What makes Linux safer than Windows?

RandSec
Posts: 82
Joined: Mon 10 Aug 2009, 18:33
Location: Austin, Texas

What makes Linux safer than Windows?

#21 Post by RandSec »

I have been using multisession Puppy 4.12 from DVD, on and off, for about 7 months now. I have a machine with no hard drive and Puppy works great there. My motive is security. After installing Firefox and the various security add-ons, the browsing experience is much like under Windows. But the usual random malware attack probably is going to address the largest group, which is running Windows, not Linux.

Many modern attacks go through the browser instead of the OS. Sometimes this is actual weakness, but normally it is just getting the user to click something, whereupon the malware gets its way. Beyond using Adblock Plus, NoScript, WOT, RequestPolicy and BetterPrivacy add-ons, only so much can be done automatically.

To survive on a machine past reboot, malware must change files used during boot. The potential advantage of the multisession DVD is that malware would have to change the DVD. Naturally, malware can change files in memory, and then those files might be written to the boot DVD at the end of session, but only if the user allowed it, which can be made fairly unusual. Even if malware is saved, the system can be recovered by voiding the last n sessions. And worst case, replacement is just another DVD. We do not lose the entire contents of a massive hard drive when there is no hard drive. But if a hard drive is present, even if unmounted, it probably is at risk.

If we download files, they could have format hacks that subvert the reader or player or viewer, but we can hardly blame Puppy for application faults. If we download programs, they could be Trojans, which is an argument for using an up-to-date antivirus solution in Linux. But even undetected, the Trojans *probably* will target Windows, and so not function on Linux. When something strange happens we do not want to write that session to DVD.

The multisession DVD stuff is great when it works, and I wish it would work better. Sadly, I have never been able to continue to a second DVD automatically; the write always fails. Recently I had some sort of end-of-session update write error coasterize a half-full DVD. That was an unexpected loss of substantial updating and customization, and so actually might have been worse than malware. That caused me to question further use of the multisession mode.

I have tried Puppy on a flash drive, but it did not function as I had hoped. What I want is to put everything into RAM, and then be able to *remove* the flash, just like the DVD can be removed after a boot. But what I got was a warning not to remove mounted drives, including the flash. And, of course, the flash could not be unmounted. This is a problem because I cannot save something to flash to move it to another machine with everything running.

The idea of encrypting a boot flash makes a lot of sense. But it kind of makes me wonder why the general file updates to the DVD are not also encrypted.

Perhaps someone who knows Puppy far better than I do can suggest something for multisession problems or to improve flash boot. Thanks!

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

Re: What makes Linux safer than Windows?

#22 Post by Flash »

RandSec wrote: I have been using multisession Puppy 4.12 from DVD, on and off, for about 7 months now. I have a machine with no hard drive and Puppy works great there. ...

... Sadly, I have never been able to continue to a second DVD automatically; the write always fails.
Barry comes out with a new version of Puppy so often that I never come close to filling up a multisession DVD before I switch to a new version of Puppy. The way I switch to a new version of Puppy may solve your problem. You don't even have to be upgrading to a different version of Puppy for this to work. What I do is, with Burniso2cd, burn a Puppy iso to a DVD then shut down with the newly burned DVD still in the drive. Puppy asks if I want to save. I say yes. Puppy burns the first session, which contains everything from all the sessions of the old DVD. This has the effect of "defragmenting" the old multisession DVD by condensing all the sessions from it into the first session on the newly burned DVD.

Note that if something goes wrong you haven't lost anything from the old DVD. Just boot the old DVD and try again.
... Recently I had some sort of end-of-session update write error coasterize a half-full DVD. That was an unexpected loss of substantial updating and customization, and so actually might have been worse than malware. That caused me to question further use of the multisession mode. ...
You can make a backup of your multisession DVD by periodically doing what I just described. Burniso2cd will burn a Puppy iso to a DVD+RW without having to blank the disk first. I alternate two DVD+RW disks.
Puppy Help 101 - an interactive tutorial for Lupu 5.25: http://www.murga-linux.com/puppy/viewtopic.php?t=69321

drongo
Posts: 374
Joined: Sat 10 Dec 2005, 23:35
Location: UK

Multisession users

#23 Post by drongo »

So there's two of you?

:D

levian
Posts: 34
Joined: Fri 07 Aug 2009, 03:32

#24 Post by levian »

droope wrote: Never tried it. Avast on windows does a pretty good job.
Agreed. My office PC has been using the free edition of Avast since the very beginning and it is doing well so far too. Hehe.

drongo
Posts: 374
Joined: Sat 10 Dec 2005, 23:35
Location: UK

Anti-virus working perfectly

#25 Post by drongo »

Err, how do you know? You can tell when your anti-virus catches a nasty and you can tell when you have a false positive. How do you know when it has missed something?

Tin-foil hats all round.

Colonel Schell
Posts: 50
Joined: Mon 06 Jul 2009, 22:11
Location: Columbus, Ohio

#26 Post by Colonel Schell »

It's not paranoia if there's really someone out to get you.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#27 Post by Lobster »

It's not paranoia if there's really someone out to get you.
Assume they already got you.
Now what? :lol:
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

disciple
Posts: 6984
Joined: Sun 21 May 2006, 01:46
Location: Auckland, New Zealand

#28 Post by disciple »

They're not out there to get me. They're out there to get people running Windows 8)
Do you know a good gtkdialog program? Please post a link here

Classic Puppy quotes

ROOT FOREVER
GTK2 FOREVER

Colonel Schell
Posts: 50
Joined: Mon 06 Jul 2009, 22:11
Location: Columbus, Ohio

#29 Post by Colonel Schell »

Lobster wrote:
It's not paranoia if there's really someone out to get you.
Assume they already got you.
Now what? :lol:
:shock: I may not sleep tonight.

Thanks. :(

alienjeff
Posts: 2265
Joined: Sat 08 Jul 2006, 20:19
Location: Winsted, CT - USA

#30 Post by alienjeff »

Image

Rough translation:

Panel 1: "Why are you bringing up the root-vs-user issue?"

Panel 2: "Because I'm too lazy to use the search feature on Murga's forum to locate and read pre-existing threads on the topic."
hangout: ##b0rked on irc.freenode.net
diversion: http://alienjeff.net - visit The Fringe
quote: "The foundation of authority is based upon the consent of the people." - Thomas Hooker

droope
Posts: 801
Joined: Fri 01 Aug 2008, 00:17
Location: Uruguay, Mercedes

Re: Anti-virus working perfectly

#31 Post by droope »

drongo wrote: Err, how do you know? You can tell when your anti-virus catches a nasty and you can tell when you have a false positive. How do you know when it has missed something?

Tin-foil hats all round.
I do my calculations this way:

No bad news = Good news. :)
What seems hard is actually easy, while what looks like impossible is in fact hard.

“Hard things take time to do. Impossible things take a little longer.” –Percy Cerutty

My blog (Spanish): http://droope.wordpress.com/

Bruce B

#32 Post by Bruce B »

PaulBx1 wrote:
The system files are really read-only.
So, if you use Puppy as a live-CD, don't mount partitions or USB sticks, don't install it to hard-drive and don't use multi-session you're pretty much invulnerable!
Uh, I must be laboring under a misapprehension. :)

I thought any file was writable, with the new file (in the pupsave) superseding the one on CDROM, via unionfs or aufs. Thus, the only way Puppy can be invulnerable is if you never use the pupsave, and boot "pfix=ram". Or am I missing something?

As to discounting the lack of linux viruses out there "merely" because linux (or BSD) is not as popular; well, it's worked pretty well so far! Better than any anti-virus software. It is an advantage now. When linux hits 30% market share, then you can bring this one up.
Comments on Subjects Discussed

An unmounted partition can be copied bit for bit. It can be erased, formatted and ??

If I were concerned about viruses (malware), I wouldn't use a virus scanner. The reason is that I don't think the signature databases contain many, if any, Linux signatures.

I would, if I were very concerned, maintain my own md5sum database of files, with the checks looking for changes, new files and deleted files, and the report used to alert me to things I might want to look into.

With Linux, files can be set so even root can't modify or delete them. Some of the key files used in traditional root kits can be set immutable and this would make it more difficult to install a traditional root kit.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#33 Post by Lobster »

Using something like this for penetration testing (sounds a bit erotic to me)
http://www.pentoo.ch/
should keep the tin hats happy for a while . . .

Let us know of any vulnerabilities
one or two of us might even care . . . :wink:

Bruce B

#34 Post by Bruce B »

Lobster wrote: Using something like this for penetration testing (sounds a bit erotic to me)
http://www.pentoo.ch/
Judging by the scope of things, you might be close. I did read this much at the site.
  • Q: My card is not supported, will you crack my girlfirend account password for me ?

    Probably not, unless you send pics of her first.
Take a little - give a little. Send pix of the eX - they wouldn't care.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#35 Post by Lobster »

So what is it that you Puppy users know that I don't? What makes you confident that you're not likely to get hacked, even running as root? I'd really like to know...
Most of us experienced Windows (security nightmare)
Other distros, so secure you can not even open your own CD drive - bah - humbug. :oops:
Then carefree Puppy usage :D
Carefree I like. :D

We have special tin hatted penguins to do our worrying.
They have been programmed this way (probably by the government) :shock:
Would a honeypot puppy be of use to anybody?
Maybe to our so secret everyone knows about it
black ops Puppy users 8)
http://puppylinux.org/wikka/BlackOps

clarf
Posts: 613
Joined: Wed 13 Jun 2007, 19:22
Location: The old Lone Wolf

#36 Post by clarf »

A short answer for the initial question. Windows never was designed with security in mind.

If you read:

http://www.computerworld.com/s/article/ ... geNumber=1

Then you'll see that Microsoft has released so many security patches for each Windows version that you'll conclude this software's quality standards and design are very poor for a secure OS.

It's true that Microsoft recently redesigned the architecture of Windows and has many defense-in-depth improvements in Windows Vista. Even the level of security alerts is lower than XP:

Image

There are other technologies like Kernel Patch Protection (protects code and critical structures in the Windows kernel from modification), User Account Control (Microsoft called UAC one of the "most controversial" features of Vista for the thousands of unnecessary prompts for each system change) and others on the way for Windows 7:

http://windowsteamblog.com/blogs/window ... force.aspx

But those technologies are immature and problematic, and the better ones are aimed at Server versions (the expensive line) and future releases (x64 architectures) and are not available for end users using standard Windows versions.

That's why Linux, which is based on BSD Unix at its heart, is fundamentally safer. It was designed as a multi-user, networked system to support Server machines.

clarf

PaulBx1
Posts: 2312
Joined: Sat 17 Jun 2006, 03:11
Location: Wyoming, USA

#37 Post by PaulBx1 »

Perhaps I wasn't clear. If you haven't mounted any partitions you'll have nowhere to save the pupsave file. So if you boot a live-CD as puppy pfix=ram and you have no pupsave, there is nothing writable on the CD to change.
Yes, but who uses Puppy this way? Almost everyone full installs it or uses pupsaves or multisessions. Pfix=ram is a diagnostic function, not the way people work normally. OK, maybe for online banking, it might make sense to put up with the inconvenience, but that would be about it. And that wouldn't protect you from malware that came in during that same session.

Multisession ability to throw away the last sessions does not help you if the malware is quiet. A keylogger for example. You have to KNOW there is a problem, to throw away sessions.

No, I think this claim that Puppy's liveCD nature protects it, is almost completely bogus. The instant unionfs allowed everything to be writable, that evaporated. Even before then, certain directories could harbor malware. But now when you run the "ls" command, who knows what you are really doing?

Maybe we need to make that "tripwire" program a standard feature of Puppy. It would also be nice if we could control the directories that are writable. That is, nothing is writable in e.g. /bin unless we give a go-ahead first. And the directory where tripwire is located is not writable at all (comes only from the CD).

This may be a bit too tinfoil-hat-like for Barry though. :wink:

BTW, if you go look at the release notes for each version of OpenBSD, it's amazing how many vulnerabilities they plug each release, and they have been focusing on security for a very long time. Linus even called them a bunch of masturbating monkeys. :lol: One would think they'd run out of vulnerabilities at some point, but I guess not...
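The checksum database Bruce B describes in #32 and the tripwire-style check suggested in #37, sketched as an added example that is not code from any poster in this thread or from the Tripwire program. It assumes SHA-256 in place of md5sum, and the directory tree, file names and `baseline.json` location are constructed for the demonstration; in real use the baseline and the checker would sit on media the running system cannot write to, as #37 points out.

```python
import hashlib, json, os, tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Return {relative path: [fingerprint, permission bits]} for files under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not (os.path.islink(full) or os.path.isfile(full)):
                continue                      # skip sockets, FIFOs, device nodes
            mode = os.lstat(full).st_mode & 0o7777   # keeps setuid/setgid bits
            # A symlink is recorded by its target and never followed.
            fingerprint = ("symlink:" + os.readlink(full)
                           if os.path.islink(full) else sha256_of(full))
            db[os.path.relpath(full, root)] = [fingerprint, mode]
    return db

def compare(baseline, current):
    """Report new, deleted and changed paths, the three categories from #32."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }

def demo():
    """Constructed sample tree: baseline it, alter it, report the differences."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as safe:
        os.mkdir(os.path.join(root, "bin"))
        path = lambda name: os.path.join(root, "bin", name)
        for name in ("ls", "ps", "su"):
            with open(path(name), "w") as f:
                f.write("original " + name + "\n")
            os.chmod(path(name), 0o755)
        db_file = os.path.join(safe, "baseline.json")  # stands in for read-only media
        with open(db_file, "w") as f:
            json.dump(snapshot(root), f)
        with open(path("ls"), "a") as f:       # content change
            f.write("appended\n")
        os.remove(path("ps"))                  # deletion
        os.chmod(path("su"), 0o4755)           # setuid bit added, content untouched
        with open(path("newtool"), "w") as f:  # new file
            f.write("x\n")
        with open(db_file) as f:
            return compare(json.load(f), snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A check like this only reports that something changed after the baseline was taken; it says nothing about whether the baseline itself was clean.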

drongo
Posts: 374
Joined: Sat 10 Dec 2005, 23:35
Location: UK

pfix=ram

#38 Post by drongo »

Who uses Puppy this way? Well I do, a lot of the time, depending on which machine I am using. I have never done a full or frugal install of Puppy in the five years or so I have been using it.

It always surprises me when people on this Forum claim to know how everyone else uses Puppy. You don't know, I don't know, Barry doesn't know, nobody knows. I have no idea if most people use full, frugal, multi-session or whatever. It started life as a live-CD and that is mostly how I use it. Some machines I use may have a pupsave, but most don't.

I don't know what the rest of you do, I suspect some of the longer-term users still use pfix=ram. But I really don't know, and neither does anybody else.

If I use pfix=ram I don't need the tin-foil hat.

I don't do online banking and probably never will.

sikpuppy
Posts: 415
Joined: Sun 29 Mar 2009, 05:54

#39 Post by sikpuppy »

If linux had a unified set of default software and settings, as does Windows, it would be just as insecure (or secure).

Because each installation of Linux differs by at least some degree, unless it's on identical computers, any malware doesn't have much of a chance to propagate beyond that same setup.

I suppose I get a bit tired of people claiming Linux is so secure that it never gets hacked, because in fact it does get hacked, and for the reason I mentioned before. Large corporations and governments who use Linux often have many identical machines, running identical Linux setups. Since they are all up to the same "patch" level for vulnerabilities then it stands to reason that they are all vulnerable.

However, for the average user on a small network this generally isn't an issue, and that is a reason I can see that people feel (for the wrong reasons) that Linux is necessarily more secure than Windows.
ASUS A1000, 800Mhz PIII Coppermine!, 192Mb RAM, 10Gb IBM Travelstar HDD, Build date August 2001.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#40 Post by Sylvander »

1. "I don't do online banking and probably never will."
There's no way I'd be without my online banking; it's just so convenient.
The stuff I can do with it is just SUPERB! [Just like Puppy]

When I went looking for a more secure operating system than Windows, to use for online banking...
A friend suggested I give Puppy Linux a try.
I'd tried a number of Linux distros, and Puppy was the 1st that made me want to stay with it; with the others it seemed to me like pulling teeth just to get the simplest things done.

I'm happy that the techniques I use in conjunction with Puppy provide an adequate level of security.
