12 June 2010

"Is Linux Secure?" at Southeast LinuxFest

I'm at Southeast LinuxFest right now, listening to Daniel Chen's Linux audio talk. A bit over an hour ago, I finished my presentation on the Linux security myth. It's meant to be accessible to normal users or to geeks needing to explain to normal users. I was asked afterward why I didn't talk about buffer overflows. That's easy: normal users can't do anything about them.

Slide 31 shows what happens when a .desktop is not executable and is in a home directory. Notably, that Fedora and openSUSE make it easy to run anyway, while Ubuntu policy says those buttons aren't OK (thanks James Tatum for the link pointer). I can understand that reasoning, but I don't expect normal people to know how to mark it as trusted or geeks to know that that's a euphemism for "set the executable bit."


11 comments:

jbr said...

Just out of curiosity, why the "Grrr @ Archlinux" ?

caseyjp4 said...

I'll ditto the sentiment on "grr@arch linux".

I LEFT ubuntu as primary distro TO Arch for a large assortment of reasons, and just sticking "grr/argh" in a slide you post without being a bit more specific is annoying, especially to those of us not able to attend said presentation. :/

Mackenzie said...

They don't sign their packages. Audio will be available later.

FaN_OnLy1 said...

Just as if signing package would suffice... MD5sums have been proven to be of pretty weak...

harry234 said...

FaN_OnLy1: I do not think that the word means what you think it means...

Package signing is not the same thing as checksums. Signing is public-key cryptography, where the packager digitally signs each package. That is *much* stronger than MD5 sums and the like, as not only does it protect against corrupted/substituted downloads, but proves that the uploader is a specific, named person (or e-mail address at least). Look into GPG (the cryptography software used for the signing) for more details.

Bram Bonné said...

This was a very interesting presentation, thanks! :)

caseyjp4 said...

So we Archers don't sign. There's been a big back'n/forth in the Arch General mailing list about some of this, and the general gist from the community as well as some of the devs is...big whoop. Arch is a rolling release and also a "kiss" distribution. Its a distribution where the USER is responsible for what or what doesn't get on his system beyond the base install rather than a distribution "group". So far as I can tell, you're grr@arch comment is coming from Ubuntu's perspective vs. what we over in Arch land view as normal.

So, yeah. I'm only guessing here as I don't have the audio, but seems like a tempest in a teapot from this Arch user at this point. Oh, I do test Ubuntu and keep up with it, but am not fond of the "do it our way or the highway" mentality. See tooltips / buttons / etc., etc., for examples.

But like Dennis Miller is so fond of saying: "...but I could be wrong!" :-D

Mackenzie said...

I get that it's up to the user to ACK or NACK what gets installed, but how is the user to be able to make any sort of judgement at all about whether they should ACK or NACK when there's no signature? There could be *anything* in the package, and they just have to hope that the name marked as person-who-uploaded-this is the actual name and that it wasn't someone mean lying and pretending to have been a trusted person? That's a fundamentally broken way of handling trust.

Christopher M said...

I got a question for ya,

I know you use KDE and I just switched to it... Just curious, do you use the DESKTOP WINDOW for your icons or did you turn that off.. I just came from KDE 3.5 to 4 and I so far HATE the way desktop icons are put into a CONTAINER but I can put things outside said CONTAINER. arg! I dont know why they didn't keep the 3.5 look where I could put icons wherever!

--- Christopher

Mackenzie said...

Christopher:
Yes, I use the Folder View Plasmoid. I think it keeps things tidier than having icons spread all around.

If you want to change your desktop to the old way though, right-click on the desktop -> Desktop Activity Settings -> Activity -> Type: Folder View

dadgadjohn said...

"Yes. I'm from Pittsburgh. How'd you guess?"

Priceless.