[vox-tech] Ubuntu Security Software

Rick Moen rick at linuxmafia.com
Sat Aug 16 01:59:51 PDT 2008


Quoting Steve Weiss (stevew at bbenginc.com):

> I've been following the fascinating "Verify Ubuntu files" discussion
> and can see how complex an issue system security is. But my question
> is, what do you recommend a newbie like me do for security? 

Well, what Richard Crawford said was pretty good advice.  You could keep
it simple and stop there.

I could add qualifiers, cautions, and quibbles -- and I might do so
below -- but, as a two-paragraph summary, Richard's post works well
enough.

(And I very much applaud Bill Broadley's list of bulleted items.
Listen to that man.)


Just for conversation's sake, let's assume we don't want to stop there.

> I've been running Ubuntu on my laptop since an Installfest last Fall,
> but haven't found the time to learn much about its innards yet.  When
> I asked Chris and Alex this at the time, they both shrugged their
> shoulders and said basically don't click any links you don't trust...

I think having to fear hyperlinks is a bit silly.  More below.

> ...and that Linux doesn't get much hacker attention.

This strikes me, reading the statement the way I _think_ you mean it, as
clearly untrue.  (It may or may not be very much like what Chris and
Alex told you.  I wasn't there.)  If nothing else, ask yourself:  Does
that pass the test of common sense?  Wouldn't these guys be extremely
eager for the lasting fame that would result from breaking into a
massive number of Linux systems?

> Neither recommended running any kind of security suite for Linux.

No offence intended, but the whole notion of a "security suite" has
always struck me as self-defeating.  I guess I'm going to have to
elaborate on that, too.

> I find this approach a little scary after many years using various
> Windows security suites and discussions like yours.  

Well, the trick is to know what warrants concern, what is unlikely but
conceivable, and what's a bunch of hooey.  You'll encounter all of
those, all of them claiming to be real.  If you want to learn how to
better distinguish good security-related information from bad, there are
a number of places to start.  One starting point is the concept of a
"threat model", and the other is the taxonomy of attacks (denial of
service, privilege escalation, remote vs. local exploit, bug that might
have security implications but has no known exploit at present vs. bug
that has current exploits but only for extremely rare and improbable
configurations vs. bug that is already an exploitable threat to
everyone, etc.).

> And "trust" is a relative thing.

Indeed -- though maybe not in the way you mean:  It is very much a
context-dependent term.  So, you have to grasp the context, or else it's
just a word.

> What would you all recommend for new users? 

Well, it depends on your level of interest, and your level of concern.

You personally were interested enough to ask, so I'm assuming you're 
curious enough to plow through a certain amount of security neepery.
But on the other hand, you also wrote something suggesting (maybe?)
limited interest:

> Are there good virus/firewall/spyware packages for Ubuntu that are
> reasonably automated?

Security author Bruce Schneier has a famous saying:  "Security is a
process, not a product."  As an aside, if you're actually curious about
security, you could do a lot worse than reading some of what Schneier
and his industry colleague Marcus J. Ranum have written.

http://www.schneier.com/blog/   Schneier's weblog
http://www.schneier.com/crypto-gram.htm   Crypto-Gram (monthly)
http://www.ranum.com/security/computer_security/editorials/  
                             Some of Marcus Ranum's writings

They're both worth listening to.  They also have famously failed to
agree, many times in the past.  I _personally_ have generally found
Ranum's views to have more merit in those cases of dissension, but 
you should judge for yourself.  (They've done a number of paired
point/counterpoint columns.)


Meme #1:  Software doesn't run itself.

Where to start?  I think I'll start with a 1980s anecdote, when I was
half the IT department at a database software company.  On my desk were:

o  a Mac IIci running MacOS 7.1.
o  a junky old x86 box running Windows for Workgroups 3.11

Corporate policy was to run some cruddy antivirus thing du jour.  It
might have been McAfee VirusScan.  Based on what I _thought_ I'd figured
out about real-world computer security, after a couple of years of
dealing with other people's problems, I made a slightly gutsy move:  I
disabled VirusScan and all of its kin.

I had a theory I wanted to try out, that:

0.  Malware doesn't run itself.
1.  I could avoid malware through the astonishingly simple expedient of
    just not running it.
    a) Don't run code you don't have good reason to trust and 
       explicitly _wish_ to run.
    b) Eschew badly designed software that shows any inclination
       to run software on my behalf without my explicit say-so.
2.  In the event of my doing something really stupid that caused me
    to "infect" my system, I should be able to spot that through 
    the nature of the resulting damage.  (I had seen a variety of
    such damage to other people's systems.)
3.  Malware doesn't even rate as a source of damage to the system, 
    relative to the user himself/herself.  Which is why the Good Lord
    created backups, master reinstallation CDs, etc.  (Remember, on 
    those two OSes, I wielded root authority _all the time_.)

It worked great.  My systems were more stable, performed a lot better,
and I had zero problems.  Of course, it helped that I'd made a
determined effort to understand how and when users ended up running
code, e.g., I had changed my BIOS's boot order so that the "A:" drive
was never branched to at boot time by default, and thereby eliminated
the entire category of x86[1] boot-sector viruses.

You want to improve your ability to understand security issues by orders
of magnitude?  Study up on how your Ubuntu box boots (the whole boot
chain), and how processes start and die.


Meme #2:  Don't avoid "clicking on links you don't trust"; understand
what does and doesn't happen when you "click on a link".

The MS-Windows world has made popular the notion of "dangerous sites",
and the concept of fearing "opening attachments", and so on.  Wrong.
Dumb.  Ask yourself what happens when you "open" an attachment received
in e-mail.  If you aren't sure, then _there_ is your problem.

Back in the day, I made sure I was using an MUA that dealt with
attachments sanely (Eudora) and a Web browser that didn't have too many
bad habits, and in general made a point of making sure *I* was the guy
deciding when to run (or not run) a program -- and then assumed
responsibility for running only what I felt like taking a chance on, 
and also for cleaning up any mishaps.  (Malware was hardly the only
threat to one's data.  User error, buggy software, and hardware failure 
frankly were and are all bigger threats.)

I'll probably come back to this matter, but that's more than enough for
now.

[1] MacOS floppies by contrast had the somewhat troubling feature that
some code on them got automatically executed the moment they were
inserted and mounted, as was not the case with floppies on
MS-DOS/MS-Windows, OS/2, or *ixes for x86.  Accordingly that floppy code
was itself a vector for MacOS malware, even if you never attempted to
boot from those discs.


Meme #3:  Throwing more software at a security problem is almost always
charging full-speed in the wrong direction.
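In the spirit of Memes #1 and #2, here is a small added example that is not part of the original post: before you "open" something that arrived as an attachment, look at what the kernel and the desktop would actually consult when deciding what to do with it, namely the first bytes and the mode bits, rather than the file name the sender chose. Every sample file, name and temporary directory below is constructed for the demonstration; the classification is a heuristic, and the real decision is made by whichever handler your desktop maps the file to.

```shell
#!/bin/sh
# Added example; not code from the original post.  "Software doesn't run
# itself": before opening an attachment, ask what opening it would do.
# Every sample file here is constructed for the demonstration.
set -u

# what_is FILE
# Prints a one-word verdict from the first bytes and the mode bits, which is
# what the kernel and the desktop consult; the file name is only a hint the
# sender controls.
#   elf       native executable: "opening" means running it
#   script    starts with #!; runs under the named interpreter if executable
#   launcher  a .desktop entry with an Exec= line; a file manager that
#             honours it runs that command when the entry is activated
#   data      input for a viewer (PDF, image, text); no code of its own runs
# ",exec-bit" is appended when the execute permission is set.
what_is() {
    f="$1"
    hex=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        7f454c46) kind=elf ;;        # the bytes \177ELF
        2321*)    kind=script ;;     # the bytes "#!"
        *)
            if grep -q '^\[Desktop Entry\]' "$f" && grep -q '^Exec=' "$f"; then
                kind=launcher
            else
                kind=data
            fi ;;
    esac
    if [ -x "$f" ]; then
        printf '%s,exec-bit\n' "$kind"
    else
        printf '%s\n' "$kind"
    fi
}

# Build a few constructed "attachments" and classify each one.
demo() {
    d=$(mktemp -d)
    printf '%%PDF-1.4\n%% constructed sample, not a real document\n' > "$d/invoice.pdf"
    printf '#!/bin/sh\n# anything here runs with your privileges\necho hello\n' > "$d/cute.scr"
    chmod +x "$d/cute.scr"
    printf '\177ELF\002\001\001' > "$d/photo.jpg"          # ELF bytes behind an image name
    printf '[Desktop Entry]\nType=Application\nName=Invoice\nExec=sh -c "echo this ran"\n' > "$d/invoice.desktop"
    for f in "$d"/*; do
        printf '%-16s %s\n' "$(basename "$f")" "$(what_is "$f")"
    done
    rm -rf "$d"
}

demo
```

Run it with `sh what_is.sh`. The point of the output is that the name `photo.jpg` tells you nothing: the bytes say ELF, and a `.desktop` entry named `Invoice` is a command line waiting for a file manager that honours `Exec=`. If a file would execute when opened and you did not explicitly wish to run it, you already have your answer, and no "security suite" is needed to reach it.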

