2 Years With Linux


Recommended Posts

cork1958

I've actually been using Debian since 5-7-13 on 2 of my machines and they haven't screwed themselves up once yet just from a simple update like Ubuntu always has. Won't use that bloated POS ever again and I don't care how "user" friendly it's supposed to be or how great their forums are either.

 

Still can't go 100% Linux though as Linux just isn't my cup of tea mainly due to that command line crap also. Don't have to use it very often, but when I do, it's a total headache. How is anyone supposed to know that crap off the top of their head without searching for what the command is and thus wasting a ton of time?

 

The day they can make it so EVERYTHING has a simple UI for Linux, and not have to dig around to get mp3's, flash and other things to work out of the box, I might think about going 100% Linux, but until then, it's mainly a play thing.

  • Like 1
Link to post
Share on other sites
simplezz

The BASH one has existed since September 1989. That's pretty damning.

That's meaningless. There are probably bugs in Windows code yet to be discovered that have existed since its inception. The same thing can be said about any software. That doesn't mean someone's exploiting or even knows about it. Most are undiscovered. It usually takes someone who knows the code base well, or accidentally runs into it while doing research to actually find something like that.

It's also very easy to exploit if you have any form of local network access (As we've found).

Show me how you'd exploit it then. Describe exact steps. It's not as easy as you think. A system needs specific software and has to perform certain actions for it to even be remotely vulnerable. And even then, most systems were automatically updated a day after it was discovered. Good luck exploiting that.
  • Like 1
Link to post
Share on other sites
Aergan

That's meaningless. There are probably bugs in Windows code yet to be discovered that have existed since its inception. The same thing can be said about any software. That doesn't mean someone's exploiting or even knows about it. Most are undiscovered. It usually takes someone who knows the code base well, or accidentally runs into it while doing research to actually find something like that.

Show me how you'd exploit it then. Describe exact steps. It's not as easy as you think. A system needs specific software and has to perform certain actions for it to even be remotely vulnerable. And even then, most systems were automatically updated a day after it was discovered. Good luck exploiting that.

 

On local networks, just adding a crafted DHCP tag was enough for one generation of our Debian based HP Thinclients. Newer versions of them on Ubuntu 12.04 LTS aren't use BASH to enumerate the DHCP tag options.

 

http://security.stackexchange.com/questions/68877/shellshock-dhcp-exploitation

Link to post
Share on other sites
+InsaneNutter

i think it's true, the more advanced the user is, the less likely he will catch malware and viruses. i think there are a few people on neowin who knows that if you have downloaded or get mailed an .exe file of unknown or dubious source, you better avoid opening it.

but many don't and nearly every day i read threads in the windows section proving me so.

my view is: an OS should be designed secure per default, and while the nsa affair has shown that only a completely offline (internet and power) system is 100% save, still it's a fact that the security architecture of linux and also unix based mac os x win over windows here. many say it's because they both together are on only about 7 or 8% of desktops worldwide, but i think that's only a part of the deal. nearly any server runs linux and most smartphones run android which is linux based as well. not much problems there.

 

 

You read that about Windows because Windows has around 90% of the desktop market share, Linux has around 1.64% (Source)

 

If the market share was reversed you would hear about Linux users downloading malicious deb files or scripts and running them. Linux is not really targeted because it's desktop market share is non existent compared to Windows.

 

The OS doesn't matter, you cant protect a system from an end user with admin / root rights, even if that user has to enter their password to gain elevated privileges... that user will do it, regardless of the OS. That doesn't make either OS more or less secure though.

 

Unless you have a closed ecosystem like iOS or Windows Phone you cant protect the end user from themselves.

  • Like 1
Link to post
Share on other sites
simplezz

Still can't go 100% Linux though as Linux just isn't my cup of tea mainly due to that command line crap also. Don't have to use it very often, but when I do, it's a total headache.

I have people who know nothing about computers, Linux, or the terminal using it on a daily basis without issue. Clearly you're doing something wrong, haven't set it up fully, or you're using the wrong distro.

On the one hand you're complaining that Ubuntu is bloated POS, then on the other saying that more technically demanding distros to setup like Debian are too much work because you have to use the CLI. If you haven't got the patience for building a distro from scratch, then you should be running something like Mint, Fedora, Xubuntu, etc, not Debian.

It really irks me when someone claims that Linux is hard or needs a cli geek to use it. That's complete nonsense and really shows how little you know about the OS you're criticising.

