On Wed, Dec 02, 2009 at 02:48:09PM +0000, Michal wrote: > If you think your safe because you run Linux then please step away from > computers. ... Yes, but with qualifications. The problem with Windows has been, and generally is, that the user usually runs with elevated privileges--compromise that user, you compromise the entire OS. Microsoft tried (clumsily) to batten down that hatch with Vista--got fried for it (among many other shortcomings), and with Windows 7 has loosened security again, to the point the problem is back. Linux (or Unix) isn't immune to any program that a cracker can get you to run (Trojans). What it *is* generally immune to is system-wide corruption of the OS, since privilege separation is native to the OS model. That is, if you only run as user 'foobar', and are tricked into running a trojan, YOU, as user foobar, are infested. If security is properly configured, you can't modify general OS files. Now, there are caveats all OVER the place. First, there are almost certainly people out there who run as root. All bets are off in that case--they get compromised, the box is compromised. Secondly, once you (as the bad guy) get a user to run something for you, you can start poking at the system itself. In this case, you're looking for a flaw in the system security itself--either misconfiguration, or an actual hole in some program or service that a normal user can run or use. Much harder than Windows, but such flaws have been encountered in the past. Failure on the user's part to maintain updates helps this kind of attack; the probability of a zero-day or longer term unknown flaw is low, and the Linux developer community is very responsive to repairing security-related bugs as they're discovered. SO--Linux provides a deeper level of protection through integral privilege separation than Windows. While no OS is unbreakable, the barrier IS higher for Linux. You can help it--run as an unpriviliged user except when necessary. Don't put in hacks that make it easy to elevate to root without a password. Maintain your updates. Cheers, -- Dave Ihnat dihnat@xxxxxxxxxx -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
