
Security of Ubuntu, its Flavors, and Solus OS


15 replies to this topic

#1 brijeshio

  • Members

Posted 04 September 2017 - 05:28 AM

I recently moved on to Ubuntu since it's open source, Linux-based and faster. But then I thought to myself:
 
Question 1: Are open source OS's like Ubuntu, its flavors, and Solus OS safe to use?
 
Question 2: Are they tested by security experts? Has a real security expert or firm ever gone through the whole source code and tested it for vulnerabilities?
 
Question 3: Have the results been publicly published?
 
Question 4: Are there security experts who vouch for them being safe to use?
 
Question 5: Which one is safest: Ubuntu, Kubuntu, Ubuntu Mate, Xubuntu, or Solus OS?
 
Ubuntu, its Flavors and Solus OS
 
The developers will always call their OS secure. My question here is whether there are any security experts or security houses taking responsibility to check them for security on a time to time basis.
 
Considering that there's a very large community around Ubuntu, just like WordPress, security bugs may always get known easily and fixed. But what about its flavors? This is where it gets a bit questionable. And specifically, the Solus OS which has been written from scratch.
 
Regards,
Brijesh
 
PS. This is my first post here.  :)




#2 NickAu

    Bleepin' Fish Doctor

  • Moderator

Posted 04 September 2017 - 05:58 AM

Linux security is a myth for the most part.
 

Considering that there's a very large community around Ubuntu, just like WordPress, security bugs may always get known easily and fixed. But what about its flavors?

Distros like Kubuntu, Xubuntu and Ubuntu MATE all get their updates and patches from Ubuntu. All these Buntu distros are basically Ubuntu with a different desktop environment and some tweaks.
 
No operating system is 100% secure, the only reason Linux is considered secure is because Windows exe's can't run in Linux and there isn't much profit in creating Linux malware, also most Linux users are a bit more PC savvy than their Windows counterparts. We don't for example just open attachments in email and because of the repos we don't need to download dodgy software from some site.


Ps

Hi and welcome

Edited by NickAu, 04 September 2017 - 06:45 AM.
Add PS


#3 Gary R

    MRU Admin

  • Malware Response Team

Posted 04 September 2017 - 07:18 AM

Linux per se, is no more, and no less secure than any other operating system.

 

All operating systems can be exploited, because they all contain code which was written by people, and on average they reckon that a person will make at least one error for every 1000 lines of code they write.

 

Since there are 100s of millions of lines of code in the typical OS, then that means there are 100s of thousands of "potentially" exploitable code lines.

 

What determines whether they actually get exploited is ....

 

  • the pay off for the exploiter (how many people will he be able to target and therefore profit from)
  • the length of time an exploit is likely to remain unpatched once it is discovered

 

Since Linux has a very small market share, when compared to the other mainline OSs, it has traditionally not been targeted by the majority of Malware writers, since the pay off has not been considered to be worth the effort. Whether that remains the case in future is impossible to determine.

 

In any case, having "professional" security people look at an OS, has never made any other OS secure, as can be seen by the fact that Windows is still heavily exploited, and over the years, that OS has had innumerable security audits and improvements.

 

The major determining factor, when looking at whether someone's machine gets exploited or not, is their browsing habits, not their OS, and not which security products they use. A careless User will pick up infections on even the most tied down system, whereas a careful one can often remain uninfected, even with an open one.



#4 MadmanRB

    Spoon!!!!

  • Members

Posted 04 September 2017 - 06:39 PM

Well to be clear no OS is bulletproof, however I will say Linux security is still fairly good.

There is no adware, spyware, or viruses on Linux but browser hijacks can happen and Linux is not fully immune to security issues.

Really though the only way to be 100% safe is to lock your computer in a room protected by a Faraday cage disconnected from the internet and the door made of solid steel with a complicated lock system on the level of Fort Knox.

But I will say Ubuntu and its variants are still very good, for a newcomer to Linux however I suggest Linux Mint due to its Windows-like interface and general ease of use and is based on the Ubuntu family.


You know you want me baby!

Proud Linux user and dual booter.

Proud Vivaldi user.



#5 pcpunk

  • Members

Posted 04 September 2017 - 07:40 PM

Really though the only way to be 100% safe is to lock your computer in a room protected by a Faraday cage disconnected from the internet and the door made of solid steel with a complicated lock system on the level of Fort Knox.

I think this is what I'll do tonight! LOL!



 

KDE, Ruler of all Distro's

eps2.4_m4ster-s1ave.aes_pcpunk_leavemehere

 


#6 brijeshio

  • Topic Starter

  • Members

Posted 05 September 2017 - 03:50 AM

Linux security is a myth for the most part.
 

Considering that there's a very large community around Ubuntu, just like WordPress, security bugs may always get known easily and fixed. But what about its flavors?

Distros like Kubuntu, Xubuntu and Ubuntu MATE all get their updates and patches from Ubuntu. All these Buntu distros are basically Ubuntu with a different desktop environment and some tweaks.
 
No operating system is 100% secure, the only reason Linux is considered secure is because Windows exe's can't run in Linux and there isn't much profit in creating Linux malware, also most Linux users are a bit more PC savvy than their Windows counterparts. We don't for example just open attachments in email and because of the repos we don't need to download dodgy software from some site.


Ps

Hi and welcome

 

 

Okay. After my first 3 days (yes, I got introduced to Linux just 3 days back) I have understood that Linux is a lot more secure because of the way it functions and that users don't have to install random software.
 
But my question here is a bit different. Are there any security houses going through the whole source code? Also, is it tested for vulnerabilities?
 
Thank you Nick.
 

 

Linux per se, is no more, and no less secure than any other operating system.

 

All operating systems can be exploited, because they all contain code which was written by people, and on average they reckon that a person will make at least one error for every 1000 lines of code they write.

 

Since there are 100s of millions of lines of code in the typical OS, then that means there are 100s of thousands of "potentially" exploitable code lines.

 

What determines whether they actually get exploited is ....

 

  • the pay off for the exploiter (how many people will he be able to target and therefore profit from)
  • the length of time an exploit is likely to remain unpatched once it is discovered

 

Since Linux has a very small market share, when compared to the other mainline OSs, it has traditionally not been targeted by the majority of Malware writers, since the pay off has not been considered to be worth the effort. Whether that remains the case in future is impossible to determine.

 

In any case, having "professional" security people look at an OS, has never made any other OS secure, as can be seen by the fact that Windows is still heavily exploited, and over the years, that OS has had innumerable security audits and improvements.

 

The major determining factor, when looking at whether someone's machine gets exploited or not, is their browsing habits, not their OS, and not which security products they use. A careless User will pick up infections on even the most tied down system, whereas a careful one can often remain uninfected, even with an open one.

 

You have made some valid points Gary, thanks!

 

But, isn't a security system (software) meant to protect such 'careless users'? Since a user may not always know what he/she is browsing, downloading, or engaging with.

 

 

Really though the only way to be 100% safe is to lock your computer in a room protected by a Faraday cage disconnected from the internet and the door made of solid steel with a complicated lock system on the level of Fort Knox.

 

But I will say Ubuntu and its variants are still very good, for a newcomer to Linux however I suggest Linux Mint due to its Windows-like interface and general ease of use and is based on the Ubuntu family.

 

Hahahaha.
 
Yes, Linux Mint (Cinnamon edition) looks fantastic, and that is the next one I am trying out. Thanks Madman.  :bananas:

Edited by brijeshio, 05 September 2017 - 03:54 AM.


#7 Gary R

    MRU Admin

  • Malware Response Team

Posted 05 September 2017 - 04:32 AM

 

But, isn't a security system (software) meant to protect such 'careless users'? Since a user may not always know what he/she is browsing, downloading, or engaging with.

 

To be sure, it's never a bad idea to have a reasonable level of security, and to that end, installing security software will reduce your risk of contracting an infection.

 

However, too many people think that by installing security software, they are "immune" from attack, and can therefore browse without caution.

 

Security software reduces your exposure to malware, it does not (and never will), totally eliminate your risk from it.

 

I have worked on a number of help forums, for the last 12 years or so, and I have removed infections from a large number of different machines. Practically all of them had security software installed.

 

 



#8 mremski

  • Members

Posted 05 September 2017 - 05:10 AM

Computer security, on any operating system is very much like "gun safety".  It starts between your ears.

Your mindset, your understanding of your system, your paying attention to what you are doing. 

Start with a default deny stance and turn things on as you need them.

 

Linux has been submitted for security evaluations to the US Federal government more than a few times and some distributions have gotten accepted.  I'd guess that other distributions have been looked at by European governments, probably even the EU.  Of course doing an internet search for "linux security evaluation" may lead you to a bunch of information to make your own discrimination.

 

The easiest thing to do on Linux that increases your security:  don't run as root, run as a normal user with normal privileges.  That greatly reduces the attack surfaces available.  If you are not running a server, turn off servers (sendmail, dns, ntp, etc) or at least know the difference between Internet facing and localhost only.

 

Security software ("antivirus/antimalware") is exactly as Gary says:  minimize exposure, but it can't eliminate it.


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer
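The "Internet facing versus localhost only" distinction from the post above, as an added example that is not part of the original post: a small filter that labels each listening TCP socket as loopback-only or reachable from the network. It assumes input in the format printed by `ss -H -tln`; the sample lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify TCP listeners as loopback-only or network-reachable.
# Assumed input format: `ss -H -tln` (State Recv-Q Send-Q Local-Address:Port Peer).

# Constructed sample resembling a desktop that still runs a mail and SSH server.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 [::1]:631 [::]:*
EOF
}

# Reads ss lines on stdin, prints "<scope> <address> <port>" per listener,
# where scope is "loopback" (127.0.0.0/8 or ::1) or "exposed" (anything else,
# including the wildcard addresses 0.0.0.0, :: and *).
classify_listeners() {
    awk '
    $1 == "LISTEN" {
        local_addr = $4
        # The port follows the last colon; the address is everything before it.
        match(local_addr, /:[^:]*$/)
        addr = substr(local_addr, 1, RSTART - 1)
        port = substr(local_addr, RSTART + 1)
        sub(/%.*/, "", addr)      # drop an interface scope such as %lo
        gsub(/\[/, "", addr)      # drop IPv6 brackets
        gsub(/\]/, "", addr)
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        printf "%s %s %s\n", scope, addr, port
    }'
}

# Number of listeners that other machines on the network can reach.
count_exposed() {
    classify_listeners | awk '$1 == "exposed" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; on a real machine use:
#   ss -H -tln | classify_listeners
sample_ss_output | classify_listeners
if [ "$(id -u)" -eq 0 ]; then
    echo "note: this shell is running as root; use a normal user for daily work"
fi
```

Each "exposed" line is a service to either switch off or deliberately keep; a "loopback" line is only reachable from the machine itself.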


#9 NickAu

    Bleepin' Fish Doctor

  • Moderator

Posted 05 September 2017 - 04:44 PM

When it comes to "security software" on Linux I prefer to lock down my browser with things like NoScript, ad blockers, pop-up blockers, etc. I do not bother with anti-virus/anti-malware.



#10 Mike_Walsh

    Bleepin' 'Puppy' nut..!!

  • Members

Posted 06 September 2017 - 07:22 AM

Mm-hm. I agree with all that's been said here.

 

Security of a Linux system boils down to two things. One, the way in which the permissions system works is a lot tighter than Windows will ever be.....although, as mremski says about security software, it only minimizes possible attack surfaces. It doesn't eliminate them.

 

And two, the biggest risk to any system (Windoze, Mac, Linux, even BSD.....it matters not) is the idiot sitting in front of the keyboard. What helps here is that a high percentage of Linux users tend to be somewhat more 'tech-savvy' than the majority of Windows users. You almost need to be, in order to get Linux running on your machine in the first place; with very few exceptions, you can't just pop down to your local store and pick up a PC with Linux pre-installed.

 

And with that 'savvy', comes the fact that these individuals tend to understand the implications of what they're doing, to a far greater degree than the average Joe on the street.....  :scratchhead:

 

 

Mike.  :wink:


Edited by Mike_Walsh, 06 September 2017 - 07:28 AM.

Distros:- Multiple 'Puppies'..... and Anti-X 16.1

My Puppy BLOG ~~~  My Puppy PACKAGES

Compaq Presario SR1916UK; Athlon64 X2 3800+, 3 GB RAM, WD 500GB Caviar 'Blue', 32GB Kingspec PATA SSD, 3 TB Seagate 'Expansion' external HDD, ATI Radeon Xpress 200 graphics, Dell 15.1" pNp monitor (1024 x 768), TP-Link PCI-e USB 3.0 card, Logitech c920 HD Pro webcam, self-powered 7-port USB 2.0 hub

Dell Inspiron 1100; 2.6 GHz 400FSB P4, 1.5 GB RAM, 64GB KingSpec IDE SSD, Intel 'Extreme' graphics, 500GB Seagate 'Expansion' external HDD, M$ HD-3000 'Lifecam'.

 


 

 


#11 DeimosChaos

  • BC Advisor

Posted 06 September 2017 - 08:46 AM

One thing I'll add, going off what Gary mentioned with locked down computers still getting viruses, the reason behind that is, most virus protection software is signature based. Which means that each malicious item has a specific hash that an antivirus program can pick up on. If that hash changes then it won't know it's malicious and it's pretty easy to change the hash of a virus. Thankfully, as stated before, there haven't been many viruses written for Linux as it's just not worth it. There have been plenty of other security bugs though, but typically they get patched fairly quickly once found.

 

As Nick pointed out, with Linux you want to focus on locking down your browser, Ad blockers, etc etc. And as long as you don't have any random ports open on your router to the outside world, you should be pretty good.


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#12 buddy215

  • Moderator

Posted 06 September 2017 - 08:50 AM

When it comes to "security software" on Linux I prefer to lock down my browser with things like NoScript, ad blockers, pop-up blockers, etc. I do not bother with anti-virus/anti-malware.

Right on!

 

You only have to look at all the malware and adware that Android is being hit with to know that Linux is vulnerable and it is because of the huge amount of users of Android that it is being attacked by criminals.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#13 Gary R

    MRU Admin

  • Malware Response Team

Posted 06 September 2017 - 09:38 AM

One thing I'll add, going off what Gary mentioned with locked down computers still getting viruses, the reason behind that is, most virus protection software is signature based. Which means that each malicious item has a specific hash that an antivirus program can pick up on. If that hash changes then it won't know it's malicious and it's pretty easy to change the hash of a virus. Thankfully, as stated before, there haven't been many viruses written for Linux as it's just not worth it. There have been plenty of other security bugs though, but typically they get patched fairly quickly once found.

 

As Nick pointed out, with Linux you want to focus on locking down your browser, Ad blockers, etc etc. And as long as you don't have any random ports open on your router to the outside world, you should be pretty good.

 

A lot of AV programs now use heuristic analysis to minimise the limitations of a signature only based detection system, however heuristics are prone to generating false positives, so it's advisable to check any detection that is generated this way before you take any action.

 

Sandboxing any web facing programs can be a useful way to protect your OS, and Firejail is available for most Linux versions.

 

http://www.makeuseof.com/tag/firejail-simple-way-improve-security-linux/
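The two detection points made in posts #11 and #13, as an added example that is not part of either post: an exact-hash signature stops matching when a single byte of a file differs, while a looser content rule still matches but also flags a harmless file. The content rule here is a plain substring match standing in for heuristic detection, which is an assumption of this example; all files, the marker string and the function names are constructed, and nothing here is real malware.

```shell
#!/bin/sh
# Added example; every "sample" below is harmless constructed text.

MARKER='constructed-test-marker-1234'   # stand-in for content a looser rule keys on

# Create four constructed files in directory $1.
make_samples() {
    printf 'HEADER %s build=1\n' "$MARKER" > "$1/known"     # the catalogued sample
    printf 'HEADER %s build=2\n' "$MARKER" > "$1/variant"   # same content, one byte differs
    printf 'Meeting notes for Tuesday\n' > "$1/clean"       # unrelated file
    printf 'Write-up quoting %s\n' "$MARKER" > "$1/report"  # benign, mentions the marker
}

sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# Exact-hash signature: hit only if the file's SHA-256 is listed in blocklist $2.
hash_hit() { grep -qxF "$(sha256_of "$1")" "$2"; }

# Looser content rule: hit if the marker appears anywhere in the file.
pattern_hit() { grep -qF "$MARKER" "$1"; }

# Prints which layer flagged file $1: "hash", "pattern" or "none".
verdict() {
    if hash_hit "$1" "$2"; then
        echo hash
    elif pattern_hit "$1"; then
        echo pattern
    else
        echo none
    fi
}

# Builds the samples, blocklists only the known one, prints a verdict per file.
scan_demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    sha256_of "$dir/known" > "$dir/blocklist"
    for f in known variant clean report; do
        printf '%-8s %s\n' "$f" "$(verdict "$dir/$f" "$dir/blocklist")"
    done
    rm -rf "$dir"
}

scan_demo
```

The `variant` file is missed by the hash layer and caught only by the content rule, and `report` is the false positive: a detection from the looser layer that needs checking before any action is taken.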

 

 



#14 MadmanRB

    Spoon!!!!

  • Members

Posted 06 September 2017 - 10:48 AM

When it comes to "security software" on Linux I prefer to lock down my browser with things like NoScript, ad blockers, pop-up blockers, etc. I do not bother with anti-virus/anti-malware.

Right on!

 

You only have to look at all the malware and adware that Android is being hit with to know that Linux is vulnerable and it is because of the huge amount of users of Android that it is being attacked by criminals.

 

 

Well in the case of Android the issue is more how Android is laid out rather than it being based on Linux.

Android only has root accounts and everything on it is meant to be easily accessed as it's a smartphone OS.

If it were more like say Ubuntu then it would have a better security platform as Ubuntu typically uses repositories and asks for administrator passwords.

Plus the malware is based on exploits more based off Android's framework which is another kettle of fish separate from Linux.

Sure the Linux kernel isn't immune to bugs or exploitation but most of the issues found on Android are more due to Google not taking the Apple approach of locking the whole OS down.

This is both a good thing and bad thing of course.


You know you want me baby!

Proud Linux user and dual booter.

Proud Vivaldi user.



#15 The-Toolman

  • Members

Posted 06 September 2017 - 11:36 AM

Well in the case of Android the issue is more how Android is laid out rather than it being based on Linux.

Android only has root accounts and everything on it is meant to be easily accessed as it's a smartphone OS.

If it were more like say Ubuntu then it would have a better security platform as Ubuntu typically uses repositories and asks for administrator passwords.

 

 

I agree MadmanRB, just too many unsecured sources on Android to download software apps, not to mention all of the unsecured social media crap on Android.


"Under certain circumstances, profanity provides a relief denied even to prayer."

(Mark Twain)
 

"Inspiration can be found in a pile of junk. Sometimes, you can put it together with a good imagination and invent something."

(Thomas Edison)




