[Sheflug] Linux Security
- To: sheflug@xxxxxxxxxxxxxx
- Subject: [Sheflug] Linux Security
- From: John Southern <linuxtarragon@xxxxxxxxx>
- Date: Mon, 8 Jul 2024 10:37:12 +0100
- Delivery-date: Mon, 08 Jul 2024 10:37:58 +0100
Hi All,
The question on Saturday was over Windows being inherently more secure than
Linux and where I said the issue was really around the applications loaded
rather than the OS.
It was stated that using a Puppy Linux distribution allowed us to crack
Windows systems to then clean them of viruses, but that was harder on Linux
because of things such as LUKS.
I am still saying this is not an even playing field.
I believe if we have a LUKS encrypted system then we cannot recover the
data without the password. However, that surely is the same as saying the
Windows systems would have BitLocker on them. Both are then Full Disk
Encrypted. I am also fairly sure I have seen more BitLocker startup screens
than LUKS. So, on a like-for-like basis, is a LUKS enabled laptop any
stronger than a BitLocker enabled laptop? Or is a non-encrypted Linux
system more secure than a non-encrypted Windows system?
Remember we are trying to enter with a copy of Puppy Linux and fix it. That
means mounting the drive in question under Puppy Linux with ntfs-3g -t ntfs
otherwise it is read only. I am assuming we were either using chntpw to
recover a password, to then be able to sign onto that machine and start
virus removal or using ClamAV to run against the drive and remove any
viruses.
I do understand that we can have systems where the BIOS is hardware locked
using a one wire chip to prevent alternative boot devices, but that can
apply to both Linux and Windows systems. Linux could always have encrypted
file systems and even run SELinux, but there are equivalents for Windows
such as switching on Integrity levels. What I am saying is no one does
this. I have not seen SELinux used in anger since about 2010. I have used a
single system that needed a YubiKey under Linux and I do not own a YubiKey
for my devices.
I am happy for everyone to say they do encrypt everything they own, but in
every data centre I have been in this is not the case and every corporate
team I have been in, I am more likely to see BitLocker or FileVault than I
am to see a Linux laptop encrypted. That is usually because a corporate IT
department has issued laptops with BitLocker incorporated by default on the
Windows machines and FileVault on the Macs. In the cases where I have had a
corporate Linux laptop, I have been allowed to build it myself and it was
just a tool to get onto servers in a data centre. Effectively, a posh
terminal device and, because it had no data, encryption or SELinux was not
required.
At this point, you can tell I usually go for vanilla installs with hardly
any customisation. I am not even sure I fully trust RAID. I have used
commercial RAID systems at work for 20+ years. When they work, it is
fantastic. A disk drive dies, I get a warning, the actual device has a
warning light. I can pull the drive and replace and let it rebuild that
drive. Away we go and all is perfect. The caveats are it assumes I have
matching drives available. The cost for commercial disks is eye watering.
If a client is paying, I usually have a couple of disk bays ready as hot
swap spares. On small/medium sized businesses and home use, the chances are
they have not stumped up the money for the spare disks to be on hand. There
is a bit of a difference to having the exact same model of drive available
and trying to buy later after the drive firmware has been updated.
I also have cases where the RAID controller has died. It might be possible
to put in another controller, assuming it is the same. Assuming it is also
the same version of firmware. Even then it does not always work. I say that
with three 10K disks on my bench waiting for yet another P440ar controller
to arrive for a client.
When it comes to LUKS, I am not sure I want to risk everything to that tiny
part of the hard disk where the binary header file lives, because if that
goes, you are locked anyway.
Linux does have the obvious advantage that we are permissions based and so
it is harder for a virus to be triggered. We have relatively few viruses (I
am not counting Worms or rootkits as they are different for both OSes) but
we still have vulnerabilities. I still think that the main risk is with
poorly configured applications. I am not sure how many PHP vulnerabilities
we have had over the years, but equally so it is incredibly popular. It was
not that long ago, at the end of 2018, that Linux had the USB exploit where,
if an inserted USB device had a volume name enclosed in backticks, that name
would be run. `rm -rf` would have wiped a machine, but it could be crafted to
recover passwords.
However, Windows 11 by default uses TPM, so will a Puppy Linux boot on a
TPM machine? While we can switch on TPM under Linux I do not think that is
the default yet.
This means I think we have some questions.
1) Assuming you are able to get into a Windows system with a copy of Puppy
Linux, which therefore assumes no encryption, what is stopping the same if
it was Linux rather than Windows?
2) Does everyone honestly use encryption on every device they own?
3) Never mind how poorly I run my systems, what do you do on every single
device you have that is good practice for security that I should start
doing?
Regards
John
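The "tiny part of the hard disk where the binary header file lives" that John worries about is the LUKS header: it holds the cipher parameters, the master-key digest and the key slots, so losing it does lock you out even with the passphrase. The usual mitigation is to keep a copy of that region somewhere else (what `cryptsetup luksHeaderBackup` does) and to check the copy periodically. The script below is an added example, not code from the post, from cryptsetup or from any list member; it decodes a constructed LUKS1 header (the version 1 on-disk layout, big-endian fields, 592-byte fixed header followed by key material up to the payload offset) to show what the header contains, and copies and hashes the header-plus-key-material region the way a backup should. The sample header, its filler salts and digest, and the function names are all my own constructions; the payload offset is kept far smaller than a real volume's so the sample stays tiny.

```python
"""Added example: decode a LUKS1 header and snapshot the region a header backup must cover."""
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_HEADER_SIZE = 592        # 208 bytes of fixed fields + 8 key slots x 48 bytes
KEY_SLOT_ACTIVE = 0x00AC71F3   # LUKS1 key-slot state markers
KEY_SLOT_DISABLED = 0x0000DEAD
KEY_SLOTS = 8
SECTOR = 512


def _cstr(raw: bytes) -> str:
    """NUL-padded string field to str."""
    return raw.split(b"\0", 1)[0].decode()


def parse_luks1_header(data: bytes) -> dict:
    """Decode the fixed LUKS1 header. Raises ValueError if it is not a LUKS1 header."""
    if len(data) < LUKS1_HEADER_SIZE:
        raise ValueError("short read: need %d bytes" % LUKS1_HEADER_SIZE)
    if data[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header (magic mismatch)")
    (version,) = struct.unpack(">H", data[6:8])
    if version != 1:
        raise ValueError("only the LUKS1 layout is decoded here, got version %d" % version)
    payload_offset, key_bytes = struct.unpack(">II", data[104:112])
    (mk_iter,) = struct.unpack(">I", data[164:168])
    slots = []
    for i in range(KEY_SLOTS):
        off = 208 + i * 48
        active, iterations = struct.unpack(">II", data[off:off + 8])
        km_offset, stripes = struct.unpack(">II", data[off + 40:off + 48])
        slots.append({"active": active == KEY_SLOT_ACTIVE, "iterations": iterations,
                      "salt": data[off + 8:off + 40],
                      "key_material_offset": km_offset, "stripes": stripes})
    return {"cipher_name": _cstr(data[8:40]), "cipher_mode": _cstr(data[40:72]),
            "hash_spec": _cstr(data[72:104]), "payload_offset": payload_offset,
            "key_bytes": key_bytes, "mk_digest": data[112:132], "mk_salt": data[132:164],
            "mk_iterations": mk_iter, "uuid": _cstr(data[168:208]), "slots": slots}


def active_key_slots(header: dict) -> list:
    """Indices of slots that can unlock the volume (each needs its own passphrase)."""
    return [i for i, s in enumerate(header["slots"]) if s["active"]]


def header_backup(device_bytes: bytes):
    """Copy everything before the encrypted payload (header + key material) and hash it.
    Without this region no passphrase can recover the data, which is what a backup protects."""
    hdr = parse_luks1_header(device_bytes)
    size = hdr["payload_offset"] * SECTOR
    region = device_bytes[:size]
    if len(region) != size:
        raise ValueError("device shorter than its declared payload offset")
    return region, hashlib.sha256(region).hexdigest()


def verify_backup(backup: bytes, expected_sha256: str) -> bool:
    """Re-hash a stored backup; run this on a schedule so bit rot is noticed before it matters."""
    return hashlib.sha256(backup).hexdigest() == expected_sha256


def build_sample_header(payload_offset_sectors: int = 16) -> bytes:
    """Constructed sample: LUKS1 header with one active slot plus a zeroed key-material area.
    Digest, salts and offsets are placeholders, not real key material."""
    def field(s: bytes, size: int) -> bytes:
        return s.ljust(size, b"\0")
    phdr = b"".join([
        LUKS_MAGIC, struct.pack(">H", 1),
        field(b"aes", 32), field(b"xts-plain64", 32), field(b"sha256", 32),
        struct.pack(">II", payload_offset_sectors, 64),   # 64 key bytes = 512-bit XTS key
        b"\x11" * 20, b"\x22" * 32,                         # mk-digest, mk-digest-salt (filler)
        struct.pack(">I", 100000),
        field(b"00000000-0000-4000-8000-000000000000", 40),
    ])
    slots = b""
    for i in range(KEY_SLOTS):
        state, iters, salt = (KEY_SLOT_ACTIVE, 250000, b"\x33" * 32) if i == 0 \
            else (KEY_SLOT_DISABLED, 0, b"\0" * 32)
        slots += struct.pack(">II", state, iters) + salt + struct.pack(">II", 8 + i * 256, 4000)
    return (phdr + slots).ljust(payload_offset_sectors * SECTOR, b"\0")


if __name__ == "__main__":
    dev = build_sample_header()
    hdr = parse_luks1_header(dev)
    print("cipher:", hdr["cipher_name"], hdr["cipher_mode"], "active slots:", active_key_slots(hdr))
    backup, digest = header_backup(dev)
    print("backup bytes:", len(backup), "sha256:", digest)
```

On a real machine the same logic runs against the raw device (`/dev/sdX`, opened read-only) instead of `build_sample_header()`, and the backup plus its hash should live off the encrypted disk itself, for the obvious reason.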
_______________________________________________
Sheffield Linux User's Group
http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk
FAQ at: http://www.sheflug.org.uk/mailfaq.html
GNU - The Choice of a Complete Generation