Chrome trying to connect to a Windows .exe file as my home page. Thanks to this helpful "sync" feature I was able to intercept the attack before it did any damage, but it won't be long before evil bad people figure out how to successfully exploit this sync feature from one platform to another.
45 • Attacks on Linux (by Jordan on 2016-12-28 14:36:51 GMT from United States)
Thanks for the responses to my query. I understand the server hacks, as unix based servers are more common out there. But I'm wondering if *users* at their desktop machines/laptops, on a Linux distro, have ever seen their systems compromised, personally. Their own computer. I've never seen it in twenty years of using distros with all manner of browsers and open ports, etc.
46 • @45 (by Ricardo on 2016-12-28 20:30:44 GMT from France)
As a home user, there are quite few chances you'll see an attack on your computer in your life.
On a server, it's another story.
47 • @45 (by Ricardo on 2016-12-28 20:40:34 GMT from France)
I talked about Linux of course, not Windows.
48 • Best Linux Desktop 2016, thoroughly reviewed. (by Greg Zeng on 2016-12-29 05:25:24 GMT from Australia)
https://www.youtube.com/watch?v=1iR6cx0_Zgs&t=323s "Best Linux Desktop 2016", quidsup 7':12".
"Published on Dec 27, 2016 Looking back at my Top 3 Favourite Linux Distributions that I reviewed in 2016, which includes a selection for new and advanced users." (from 21 reviewed)
He summarizes many detailed examinations in the last few weeks of full testing, with clear, detailed on-screen examples of his reasons. Generally myself and most others agree with his choices and biases. Of course the emotional fan boys give their own narrow opinions in the following comments to his videos.
1) KDE NEON (Kubuntu based) 4'28" 2) UBUNTU MATE (Ubuntu-based) 1'59" 3) LINUX LITE (Xubuntu 16.04 based), 0'15"
I gave further opinions of my own, on his YouTube page.
49 • Kodachi or TAILS? (by Dave Postles on 2016-12-30 11:44:25 GMT from United Kingdom)
Would appreciate comments on the relative merits.
50 • Re: Kodachi_or_TAILS? (by k on 2016-12-31 07:13:14 GMT from Finland)
@49 by Dave Postles
"Relative merits"?
Not having used or being familiar with Kodachi, I right away tried to compare package lists -- just see if it is worth downloading, verifying ISO and testing Kodachi --, as there are certain packages needed.
But, starting from TAILS page of Distrowatch, and trying the "compare packages" tool, Kodachi does not appear in the pull down menu.
Best wishes to all for 2017, and beyond.
51 • Re: Kodachi_or_TAILS? (by k on 2016-12-31 07:39:07 GMT from United States)
Again @49 by Dave Postles
Starting from Linux Kodachi page of DW, one can use DW's "compare packages" tool to compare full package lists of Kodachi and Tails.
The old Tails USB with persistence has worked really well for several years now, and even on 32-bit UEFI with 64-bit processor, using hosts' hard disk(s) for more capacious long-term storage, but welcome some experiential knowledge from others.
52 • Kodachi packages (by Jesse on 2016-12-31 13:34:01 GMT from Canada)
>> "But, starting from TAILS page of Distrowatch, and trying the "compare packages" tool, Kodachi does not appear in the pull down menu."
@50: Yes, Kodachi is listed, but it is listed under its proper name, Linux Kodachi. https://distrowatch.com/dwres.php?firstlist=tails&firstversions=0&resource=compare-packages&secondlist=kodachi
53 • Linux Mint 18.1 (by Landor on 2016-12-31 19:24:33 GMT from Canada)
Quite some time ago I was forced to install a "simplistic" distribution for someone; I chose Linux Mint 13 MATE Edition. Recently due to an update their wifi went for a dump. Instead of fixing the problem as 13 is closing in on its end of life, I did the upgrade to 17.3 and here I am typing it on this. I don't follow Linux as keenly as I once did, Gentoo works on what I use and that's enough to know for me. A look here showed me though that not only is 18 released, but now 18.1. Interesting that there is no upgrade to this release. Yet anyway.
@5 Good to see an old face/name kicking around. :) Happy New Year
Enjoy your distribution testing everyone. I for one am glad to see DW and DWW still going strong!
Keep your stick on the ice...
Landor
54 • 53 • Linux Mint 18.1... old timers ... Eventually. (by Greg Zeng on 2017-01-01 02:55:36 GMT from Australia)
"... forced to install a "simplistic" distribution for someone ... their wifi went for a dump"
Another old timer myself, so busy that I never published my works properly, anywhere. On updating any Linux operating system:
All Ubuntu-based operating systems (including Mint 18.1) eventually become "old" and "stale". In Linux, the easiest, simplest cure is just upgrading the Linux kernel. No need to change anything else. This then prevents malware created by past errors, bad hardware, updated hardware (poor drivers for new wifi, in this specific case), etc.
Ubuntu-based distros are days ahead of the other "leading" Linux distributions: Arch, and Arch-based. We have the advantage of pre-compiled, ready-to-install files, for a quick, immediate upgrade into the new kernel.
Using grub-customizer, we can then have an easy menu choice into any Linux kernel, at boot-time. These kernels could be old, the latest stable kernel, or any of the proposed Linux kernels. This has been frequently mentioned by myself here in DW and elsewhere on the internet. Unfortunately DW makes it extremely difficult to url the DW mentions that I have made on this easy solution to aging, atm.
55 • @54 (by Ricardo on 2017-01-01 14:42:11 GMT from France)
> "Ubuntu-based distros are days ahead of the other "leading" Linux distributions"
I hope you're joking because this is quite false... If not, you must have some problems, or you are just a hard Ubuntu fanboy, with all the exaggerations, nonsense etc. corresponding to this unhappy "state"...
Number of Comments: 55