 

How is anyone supposed to know that crap off the top of their head without searching for what the command is and thus wasting a ton of time?

How does someone learn a programming language, a game, any subject in general? By using it of course. It even comes with its own manual (man). There are countless ways to learn it. Windows is no different. How do you ping a server, check a wifi or ethernet connection, find occurrences of a string in a set of files based on a regular expression? By running commands on the Windows console.

However, from your tone I can tell you're not interested in learning how to use bash, or the GNU/Linux utilities. In which case, the aforementioned distros would be better suited to your needs as they don't require knowledge of the cli to setup or use.

 

The day they can make it so EVERYTHING has a simple UI for Linux, and not have to dig around to get mp3's, flash and other things to work out of the box, I might think about going 100% Linux, but until then, it's mainly a play thing.

They already have. In fact there are many distros suited to that task. *buntu's, Fedora, Suse, PCLinuxOS, and many others. All of which require no cli experience to use.

As for mp3, flash, and other common codecs and formats. There's a nice handy little package in *buntu distros called *disto*-restricted-extras available through the App Store GUI. You merely need to type restricted to get the right package in the search. Some distros like mint come with it preinstalled. Personally, I always install MPD (music player daemon) and a front end for it, so that's never a problem for me. And Mplayer takes care of all my video codec needs.

  • Like 1
Link to post
Share on other sites
simplezz

On local networks, just adding a crafted DHCP tag was enough for one generation of our Debian based HP Thinclients. Newer versions of them on Ubuntu 12.04 LTS aren't use BASH to enumerate the DHCP tag options.

 

http://security.stackexchange.com/questions/68877/shellshock-dhcp-exploitation

Precisely. It relies on a DHCP client to run a specific bash command internally or other internet facing services that have that facility. You'd need a compromised DHCP server issuing that response.

I for instance don't run DHCP because I use static addresses. Therefore my machine isn't vulnerable to foreign networks.

Link to post
Share on other sites
Aergan

Precisely. It relies on a DHCP client to run a specific bash command internally or other internet facing services that have that facility. You'd need a compromised DHCP server issuing that response.

I for instance don't run DHCP because I use static addresses. Therefore my machine isn't vulnerable to foreign networks.

 

Consider someone brings in a rogue DHCP box (e.g. Raspberry Pi), plugs it in to the physical network where thinclients are used. It's quite possible for public institutions where not end to end is not always protected / managed.

Link to post
Share on other sites
simplezz

If the market share was reversed you would hear about Linux users downloading malicious deb files or scripts and running them. Linux is not really targeted because it's desktop market share is non existent compared to Windows.

That's false and I can prove it. Look at Android. It has the most malware of any other mobile OS right? Well there's a slight caveat to that. Official Playstore Android devices have virtually none. 99% of it is on third party unregulated asian app stores. So while technically it might have the most malware, the reality is that official devices never see it. Ergo, it's not a problem.

The lesson there is that because users get the majority of their apps from curated stores and peer reviewed repositories, malware is never an issue. It enforces a kind of behaviour. Linux users don't go around randomly downloading executables or running downloaded arbitrary scripts, they get their software from official curated repositories.

As for running random deb files, you do realise that debian installer files only work by default on debian based distros right? My Arch Linux box would balk if you attempted to run a .deb file. As would many others. The heterogeneous nature of GNU/Linux means it's very difficult to infect a large number of systems and therefore isn't a profitable prospect. That's why there's never been any successful malware or virus on it. That and the reliance on repositories for software sourcing.

Even Microsoft knows this and why it's pushing the Windows Store.

 

The OS doesn't matter, you cant protect a system from an end user with admin / root rights, even if that user has to enter their password to gain elevated privileges... that user will do it, regardless of the OS. That doesn't make either OS more or less secure though.

Having to enter a password is more of a barrier than clicking through a button like on Windows. Besides, even if someone did, the likelihood is that said malware wouldn't work due the heterogeneous nature of GNU/Linux. Every distro is unique. Different init systems, filesystem layout, default installed software, package managers, etc. It's very hard to exploit a large number of subtly different distros. Windows on the other hand is mostly homogeneous and an easy target. Not to mention the fact that it's far more likely to be running out-of-date and vulnerable non-system software.
  • Like 1
Link to post
Share on other sites
Alwaysonacoffebreak

Games were bit of a letdown for me also, but after Steam was going the Linux way, I'm like, if I ever get back into gaming, I have an alternative other than Wine.

 

Just because Steam is going Linux doesn't mean all the games work there. Only a hanful will. Mostly Valve games. good luck running any EA or Activision games on Linux.

