On Wednesday 11 June 2008 23:47:43 you wrote: > On Wed, Jun 11, 2008 at 10:25:32PM +0200, David Naylor wrote: > > Hi All, > > > > Today I read an article describing how my government had lost ZAR200 000 > > 000 from fraud. This is just under $25 000 000. The article credited > > this loss largely due to the use of spyware. > > > > My question is how secure is FreeBSD (including KDE, GNOME and XFCE) to > > attacks, including cracking and spyware. > > That is a very broad question without a simple answer. It depends among > other things on the purpose of the machine and the knowledge of the > administrator. > > E.g, if you are creating a workstation that doesn't run externally > accessible servers you could configure the firewall to block all > incoming new connection requests. That will go a long way toward > safeguarding the machine against network attacks. > > There is no way to safeguard a machine that an attacker has physical > access to; he could e.g. steal the harddisk and read your data at his > leisure (unless it is encrypted on-disk, e.g. with geli(8)). Also, no OS > can defend against social engineering attacks. > > I would not worry overly much about spyware. Most if not all of those > are windows binaries. Also, unix mail clients as a rule do not execute > scripts embedded in mail messages.
I think this argument is rather mute, just because there are no programs exploiting security vulnerabilities does not been there are not vulnerabilities, and a determined cracker would create his own program. That said I hope there are, actually, no vulnerabilities. [Security through obscurity is just an illusion] > > In addition, is there anyway to > > prevent a user from executing a program that is not owned by root (i.e. > > any program installed by the user), this would prevent spyware being > > installed (assuming root has been properly locked down) and subsequently > > run. > > You could mount /home and other partitions where users have write access > like /tmp with the noexec option. Note that that wouldn't block the > execution of scripts, just binaries. Excellent idea, that would work just fine :-). I think /var/tmp should be added to the list. If a script is run using #!/bin/sh would that then be executable with noexec (i.e. running "./example.sh" instead of "sh ./example.sh) Thank you to everyone who has replied, it was been informative. Regards David
signature.asc
Description: This is a digitally signed message part.