95 Comments
- kodek, on 10/12/2007, -7/+52
os = previouslyMentionedOS;
me.bitchAbout(os);
me.praise(osList.genRandOS());
flameWar.add(me);
- Herolint, on 10/12/2007, -22/+57
Linux is only a waste of time if you don't know how to use a computer and like being uneducated. Otherwise, it is an excellent exercise in study and knowledge.
Being a Windows user is like being a car driver who can't even change the oil in their car. Being a Linux user is like being the guy with the really cool car who everybody else envies because he can fix it himself when things go wrong and save himself a lot of money and frustration.
- justnick, on 10/12/2007, -3/+36
I don't know if I can top that. Windows is a pretty big joke.
- schestowitz, on 10/12/2007, -6/+37
Fortunately, many distributions come with many of these steps taken care of. For example, services like ssh are disabled and security software is already installed. Perhaps the key message is that, given the right distribution, the level of the user's competence and exposure to risk is assumed and taken care of without intervention.
- vexx, on 10/12/2007, -1/+26
Oh crap, why didn't anybody tell me before. I used the net install CD.
- tapo, on 10/12/2007, -0/+24
No, you're thinking of the hosts file that overrides DNS lookups. For Linux, that file is /etc/hosts.
Hosts.allow and Hosts.deny allow you to whitelist or blacklist IP addresses from making any connection to your machine.
- Herolint, on 10/12/2007, -11/+32
@GeneralKickAss
My response was to one guy/girl who made a dumb comment about Linux and I made assumptions that they were a novice Windows user (based on the fact that Windows has the largest market share). I COULD have written an entire dissertation to cover all aspects of computing, listed endless types and metaphors, called you up on the phone and consulted you regarding your feelings about my comment, and so on, but that would have been a complete waste of time.
Metaphors are never "good" for all instances and occasions. They only mimic an aspect of their original subject and are used to make a point. Get over it.
For the record, I use Windows, Linux, Solaris, OpenBSD, and OS X. I have been a programmer for Microsoft and Novell and have worked on applications for Windows, Linux, BSD, Solaris, and OS X. I know the various OSs all equally well. I like the Unix-like OSs the best and I like Windows the least because it gets in the way of me accomplishing what I want to do, doesn't work as well as the others, and doesn't come with important utilities that I need, like BASH (yes I know about Cygwin, and it makes Windows better, but not great). I did not go to school to learn any of this. Everything I know about computers I learned on my own by reading books and doing the things they taught me.
I have made my decisions on what I think is best for me in a very informed and knowledgeable way. Because I was willing to put forth the effort to make an educated decision, I don't have any patience or respect for people who don't try to understand anything and then make pointless comments, like the one I was referring to.
I'm sorry if that offends you.
- SmokedL, on 10/12/2007, -0/+18
"windows. not silly stuff like, windows is teh sux its all h4xed with 6000760909 virii lol, or i like to compile my own kernel, or oh noes drm."
Run the plethora of open source programs that are available only on *nix platforms for free.
Update every single program and system component with a few clicks, or a single command line.
Run a decent implementation of Virtual desktops.
Run good 3D accelerated window managers.
Not have my computer severely degraded performance wise by a virus scanner, personal firewall, and intrusion detection system.
Use the internet with no fear of malware.
Diagnose and fix problems far far easier due to the open nature, and good logging support.
Uninstall something and know it really is gone.
Install anything from the huge official repositories of applications with confidence that it will not screw up my system, or install malware.
Not have to reinstall once a year because I like to test software, and this will eventually leave windows an utter mess, since the system has no package manager and any installer can do whatever it likes, without windows being able to do anything about it. Clobber system files, mess up the registry..
Not having to start from the very beginning configuring my personal settings to my liking when installing a new computer, spending weeks to get my preferences set up. I just copy my user folder to the new computer, make sure the UIDs are correct, and I'm done.
The list is pretty much endless.
Yes, there are things that you can only do on windows too. Almost all of them because Microsoft is intentionally incompatible with others. The Wine project is working very hard to remedy this situation and is making great strides.
- dimension128, on 10/12/2007, -3/+15
@inspecality,
The thing is though, it's not really a joke. When friends/family ask me "how do I fix problem xyz?" or "how can I make my computer do zyx?", my reply is usually "install Linux", and when I say that, I'm 100% serious.
- Agret, on 10/12/2007, -1/+13
@benitojuarez
No offense taken, although you may wish to learn more about computing one day and take the plunge.
I'm not saying you should switch but you should definitely experience what is on offer.
- Azap, on 10/12/2007, -3/+11
Buy a banana and a condom and have the talk
- blixel, on 10/12/2007, -1/+9
No, it's not a moot point. So let's be thankful the OpenBSD developers aren't apologists like you. They didn't bury the problem under some lame pretense like "Oh, not that many people are affected, so who cares?"
No - they said "oops!" and fixed it. I applaud their rapid response and honest full disclosure of the problem.
- LocDawg, on 10/12/2007, -3/+10
Your comment was NAAAAHHT witty.
- Herolint, on 10/12/2007, -6/+13
@Truegod
I'll answer your question for you, but rather than cars, I'll use computers, since that is what this article is about.
When a problem happens on my computer, I troubleshoot it and fix it. If a component has gone bad, I drive 5 minutes to the local computer store, buy a replacement part, drive home, and I'm up and running again. I have never been without my computer for more than an hour or two.
On the other hand, I have seen people's computers stop working on them and they don't know why. Sometimes a component has gone bad, sometimes it is just a simple software problem; however, they don't know what to do. So, they drive over to somewhere like CompUSA and have to pay a fee to have somebody diagnose the problem for them. Often times, this requires their computer to be in the shop for a while, which is frustrating. Many times, the techs don't know how to fix the problem either, so they just reinstall everything. Many times this results in a loss of data, which is frustrating.
Periodically, we will see articles on Digg that mention the horror stories of taking your computer to a computer shop. These include data loss, the computer shop selling your old hard drive, with your data still on it, at a swap meet, lost computers, months without a computer, etc. I can't recall a single article about somebody understanding and fixing their own computer and then getting all pissed off about it. Can you?
Does that help you understand?
- cklol, on 10/12/2007, -8/+15
Or with OpenBSD on it.
- drag, on 10/12/2007, -1/+8
This article is worthless.
1. It gives ***** advice that will do nothing to improve the security of your box.
2. It ignores things that are important
I'll give you a REAL list of things you need to do to secure your system.
1. Give yourself a fantastically good password(s). More properly a passphrase. Something you can remember. Throw in some numbers and special characters and play around with capitalization and spelling. Don't do l337 speak, it's worthless and character substitutions are already incorporated into dictionary attacks, so they aren't any better than plain English words.
You want at least 8 characters. A MINIMUM of 8 characters. You really want more. Make it long as all get out.
THIS IS CRITICAL AND HE COMPLETELY IGNORES IT. This is the #1 most important thing you can do.
This is what causes the utter failure of this article.
2. Connect to the internet (gasp!) and make sure that you have the latest updates available for your system. This is absolutely important.
He barely mentions it. He spends more time on the firewall (useless in the majority of cases) than this.
3. Disable unwanted services _that_listen_to_a_external_port_.
He completely f*ks this one up. You have many important services that are there to help you. ALL of them are optional, but you don't necessarily want to get rid of them.
CUPS, for example. It _can_ be a network service, but generally you'll need it for printing. Disable it if you don't want to use a printer. A good distribution should have it listening on localhost (aka loopback network device) by default and you should have to configure it.
Other ones include things like Dbus or Udev, which you want for a modern Linux desktop.
Open up a terminal (gasp! command line! oh no!) and use this command:
netstat -tulpn
That will show you what programs are listening to the network on your machine.
For example this is my output:
sudo netstat -tulp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:9999 *:* LISTEN 2832/approx
tcp 0 0 localhost:6010 *:* LISTEN 1258/0
tcp6 0 0 *:6600 *:* LISTEN 4397/mpd
tcp6 0 0 *:ssh *:* LISTEN 2938/sshd
tcp6 0 0 ip6-localhost:6010 *:* LISTEN 1258/0
The 'localhost' means that it's not listening to external ports and is safe to ignore for this exercise.
Anything with * means that it's listening on all network interfaces and therefore can be subject to attack.
In my case mpd is the music player daemon and I want it running.
ssh is remote shell and I want that running also since I connect to my machine remotely.
approx is an apt-get proxy and I want that running also (handy if you have multiple Debian or Ubuntu machines).
So any of those are subject to remote attacks and I need to be careful about keeping those secure.
At this point a firewall is completely worthless to me so I don't have one installed. It's redundant. A firewall is only useful for advanced network configurations like VPN or if you're doing connection sharing or otherwise have a reason why you want some machines to connect to a particular service on one network and not allow machines from another network even to attempt to access it. Or if you're running a web server or something like that where you want to control network bandwidth or fight DOS. Stuff like that, which isn't something you'd normally do for a Linux desktop.
Just disabling listening ports is a much better way to secure your machine.
Otherwise you can run a firewall if that makes you feel safer. Doesn't matter much to me.
Otherwise that's about it.
If you have multiple users on your machine that connect remotely, then that is a different story and there is a lot more work you'd have to do, but on a single-user machine, or if you have users you can trust, this is about it.
- diggapleaze, on 10/12/2007, -2/+8
uh...humour me
Exactly how is NAT not good security? I'm operating under the assumption that a router is the best kind of firewall there is, so I'd like to know if I'm wrong.
- jstn, on 10/12/2007, -0/+6
The article wasn't talking about secure from a code perspective. Any idiot administrator could set up OpenBSD and get rooted due to poor administration.
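A defender-side check that automates the review drag walks through above (which listeners are bound to every interface and which only to loopback). This is an added example, not drag's or the page's own code; the listing it parses is a constructed sample modelled on his netstat output, with two numeric-style UDP rows added.

```python
"""Classify `netstat -tulpn` style output by how exposed each listener is."""
from dataclasses import dataclass

# Constructed sample based on drag's listing above (not real output of any host).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:9999                  *:*                     LISTEN      2832/approx
tcp        0      0 localhost:6010          *:*                     LISTEN      1258/0
tcp6       0      0 *:6600                  *:*                     LISTEN      4397/mpd
tcp6       0      0 *:ssh                   *:*                     LISTEN      2938/sshd
tcp6       0      0 ip6-localhost:6010      *:*                     LISTEN      1258/0
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1100/dhclient
udp6       0      0 ::1:323                 :::*                                900/chronyd
"""

# Names and addresses netstat prints for the loopback interface.
LOOPBACK = {"localhost", "ip6-localhost", "ip6-loopback", "127.0.0.1", "::1"}
# "*" (symbolic), 0.0.0.0 (IPv4) and :: (IPv6) all mean "every interface".
WILDCARD = {"*", "0.0.0.0", "::"}


@dataclass(frozen=True)
class Listener:
    proto: str      # tcp, tcp6, udp, udp6
    host: str       # local address without the port
    port: str       # numeric or symbolic (ssh) port, as netstat printed it
    program: str    # PID/Program name column with the PID stripped
    exposure: str   # loopback | all-interfaces | specific-address


def split_local(addr):
    """Split 'host:port'; rpartition keeps IPv6 hosts such as '::' intact."""
    host, _, port = addr.rpartition(":")
    return host, port


def classify_host(host):
    if host in LOOPBACK or host.startswith("127."):
        return "loopback"
    if host in WILDCARD:
        return "all-interfaces"
    return "specific-address"


def parse_netstat(text):
    """Parse listener rows; the banner and header lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # udp rows have no State column, so row length varies: take the local
        # address by position and the PID/Program name as the last field.
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        host, port = split_local(fields[3])
        pid_prog = fields[-1]
        program = pid_prog.partition("/")[2] or pid_prog  # "-" when not run as root
        listeners.append(Listener(fields[0], host, port, program, classify_host(host)))
    return listeners


def exposed_listeners(text):
    """Listeners reachable from other hosts: everything not bound to loopback."""
    return [l for l in parse_netstat(text) if l.exposure != "loopback"]


def report(text):
    """One review line per exposed listener, for a human to decide keep/disable."""
    return [f"{l.proto:5} {l.port:>5} {l.program:<10} {l.exposure}"
            for l in exposed_listeners(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it against `sudo netstat -tulpn` output piped into `parse_netstat` and the report is the list drag reviews by hand: approx, mpd, sshd and the DHCP client, with the two loopback-only services left out.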
- lengau, on 10/12/2007, -0/+5
You ever try the "Install a command line system" option? I've forgotten the exact number, but it installs a very minimal amount of packages (doesn't even come with screen!)
That said, Ubuntu wasn't made for people who want an ultralight system with 30 files in /usr/bin. That's where distros like Debian (vanilla debian can be very light), Slackware and Gentoo come along (as well as LFS).
Ubuntu's desktop install will of course install huge numbers of packages. That's just natural for the kind of job it's doing.
- DoctorCal, on 10/12/2007, -0/+5
"By using the Linux command chkconfig you can see what services are running and turn them on and off as needed."
Or, if you are on a debian distro, you can use sysv-rc-conf.
- buhawi, on 10/12/2007, -1/+5
Last month, I just spent three (3) whole days of my life trying to fix a friend's computer running Windows XP SP2.
It was infested with ADware, SPYware, MALware, trojan, virus, rootkit ...
Despite using ten (10) of the best and popular tools for the job, the system was left unstable (crashes frequently).
One can detect things which others cannot.
I learned the most unfortunate thing ... NO anti-virus OR anti-malware tools can be 100 percent effective.
Yep, you got that right. The best solution is to reinstall with a clean slate. :-(
The thing here is that MALWARES/ADWARES/SPYWARES/VIRUS can have deep access to the Windows system. Cleaning these would definitely affect the system, sometimes rendering the system unusable.
- blixel, on 10/12/2007, -4/+8
"Or with OpenBSD on it."
Sorry, not even OpenBSD is perfect.
http://www.kb.cert.org/vuls/id/986425
- jihadforwhat, on 10/12/2007, -0/+4
@ benitojuarez
One huge advantage a Linux distribution has over a windows distribution is that the Linux package allows you complete freedom in the configuration of your system(s). For example I have four systems on a LAN. Using a single Linux distribution I have configured one system as file and DNS server. A second system is configured as a print server and using Firefox and Thunderbird is my primary Internet access system. The other two systems are running Windows 2000 Pro, for application development packages I acquired prior to switching to Linux, and 98SE for low tech games libraries collected prior to Linux. Funny thing about it, the two Linux systems are on the oldest/lowest tech hardware systems. They outperform both windows systems. Funny thing 2, if I wanted to upgrade to XP or vista I would need to make some expensive new hardware purchases. My Linux systems are upgradable just by downloading RPM packages and installing them.
- Brownout, on 10/12/2007, -2/+6
/etc/hosts.allow and /etc/hosts.deny work only when using the tcpwrapper module to run your services; the tip to block ads must be performed in /etc/hosts.
Advice #8 is the old "NAT is security", widely known to be false.
- immrlizard, on 10/12/2007, -0/+4
@buhawi
You are a good friend. I often do the same for people over the weekend. Most of the time they are either not running a virus program or the one they have isn't updating. Most of them never install a single security patch. I have managed to get most of the people I know to at least patch the machines and get a virus program. That takes care of most of their problems. I would never spend more than 3 hours cleaning a machine. One of the first things I do is to get all of the data they need to save off, then put the drive in another machine as a slave and scan it for virus and malware. Only after that do I troubleshoot it. I have switched to linux in the last 6 months and have been really happy with the results.
@drag Thanks for that link for the security. One can never have enough security resources.
@xnacoder Try a different distro. A problem with one distro doesn't mean it is a problem with all of them. ATI is not a great pleasure to configure. I am using kubuntu and there is a script called envy that works where others have had problems. It helped me on an x850 xt that I was having trouble with. Try 7.0.4 beta. You may like it. The forums are really helpful too.
- pauldonnelly, on 10/12/2007, -0/+4
So use a different distro. That's what they are there for.
- diggapleaze, on 10/12/2007, -2/+5
the innernet
- johnthedebs, on 10/12/2007, -1/+4
@diggapleaze:
NAT (or, as it's implemented in consumer routers, PAT) is pretty decent security. See below for more details on why, if you're interested. It isn't anywhere close, though, to being the best security. Dedicated firewalls/security appliances are the way to go if you're a business that's serious about security, but for most home users a simple router with basic firewall features and NAT does the trick.
@rusty0101
NAT as implemented in consumer routers is overloaded and is aka PAT (port address translation). It does, in fact, provide extra security and here's why: The router, when it receives traffic on its external (Internet facing) interface will only forward traffic to a host on the inside if it knows who to forward it to. It will only know who to forward it to if a) that traffic is explicitly defined somewhere in the forwarding rules b) a DMZ has been defined as a sort of catchall for traffic not destined for anyone else or c) a host on the internal network has initiated a flow and the traffic coming in is a response. By default, all traffic coming in through the router is a response to traffic that was started internally, even on those crappy $50 boxes you buy at a retail store. Sure, it isn't that difficult to get around but it does require the user to do something dumb to get around.
A great example of how this would help: You install Windows XP fresh on your home PC after getting infected with some sort of malware. Great. You only have SP1 and want to go online to get XP up-to-date with patches so it can resemble a usable desktop more so than Swiss cheese. Also great. Without that little router there performing NAT (and yes, it is inherently the NAT and not some other firewall feature that does this) anyone on the Internet would have direct access to that machine and all its associated vulnerabilities. With that little router, however, provided you only visit Microsoft Update to patch up your machine and no shady website that could potentially deliver some exploit via your browser, you're completely safe. In fact, you're most likely completely invisible. As soon as unsolicited traffic hits the router, it doesn't know what else to do except drop it right then and there. Moral of the story is you get your Windows machine patched up nice and tight without the worry of being compromised within a few minutes (which almost certainly would be the case without the router in place).
So, yea. NAT is pretty decent security as long as you're overloading addresses - which all cheap routers do by default.
- geronimo, on 10/12/2007, -1/+4
using hosts.allow/deny for SSH is not necessary if you just edit /etc/init.d/ssh/sshd_config and put in "AllowUsers yourusername" and restart sshd. Make sure the password is strong. Then just make iptables rules to allow only ssh/port 80 and you are set.
- xnacoder, on 10/12/2007, -0/+3
Bah who am I kidding, having two OS's on a computer is just too cool to pass up. I'll go torture myself with another linux distro right now.
- shenzi, on 10/12/2007, -1/+3
drag makes good points, but while security is simple in principle, the devil's in the details, as evidenced by the fact that many systems, including those running Linux, are routinely compromised. The plain fact is that people don't UNDERSTAND the danger.
People (especially applicable to city dwellers) understand that people steal cars. And thus people know to at least lock their car doors.
People understand that, in simplistic terms, if a boat has holes in it and water is filling the boat, then they will sink. Thus, people will be ***** sure that they look for and plug any holes they find.
Regarding computers, most people are like those who live in rural areas with the attitude "oh it's safe around here, I trust that no one is out to harm me..." Until that attitude changes, it hardly matters what OS people use.
Just my crazy theory...
- geronimo, on 10/12/2007, -0/+2
I meant that usually all you need open is port 80 (for web) and port 22. Who cares if ssh is on port 22 for the world when you have AllowUsers + a very secure password. By only allowing a certain IP you limit yourself; what if you have a dynamic IP and the IP changes, you are hosed. There is no need to limit yourself like that.
- Truegod, on 10/12/2007, -2/+4
I'm with diggapleaze, how is NAT not good security?! Besides the obvious, like if you open a connection to something malicious or port forward through the NAT (I think they call that PEBCAK).
- lengau, on 10/12/2007, -4/+6
@diggapleaze - NAT itself offers little to no security (in fact, if you forward all ports coming into your NAT router to all of your computers, you can multiply your damage).
NAT Routers, on the other hand, generally offer very very good security. This is due to the fact that most of these routers have very efficient hardware firewalls in them.
Hardware firewalls (the name's kind of misleading, because technically no firewall that I know of is implemented in hardware [although there could be some]) work by sitting on the network between your computer and other computers. Any Hardware firewall will be a lot less likely to break (less code in the firewall=less possible bugs), especially with the latest firmware.
- migla, on 10/12/2007, -0/+2
Just wanna point out, in case someone didn't know this: Linux is more secure out of the box than windows or macos:
http://www.omninerd.com/2007/03/26/articles/74
FTA: "As far as straight-out-of-box conditions go, both Microsoft's Windows and Apple's OS X are ripe with remotely accessible vulnerabilities ... The UNIX and Linux variants present a much more robust exterior to the outside. Even when the pre-configured server binaries are enabled, each [Linux] system generally maintained its integrity against remote attacks."
- rusty0101, on 10/12/2007, -2/+4
Simply put, NAT is not a security tool. NAT is address translation, and on its own does not 'secure' anything.
An example that occasionally works is if you are connected to the same network as the router doing NAT. Presume that the users on that network are using 192.168.1.x/24 as the user side of the NAT, and are plugged into 10.50.12.0/24 with an address of 10.50.12.24. Your network (internal) is 192.168.254.0/24, and your ISP provided address is 10.50.12.43. Somehow you find out that a device in the local network of your target has an address of 192.168.1.2. If you can configure a route in your gateway of 192.168.1.0/24 gw 10.50.12.24, some implementations of NAT will simply treat your traffic as routed network traffic. In other words, any services on the 192.168.1.2 device would be available to you.
The reason that this is not a significant problem for most people is that the router they are using is doing NAT through a table rather than just 'routing' nated traffic. It does not see a table entry for the traffic from your device, 10.50.12.43, so it does not forward traffic from you with a destination of 192.168.1.2. That is the 'firewall' that is often touted as a hardware firewall.
If you are thinking that this means that Skype has done something secret that allows them to do just this, there are a couple of features of NAT that are used by Skype to solve for their situation. Whether those are flaws or not is debatable, as essentially they are using network redirects to provide the feature they need. Also the Skype solution does not require that both NAT routers be part of the same subnet on the internet side of the connection. The example I described above does.
- inactive, on 10/12/2007, -1/+2
Now, imagine your non-tech parents, grandparents, siblings, friends, etc trying to do what is listed in this article.
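A toy model, added here and not taken from the page, of the forwarding decision johnthedebs describes (a reply to an inside-initiated flow, an explicit forwarding rule, or a DMZ host; everything else dropped), which also shows why a table-driven NAT drops the packet rusty0101 routes straight at a private address. The router, hosts and ports are constructed; 10.50.12.x and 192.168.1.x reuse rusty0101's made-up numbers and 203.0.113.10 is a documentation-range stand-in for an Internet host.

```python
"""Model of an overloaded NAT (PAT) router's inbound forwarding decision."""


class PatRouter:
    """A consumer router: one public IP shared by every inside host.

    Inbound packets are forwarded only when (a) a port-forward rule matches,
    (b) they are replies to a flow an inside host opened, or (c) a DMZ host is
    configured as a catch-all; anything else is dropped.
    """

    FIRST_PUBLIC_PORT = 40000  # constructed: where this model starts allocating

    def __init__(self, public_ip, forwards=None, dmz_host=None):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})  # (proto, public_port) -> (inside_ip, inside_port)
        self.dmz_host = dmz_host
        # (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table = {}
        self.next_port = self.FIRST_PUBLIC_PORT

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a flow: record it and rewrite the source to the public IP."""
        for (tproto, pub_port), entry in self.table.items():
            if tproto == proto and entry == (src_ip, src_port, dst_ip, dst_port):
                return (self.public_ip, pub_port, dst_ip, dst_port)  # existing flow
        pub_port = self.next_port
        self.next_port += 1
        self.table[(proto, pub_port)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving on the Internet side: ("FORWARD", ip, port) or ("DROP", why)."""
        # A table-driven NAT only acts on packets addressed to its public IP.
        # rusty0101's case: a packet routed directly at 192.168.1.2 has no table
        # entry here, so it is dropped instead of being treated as routed traffic.
        if dst_ip != self.public_ip:
            return ("DROP", "not addressed to the public IP; no table entry")
        rule = self.forwards.get((proto, dst_port))
        if rule is not None:
            return ("FORWARD", rule[0], rule[1])
        entry = self.table.get((proto, dst_port))
        if entry is not None:
            inside_ip, inside_port, remote_ip, remote_port = entry
            # Only the peer the inside host actually talked to may reply on this port.
            if (src_ip, src_port) == (remote_ip, remote_port):
                return ("FORWARD", inside_ip, inside_port)
            return ("DROP", "unsolicited packet to a mapped port")
        if self.dmz_host is not None:
            return ("FORWARD", self.dmz_host, dst_port)
        return ("DROP", "no rule, no matching flow, no DMZ")


def demo():
    """johnthedebs' scenario: an unpatched PC behind the router fetches updates."""
    router = PatRouter("10.50.12.24", forwards={("tcp", 8080): ("192.168.1.10", 80)})
    pc, update_server, stranger = "192.168.1.5", "203.0.113.10", "10.50.12.43"
    pub_ip, pub_port, _, _ = router.outbound("tcp", pc, 51000, update_server, 80)
    return {
        "reply": router.inbound("tcp", update_server, 80, pub_ip, pub_port),
        "unsolicited_mapped_port": router.inbound("tcp", stranger, 12345, pub_ip, pub_port),
        "unsolicited_other_port": router.inbound("tcp", stranger, 12345, pub_ip, 445),
        "port_forward": router.inbound("tcp", stranger, 12345, pub_ip, 8080),
        "routed_to_private": router.inbound("tcp", stranger, 12345, "192.168.1.2", 22),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```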
- fartleg, on 10/12/2007, -0/+1
I consider myself a novice with computers, but I partitioned my hard drive and installed ubuntu and windows on the same computer, and I have to say ubuntu is a pretty cool os. I have run into trouble with things. What is great is that the forums on their website are really supportive with any problems you might have.
- darkliquid, on 10/12/2007, -1/+2
@shenzi
The thing is, if someone wants in they are going to get in. Non standard ports keep the moronic botnets and skiddies from annoying you with craptastic automated attacks (e.g. DOS from a bruteforce attack on a service using a default port). Now I'm not saying that's the only security measure you should take but it's definitely one of them.
- Truegod, on 10/12/2007, -2/+3
@lengau
"Hardware firewall" is the layman's term for the security NAT provides. Because of the way NAT works only connections started by a device on the inside are connected. There is no such thing as a "Hardware firewall" (at least in the consumer market).
- pauldonnelly, on 10/12/2007, -0/+1
How would that stop anyone from logging in using your name (assuming they know the password)? Besides, putting ALL: ALL in hosts.deny is good practice. From there of course it's necessary to unblock sshd. And don't forget to disallow password login.
- scottjl, on 10/12/2007, -1/+2
they forgot #0: Turn the PC on.
- vh1`, on 10/12/2007, -0/+1
there's a server ISO
or `sudo apt-get remove ubuntu-desktop; sudo apt-get autoremove` (I'm not sure if that works, but it should remove all the orphaned packages from ubuntu-desktop)
- webslave1, on 10/12/2007, -0/+1
One more comment for the mix
let me state upfront I love Linux, I build Linux boxes and have done my best to convert as many people as I can to Linux. I also use MAC, Windows and *nix variants. I was a fully qualified motor technician with BMW, Mercedes Benz, Alfa Romeo and ran my own Garage working on Rolls Royce, Ferrari, VW, AUDI and the imports (American cars), all the while my hobby was software, hardware and general geeky gadgety goodness as they say on the Geekbrief.tv podcast.
Having read all the flames and the comments, I agree with some of the more appropriate comments and some of the really techy ones which only technical types and full-on programmers would understand; anyone else who does not know what SSH is is classed as a novice or ordinary user. Nothing wrong with being a gadget lover and a digg user and being an ordinary user interested in tech.
Now back to the point: no windows system is ready 'out-of-the-box'; anyone who has purchased a system in the last five years (unless from dell etc. where they install McAfee or Norton
- YourDoom123, on 10/12/2007, -0/+1
Yes, you're absolutely right, you CAN do all those things on windows... but how much work is it? I thought windows was the easier of the two...
- djg38, on 10/12/2007, -1/+2
Dedicated Server Setup Checklist:
http://www.dangrossman.info/2007/03/18/dedicated-server-setup-checklist/
- nadadingsda, on 10/12/2007, -0/+1
Be sure to have a look at kmyfirewall to configure your iptables-based firewall, it's a very user friendly program and it lets you also do advanced stuff like configuring IP forwarding and the nat tables.
- inactive, on 10/12/2007, -1/+2
How many Top 10 Linux lists do we really need.
- Rivetgeek, on 10/12/2007, -0/+1
tcpwrapper != localdns
- buhawi, on 10/12/2007, -2/+3
Is there a new division in Microsoft? Last time I checked they just hired 10,000 people.
Are all these 10,000 bloggers? or comment writers? :-)
Money spent on marketing is money spent well.