  • Like 1
Link to post
Share on other sites
simplezz

More BS again. you do know that in the list of discovery to patch readyness, windows is above linux in speed?

Take a look at the zero day exploit numbers and the real world, in the wild attacks occurring. It's all Windows based desktops.
Link to post
Share on other sites
Mindovermaster

Just because Steam is going Linux doesn't mean all the games work there. Only a hanful will. Mostly Valve games. good luck running any EA or Activision games on Linux.

 

When did I ever say every steam game is available? It's "becoming so", not "is". When did I ever say anything about other games?

 

APT is pretty good, but in my experience, Arch and Gentoo have the best package managers. Once you've used Pacman/Yaourt or Portage for a while, you'll wonder how you ever did without them :)

 

Can someone explain this? how is pacman at all better?

Link to post
Share on other sites
Max Norris

Can someone explain this? how is pacman at all better?

For me anyway, it's not so much Pacman but Yaourt.. pulls downloads not only from your set repositories but also from the Arch User Repository, which uses the ABS to build packages that aren't in the repo itself. Very convenient. Although you could say this is also a bit dangerous as well as you're pulling in third party software from outside the repository.
Link to post
Share on other sites
simplezz

Can someone explain this? how is pacman at all better?

In many ways, but here's one:

sudo apt-get update && sudo apt-get upgrade
vs

Pacman: yaourt -Syu
Portage: emerge -u world
Yes, a bash alias can fix that:

alias update='sudo apt-get update && sudo apt-get upgrade'
Still it's just one example. They are just generally easier to use and more functional. Their native installer formats are also much nicer and don't require a separate utility (dkpg) to side load.

Then there's the repositories themselves. Arch's built-in AUR is much nicer than having to adding third party PPA's.

Link to post
Share on other sites
Max Norris

Can someone explain this? how is pacman at all better?

For me anyway, it's not so much Pacman but Yaourt.. pulls downloads not only from your set repositories but also from the Arch User Repository, which uses the ABS to build packages that aren't in the repo itself. Very convenient. Although you could say this is also a bit dangerous as well as you're pulling in third party software from outside the repository.

 

Take a look at the zero day exploit numbers and the real world, in the wild attacks occurring. It's all Windows based desktops.

Seen a few articles showing servers being attacked due to the Bash thing. Also remember seeing some about the zero day Ruby bug turning Rails into a "worm server." It's not all Windows desktops, although yea, that's where the majority of internet users are so it's kind of a given Windows users will be the #1 target.

That's false and I can prove it. Look at Android. It has the most malware of any other mobile OS right? Well there's a slight caveat to that. Official Playstore Android devices have virtually none. 99% of it is on third party unregulated asian app stores. So while technically it might have the most malware, the reality is that official devices never see it. Ergo, it's not a problem.

Until people download from outside the store, which apparently a lot of people do. (Piracy mostly, you can't get away from it.)

 

The lesson there is that because users get the majority of their apps from curated stores and peer reviewed repositories, malware is never an issue. It enforces a kind of behaviour. Linux users don't go around randomly downloading executables or running downloaded arbitrary scripts, they get their software from official curated repositories.

Just set up a new install the other day, had to get a number of packages from outside the repositories, either via a third party repo, downloading source or a deb. It's pretty hard to stay in the official repos if you want to have up-to-date software. (Beyond security fixes of course.)

 

Having to enter a password is more of a barrier than clicking through a button like on Windows.

Basic admin 101. First user is an admin account and shouldn't be used for day to day use. Been that way since forever. Running as a regular user would require admin credentials (IE, a password) just like Linux. But since people are still apparently dumb enough to run programs they receive in email, it's no wonder things like this keep happening.
  • Like 2
Link to post
Share on other sites
simplezz

Very convenient. Although you could say this is also a bit dangerous as well as you're pulling in third party software from outside the repository.

They are peer-reviewable and require a maintainer.
Link to post
Share on other sites
Max Norris

They are peer-reviewable and require a maintainer.

Sure, but you've still got a "lag" from somebody actually finding a problem till it's pulled/fixed/etc. Just look at the Bumblebee fiasco for a good example of how this is dangerous, and that was peer-reviewed too.

Which brings me to an honest side-question from left field, never really looked into it before. In Windows, if I'm downloading "random program x" and don't know if it's safe or just not sure that I want to keep the thing I toss it into a sandbox for testing purposes. When I'm done with it, click bang gone, zero traces left. Is there something like this for Linux without resorting to a VM, cut down on the manual after-the-fact cleanup and all that.. never really much needed it for my server work but considering a desktop and all, would be useful.

