Qns on linux security frm windows users :::Help !!! - Security


  1. Qns on linux security frm windows users :::Help !!!

    hi,

    I've been using linux for a long time and have been trying to *popularize*
    it. But can anyone help me with some questions which windows users asked me...???

    1. Since the source is open, can't people introduce trojans and spyware in
    the main source code itself, taking away our personal info? (I'm not saying
    windows doesn't have such code)

    2. Is there any other feature which protects itself from viruses other than
    the denial of the execution permission? (not talking about 3rd party
    antiviruses)

    3. Since the *making* of the linux apps involves the open source community
    as a whole, how can they follow a good well defined process to generate a
    *good* code? which can lead to security holes and other problems?

    Thanks in advance....




  2. Re: Qns on linux security frm windows users :::Help !!!

    On 08.09.2006, Arvin wrote:
    > hi,
    >
    > I've been using linux for a long time and have been trying to *popularize*
    > it.


    I doubt that you use Linux. -> User-Agent.

    > But can anyone help me with some questions which windows users asked me...???
    >
    > 1. Since the source is open, can't people introduce trojans and spyware in
    > the main source code itself, taking away our personal info? (I'm not saying
    > windows doesn't have such code)


    Try guessing.

    > 2. Is there any other feature which protects itself from viruses other than
    > the denial of the execution permission? (not talking about 3rd party

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    > antiviruses)


    WTF?

    > 3. Since the *making* of the linux apps involves the open source community

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    > as a whole,

    ^^^^^^^^^^

    What do you mean?

    > how can they follow a good well defined process to generate a
    > *good* code? which can lead to security holes and other problems?


    --
    Some people like dozzie...
    Of course, we respect them.
    Stanislaw Klekot

  3. Re: Qns on linux security frm windows users :::Help !!!

    On Fri, 8 Sep 2006 17:10:20 +0530, Arvin wrote:
    >
    > 2. Is there any other feature which protects itself from viruses other than
    > the denial of the execution permission? (not talking about 3rd party
    > antiviruses)


    Linux development is driven by technical people, who will nix
    any proposal that damages security. Windows development is driven
    by marketing people, who will throw security overboard if doing
    so will let businessmen put dancing pigs in their PowerPoint
    presentations.

    In 2000, my coworker Josh discussed some problem at great length
    with Microsoft support people. When Microsoft suggested "solving"
    the problem by simply always running with administrator privileges,
    Josh asked about situations where you don't want everybody running
    with administrator privileges. The response was, "What sort of
    situations are those? Everybody here always runs with admin
    privileges."

    > 3. Since the *making* of the linux apps involves the open source community
    > as a whole, how can they follow a good well defined process to generate a
    > *good* code? which can lead to security holes and other problems?


    Unfortunately, it seems that most of the open-source community
    believes in "self-documenting code". I've even encountered the
    claim that comments are bad because they can get out of date
    and mislead the reader, whereas studying the code can only lead
    to true enlightenment. I wonder whether the people who say
    this use descriptive variable names, which might be misleading.
    In any event, it saves the trouble of testing: if the only
    statement of what a subroutine should do is the code itself,
    then every compilable subroutine is ipso facto correct.

    On the other hand, I've never seen any Microsoft source code.

  4. Re: Qns on linux security frm windows users :::Help !!!

    Arvin wrote:
    > I've been using linux for a long time and have been trying to *popularize*
    > it. But can anyone help me with some questions which windows users asked me...???
    >
    > 1. Since the source is open, can't people introduce trojans and spyware in
    > the main source code itself, taking away our personal info? (I'm not saying
    > windows doesn't have such code)


    The source is open in the sense that anybody can read it. But any specific
    distribution package of the code has to be made by somebody, and that
    person or group serves as gatekeeper, deciding what changes will be
    incorporated and what will not. For the kernel, Linus Torvalds had that
    function by himself for a number of years; now it is essentially done by
    a small group. But if a distribution--the actual packages people install--
    acquires a reputation for instability, it will disappear quickly.

    So the short answer is that "open source" doesn't mean anybody gets to
    change the software that everybody else uses. It means lots of people
    are able to review and discuss openly what does change.

    > 2. Is there any other feature which protects itself from viruses other than
    > the denial of the execution permission? (not talking about 3rd party
    > antiviruses)


    I don't think Linux has special antivirus capabilities, but the
    general UNIX model of not running with more privileges than necessary,
    which is very slowly becoming the norm in Windows systems, has
    helped Linux a lot. Still, if you run a Linux desktop system as root,
    you're asking for trouble. But most Linux users simply don't.

    Many of the early vulnerabilities of both UNIX and Windows came from
    applications trusting each others' data too much. Both systems have
    changed a lot since the early 1990s, and the biggest changes have been
    in checking carefully the data that are exchanged.

    > 3. Since the *making* of the linux apps involves the open source community
    > as a whole, how can they follow a good well defined process to generate a
    > *good* code? which can lead to security holes and other problems?



    Widespread code review and actual use is better than any methodological system.
    Cheaper, too. Moreover, there's nothing to prevent Linux developers from
    using a systematic process to develop code.


    Peter
    --
    Peter N. Schweitzer (MS 954, U.S. Geological Survey, Reston, VA 20192)
    (703) 648-6533 FAX: (703) 648-6252 email: pschweitzer@usgs.gov


  5. Re: Qns on linux security frm windows users :::Help !!!

    In comp.os.linux.security Arvin :
    > hi,


    > I've been using linux for a long time and have been trying to *popularize*


    Sure:
    X-Newsreader: Microsoft Outlook Express 6.00.2800.1807

    > it. But can anyone help me with some questions which windows users asked me...???


    > 1. Since the source is open, can't people introduce trojans and spyware in
    > the main source code itself, taking away our personal info? (I'm not saying
    > windows doesn't have such code)


    How long would it take for someone to find out? How would they
    get it into the code? Usually only a few people who know each
    other have write permission to some project source tree. Any one
    else submits his patch to the maintainers.

    The kernel source itself has for some time used a system where all
    patches have to be signed by some core developer. But the reason
    for it has nothing to do with viruses.

    > 2. Is there any other feature which protects itself from viruses other than
    > the denial of the execution permission? (not talking about 3rd party
    > antiviruses)


    No *nix MTA will execute some binary, you have to save it, change
    permissions and execute it.

    Users with a little brain who don't run their systems as root and
    don't take the steps to execute something that came by mail from
    an unknown source, just because it promised a spectacular view of some
    giant breasts or so...

    > 3. Since the *making* of the linux apps involves the open source community
    > as a whole, how can they follow a good well defined process to generate a
    > *good* code? which can lead to security holes and other problems?


    Sorry, this doesn't make much sense to me.

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 389: /dev/clue was linked to /dev/null
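
The behaviour described in the post above (a saved attachment cannot be executed until someone deliberately changes its permissions), as an added shell example that is not part of the original post. The file name and script contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. File names and script contents are constructed for the demo.

# Save data the way a mail client saves an attachment: a plain write.
# New files get mode 0666 masked by umask, so no execute bit is ever set,
# whatever the sender intended.
save_attachment() {
    ( umask 022
      printf '#!/bin/sh\necho "attachment ran"\n' > "$1" )
}

# Succeed if any execute bit (user, group or other) is set on the file.
has_exec_bit() {
    case "$(ls -ld -- "$1" | cut -c2-10)" in
        *[xst]*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Try to execute the file directly and return the exit status.
# 126 means "found but not executable": the kernel refused the exec.
try_run() {
    ( "$1" ) >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/constructed_attachment.sh"
    save_attachment "$f"
    if has_exec_bit "$f"; then echo "execute bit set"; else echo "no execute bit"; fi
    rc=0; try_run "$f" || rc=$?
    echo "before chmod: exit status $rc"
    chmod u+x "$f"     # the deliberate step the recipient has to take
    rc=0; try_run "$f" || rc=$?
    echo "after chmod:  exit status $rc"
    rm -rf "$dir"
}

demo
```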

  6. Re: Qns on linux security frm windows users :::Help !!!

    Peter Pearson wrote:

    > Unfortunately, it seems that most of the open-source community
    > believes in "self-documenting code". I've even encountered the
    > claim that comments are bad because they can get out of date
    > and mislead the reader, whereas studying the code can only lead
    > to true enlightenment. I wonder whether the people who say
    > this use descriptive variable names, which might be misleading.
    > In any event, it saves the trouble of testing: if the only
    > statement of what a subroutine should do is the code itself,
    > then every compilable subroutine is ipso facto correct.
    >
    > On the other hand, I've never seen any Microsoft source code.

    Oh boy, Microsoft source code is fully commented and easy to understand
    -- NOT!
    Actually, most of the Linux code I have looked at is pretty well
    commented. After all one does not need to add a comment to code like this:
    int a = 5; // set a to five
    This is indeed self commenting. If one needs a comment it might be why
    five? A is an iterator and for xxxx reason we need to do the loop five
    times because xxxx. Comments should describe the algorithm not the code
    (IMHO).
    --
    ----------------
    Barton L. Phillips
    Applied Technology Resources, Inc.
    Tel: (818)652-9850
    Web: http://www.applitec.com

  7. Re: Qns on linux security frm windows users :::Help !!!

    Arvin wrote:
    > hi,
    >
    > I've been using linux for a long time and have been trying to *popularize*
    > it. But can anyone help me with some questions which windows users asked me...???
    >
    > 1. Since the source is open, can't people introduce trojans and spyware in
    > the main source code itself, taking away our personal info? (I'm not saying
    > windows doesn't have such code)


    Ask your Windows friends to try and actually introduce one of those
    trojans in the Fedora or Ubuntu or Suse or Debian distribution that
    *I* use ... Or in Firefox, etc. etc.

    Or ask them this: given that everyone has access to the Windows
    binary code, can't people modify those executables or the embedded
    strings, etc., to introduce Trojans and spyware?? (Hint: a
    *minimally skilled* hacker could modify the binaries at will to
    make them do whatever he/she wants them to do. The thing is,
    can that hacker modify the binary version of Windows that *you*
    run on *your* machine??)

    For additional enlightenment on the issue of open vs. closed source
    on security, check out:

    http://www.dwheeler.com/secure-progr...-security.html

    (if your newsreader splits the above link into two lines, put it
    together with copy-n-paste, or simply type it in the address bar
    of your Internet Explorer -- which I assume is what you use)


    HTH,

    Carlos
    --

  8. Re: Qns on linux security frm windows users :::Help !!!


    Arvin wrote:
    > hi,
    >
    > I've been using linux for a long time and have been trying to *popularize*
    > it. But can anyone help me with some questions which windows users asked me...???
    >


    Honestly, these questions make you sound like a troll, but I'll bite
    anyhow, and give you my own take on these questions.

    > 1. Since the source is open, can't people introduce trojans and spyware in
    > the main source code itself, taking away our personal info? (I'm not saying
    > windows doesn't have such code)
    >


    Okay, some programmer somewhere writes a nifty little program. Doesn't
    really matter what it does, let's just call it Foo Deluxe. He writes
    it as an Open Source project under the GPL. Anybody can see the source
    code for it. He's still the only one who can publish source code in
    his repositories, but anybody can look at it. One day, the programmer
    decides to turn to the dark side and make his program steal personal
    information. The next day, a bunch of people see the new changes to
    the source code, and warn everybody not to use the program anymore.
    Somebody forks the project from the last non-evil version and everybody
    continues using the safe version, which gets packaged in all the
    distributions. Maybe somebody also writes a completely brand new
    replacement which is fully compatible, because they can see implicit
    documentation for all the file formats used.

    Just because the source code is available doesn't mean that they let
    just anybody have write permissions to the official source code
    repositories. If you are getting your versions of Open Source software
    from some disreputable third party, then they could mess with the
    software as easily as a disreputable distributor of closed source
    software.

    The alternate case is that some programmer makes Bar Deluxe as a closed
    source program, distributing only binaries. (The way most Windows
    applications are developed.) It becomes popular, just like Foo Deluxe,
    and this programmer also decides to turn evil. He makes it steal all
    sorts of personal information. People continue using it, because
    nobody can see all the source. Six months later, somebody discovers
    the security problem. Because there is no way to fork the closed
    source program, people continue using the evil version Bar Deluxe until
    somebody writes a completely new replacement from scratch. The
    replacement is only partly successful because Bar Deluxe used some
    proprietary file format that hasn't yet been reverse engineered and
    users don't want to lose their old data. A year after the discovery of
    the privacy problems, half of the users are still stuck using the evil
    Bar Deluxe.

    > 2. Is there any other feature which protects itself from viruses other than
    > the denial of the execution permission? (not talking about 3rd party
    > antiviruses)
    >


    Just good design. Viruses are almost never an issue on modern *nix
    platforms. If a bug is found that would allow some potential security
    vulnerability, it can get fixed very very quickly. Because users
    generally never run with full administrative privileges, any bad
    software a user might run on a *nix machine generally can't do any
    serious damage to the machine. Yes, it could delete some of the user's
    files, but there is no way to prevent the user from running an
    untrusted program that deletes their own files.

    > 3. Since the *making* of the linux apps involves the open source community
    > as a whole, how can they follow a good well defined process to generate a
    > *good* code? which can lead to security holes and other problems?
    >
    > Thanks in advance....


    Ummm? This doesn't make any sense at all. How can a factory which has
    wide open windows follow good safety practices while making widgets?
    Wouldn't a factory with no windows so that nobody can look in and see
    how things are done be safer? That's obviously wrong. A factory is
    much more likely to follow good safety practices if anybody walking by
    can see what they are doing.

    Likewise, a closed source software project is likely to have sloppy
    standards and practices, because nobody will ever know. Open source
    software *needs* really well defined standards for how to do things
    because if they didn't, nothing would ever get accomplished.

    Look at it this way... From time to time, a software company will
    announce that they are going to open source an existing software
    project. The first announcement is very seldom "here is the code."
    The first announcement is usually "we will be cleaning up the code for
    the next six months, and then we will let you all look at it." That's
    because Open Source has such high standards that most companies would
    be embarrassed if anybody actually saw their proprietary code.
    Seriously. I've been on both sides of closed / open source
    development. In a closed source situation, it doesn't matter how ugly
    something is because the customer will never know why it works so
    poorly. You can just blame some incompatible hardware or something if
    it doesn't work right on their system.

    And, even if we assume that all open source code starts out really bad.
    (Which is a stupid thing to assume, but we can do it for the sake of
    argument.) Well, then anybody can see the code. So, anybody can
    submit a patch to clean it up. The maintainers would have to *actively
    want* the code to be bad if they turn down all the patches to clean it
    up. And, even if that did happen (which it almost certainly wouldn't),
    the people who want to submit patches to clean up the quality of the
    code can just make their own little fork of the project, and everybody
    will start to use the cleaned up fork instead of the original. So,
    even if we assume all sorts of bad but really unlikely things, the open
    source process will still result in the code being cleaned up.


  9. Re: Qns on linux security frm windows users :::Help !!!

    "forkazoo" wrote in message
    news:1158172661.731428.191860@p79g2000cwp.googlegroups.com

    > ...
    > So, even if we assume all sorts of bad but really unlikely things,
    > the open source process will still result in the code being cleaned
    > up.


    "Post of the Year Award" candidate IMHO.

  10. Re: Qns on linux security frm windows users :::Help !!!

    forkazoo wrote:

    > If you are getting your versions of Open Source software
    > from some disreputable third party, then they could mess with the
    > software as easily as a disreputable distributor of closed source
    > software.


    Actually, no.

    Heaven knows what we could be victims of when we use
    closed source applications!! With open source, everything
    the applications do is publicly available, so they can't
    really mess with your machine or your data as easily as
    a disreputable closed source distributor could.

    Carlos
    --