Link to post
Share on other sites
simplezz

Which brings me to an honest side-question from left field, never really looked into it before. In Windows, if I'm downloading "random program x" and don't know if it's safe or just not sure that I want to keep the thing I toss it into a sandbox for testing purposes. When I'm done with it, click bang gone, zero traces left. Is there something like this for Linux without resorting to a VM, cut down on the manual after-the-fact cleanup and all that.. never really much needed it for my server work but considering a desktop and all, would be useful.

You could try setting up a testbed chroot. If you ever do a stage 1 Gentoo build or fix a grub, you'll get to know chroot well ;)
Link to post
Share on other sites
Max Norris

You could try setting up a testbed chroot. If you ever do a stage 1 Gentoo build or fix a grub, you'll get to know chroot well ;)

True that, too easy to break out of though, requires root access and it's not "seamless" as you have to specifically copy things into it as it can't work with a virtual file system, not terribly convenient to set up either. Oh well, will have to research that more, don't mind using a VM but a big fan of shortcuts.. if anything Windows has made me lazy.  :rolleyes:

Link to post
Share on other sites
simplezz

True that, too easy to break out of though, requires root access and it's not "seamless" as you have to specifically copy things into it as it can't work with a virtual file system, not terribly convenient to set up either. Oh well, will have to research that more, don't mind using a VM but a big fan of shortcuts.. if anything Windows has made me lazy.  :rolleyes:

Well if you want a true secure sandbox, then SELinux is probably what you're after.

  • Like 1
Link to post
Share on other sites
Max Norris

Well if you want a true secure sandbox, then SELinux is probably what you're after.

Ah ha -- that's more like it, never really looked closely at SELinux, will read up on that thanks.

Link to post
Share on other sites
elenarie

the problem afaik are the windows only users

 

I love your #MasterRace approach.

Link to post
Share on other sites
HawkMan

That's false and I can prove it. Look at Android. It has the most malware of any other mobile OS right? Well there's a slight caveat to that. Official Playstore Android devices have virtually none. 99% of it is on third party unregulated asian app stores. So while technically it might have the most malware, the reality is that official devices never see it. Ergo, it's not a problem.

 

 

I'll translate what you're saying here to not-spin-speak

 

"while you are correct, I'm going to apply a bunch of irrelevant parameters to your statement that amounts to 'no android viruses included' to prove I'm arbitrarily  right anyway"

 

Sorry, that's not how it works. Besides you're wrong. There have been numerous virus and spyware on the official store, I can guarantee you there are quite a few there right now. On top of that, there have been viruses and malware that can do unattended installs or even install undetected over the air either from sms, internet or even BT and WiFi.

  • Like 1
Link to post
Share on other sites
PanzerFury

I switched to Linux completely about 5 years ago, when I was finishing my bachelor's degree on colleague and starting some computational stuff/scripting for work and later for my PhD. Some friends showed me how easy it is to compile code in Linux, so I decided to try. I chose Ubuntu, because it was the hottest distro at that time. At first, it was a bit rough, lots of things were different, software was different, and there were issues with fglrx ATi/AMD drivers (not a problem these days anymore). However, the decision to switch proved to be a success, I started loving features of Linux (omg ->  virtual desktops, terminal, package manager) and my productivity went up. I still left a Win7 partition for gaming exclusively, because Linux was never gaming oriented. These days, with the introduction of Steam and GOG, things are improving, but there is still a long way to go to be on pair with Windows regarding gaming.

 

Later we [my family] decided to homogenize our software and switch from XP/Vista machines to Linux. I organized a step-by-step plan, first open-source software (Open/LibreOffice, Thunderbird, Firefox, etc), subsequently total switch to Lubuntu 10.x about 4 years ago.This was the closest to XP feel as you can get. However, nobody was really satisfied with Lubuntu (it's not as feature rich as XP/Unity/Gnome), so I took a bold step and installed Ubuntu 11.04 with Unity desktop environment. At first, I was a bit worried, because it is really different compared to standard window-environment, but to my surprise, everyone picked up Unity almost instantly. I prepared for long introduction, but in fact wasn't really necessary. Ubuntu with Unity was a great success. Now everyone in my household is running Ubuntu 14.04 LTS (5 machines + my workstation) and everyone is happy. Not to say there is almost zero maintenance required for me ... no antivirus,  windows updates, manual upgrade of browsers, office suites.... just remote connection to ssh and apt-get dist-upgrade every 6 months and  reinstallation of LTS every 2 years. It really can't get any more simple than this [fore casual home environment].

 

I am now using Fedora 20 with GNOME3 and I really like it. It is a perfect blend of software for me, and GNOME3 proved to be a marvelous environment, *AFTER* I took a leap of faith and learned how to use desktop environment from scratch. Fundamentals are quite different to what we were used to since DOS era, but once you get a hang of it, it really is a step forward.

  • Like 3
Link to post
Share on other sites
adrynalyne

it has also proven that the linux community has an awesome pace in fixing bugs. the patch for the systems was out there the same or next day afair while in the lastest hack from russian hackers to NATO windows systems (read here) it was again waiting for super patch tuesday to get anything done.

Awesome pace?

 

Do you know how long those bugs existed before being fixed?

  • Like 1
Link to post
Share on other sites
adrynalyne

That's false and I can prove it. Look at Android. It has the most malware of any other mobile OS right? Well there's a slight caveat to that. Official Playstore Android devices have virtually none. 99% of it is on third party unregulated asian app stores. So while technically it might have the most malware, the reality is that official devices never see it. Ergo, it's not a problem.

The lesson there is that because users get the majority of their apps from curated stores and peer reviewed repositories, malware is never an issue. It enforces a kind of behaviour. Linux users don't go around randomly downloading executables or running downloaded arbitrary scripts, they get their software from official curated repositories.

As for running random deb files, you do realise that debian installer files only work by default on debian based distros right? My Arch Linux box would balk if you attempted to run a .deb file. As would many others. The heterogeneous nature of GNU/Linux means it's very difficult to infect a large number of systems and therefore isn't a profitable prospect. That's why there's never been any successful malware or virus on it. That and the reliance on repositories for software sourcing.

Even Microsoft knows this and why it's pushing the Windows Store.

 

Having to enter a password is more of a barrier than clicking through a button like on Windows. Besides, even if someone did, the likelihood is that said malware wouldn't work due the heterogeneous nature of GNU/Linux. Every distro is unique. Different init systems, filesystem layout, default installed software, package managers, etc. It's very hard to exploit a large number of subtly different distros. Windows on the other hand is mostly homogeneous and an easy target. Not to mention the fact that it's far more likely to be running out-of-date and vulnerable non-system software.

First, most GNU portions in android are not there, or completely disabled.  The OS runs off a java framework and uses Java apps.  It does have a Linux kernel though, but just like most exploits out there for Windows, they aren't kernel level.  Second, unlike GNU/Linux, you cannot install apps that require root access to run.  Apps without root access cannot even install on the System partition because it is read only.  By default, side loaded apps are disabled.  Android 5.0 will be encrypting the OS and data by default.  Basically you are in a very limited environment on what you can do and install, and if you subject that to any OS, it becomes quite a bit more secure.

 

Then there is this that still is not patched...

 

http://it-beta.slashdot.org/story/13/07/08/2256256/code-released-to-exploit-android-app-signature-vulnerability

 

I wouldn't say Android is proof that Linux is more secure...

 

Well there's a slight caveat to that. Official Playstore Android devices have virtually none. 99% of it is on third party unregulated asian app stores. So while technically it might have the most malware, the reality is that official devices never see it. Ergo, it's not a problem.

 

The choice of not sideloading software from outside channels falls under safe computing.  It is not a sign that the OS is more secure. 

That's meaningless. There are probably bugs in Windows code yet to be discovered that have existed since its inception. The same thing can be said about any software. That doesn't mean someone's exploiting or even knows about it. Most are undiscovered. It usually takes someone who knows the code base well, or accidentally runs into it while doing research to actually find something like that.

 

So it only matters if it has been discovered?  Hence we have gone full circle back to, popularity makes an OS a target.  People aren't looking for exploits in GNU/Linux like Windows.

 

An undiscovered exploit and a discovered one have something in common: They are both exploits.  So no, they were not patched fast. I think you confuse published with discovered.  It was recently published and quickly fixed.  God knows how long it is has been used and people kept it under wraps.

 

Using your logic, every time a new version of Windows comes out, it is the most secure OS in existence, because the exploits are not yet discovered.  People crucify MS all the time for exploits that may be recently discovered, but have existed for years.  I guess that is ok for GNU/Linux though?  Nice double standard going on here.

  • Like 1
Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.