Re: Debians security features in comparison to Ubuntu
On 17.05.2014 21:33, Gunnar Wolf wrote:
> Joel Rees said [Sat, May 17, 2014 at 10:06:41PM +0900]:
> > > The problem is, that Debian lacks a page similar to: https://wiki.ubuntu.com/Security/Features
> >
> > Is that page really useful? I mean, besides as a sort of sales brochure?
>
> Agree with this. It would be nice to have such a page, but having it means we'd have to remember to keep it up to date. And it provides little value but (precisely) being a sales brochure. So... :)
>
> > I did note that the debian pages on security are a bit dated. I suppose I should lend a hand there if I can find the time. How about you, do you have the time? You don't have to start out understanding the whole list, you just have to be willing to look up the debian packages, learn how their setup works, and write down what you learned, discuss it on the appropriate lists, then write up some summaries and submit them. If you do good work, you'll be invited to assume responsibility for some of the wiki pages.
>
> Right. And if the pages are generally seen as meaningful and well done, they might later become part of the official non-wiki webpage.
>
> > > > This will be an issue with any OS you choose, even seriously secure OSes like openBSD.
> > >
> > > Is OpenBSD a seriously secure OS?
> >
> > I suppose it's easier to get into an openbsd server than it is to fly to the moon, but if you set up an openbsd server and keep it updated, attackers will generally find it easier to try social engineering instead of attacking the server directly.
> >
> > Modulo the services you run, but that's true of any OS. If you are running a hypertext protocol server and it has a hole, you have a hole in your server.
>
> That last paragraph is, I found, the most important. Very few people run OpenBSD in its default install (other than for firewalls or similar stuff). Once you set up a webserver with dynamically generated content, a DBMS, and similar stuff... Well, you will find the ports (their term for our packages) are not supported, and staying up to date is not as trivial as with Debian.
>
> OpenBSD is a *great* project and has contributed with many very important techniques. They have audited and improved many important packages (and the work they are currently doing with Open^WLibreSSL is just one such example). I would never say their work is not worth following. But as a sysadmin, many years ago I found Debian to be much preferable — because it cares about the overall security of a very large, very complex and wide-reaching set of programs, not just a core operating system around which to build whatever is needed.
>
> > > Last time I checked, OpenBSD didn't provide signed packages for the package manager by default. Using OpenBSD signed packages for updating only seemed ridiculously complicated.
> >
> > Basically, you're supposed to buy the CDs from the project. CDs are a bit harder to spoof than dns, and they come out every six months.
>
> The CDs are a way to support (read: fund) the project. To keep your install up-to-date, you must download (unsigned!) patches from the Internet, apply them to the tree and rebuild the needed parts of the OS. You are supposed to read the patches to understand what you are doing, although I'm certain many people don't — that's why I wrote an auto-patcher back in 2003 (http://gwolf.org/soft/tepatche/ — it's amazing how bitrot affects even my webpages :-| )... But yes, nowadays I'd be much more uneasy with fetching code from a given FTP server and pushing it automatically into my systems.

Hi there,

I am a happy Debian and Arch user and have seen some FUD flying by recently about OpenBSD, so I thought I might as well correct it:

OpenBSD 5.5 = the newest release, on May 1, 2014. They have added signify:

  Releases and packages are now cryptographically signed with the signify(1) utility (http://www.openbsd.org/cgi-bin/man.cgi?query=signify&sektion=1).
  * The installer will verify all sets before installing.
  * Installing without verification works, but is discouraged.
  * Users are advised to verify the installer (bsd.rd, install55.iso, etc.) ahead of time using the signify(1) tool (http://www.openbsd.org/cgi-bin/man.cgi?query=signify&sektion=1#end) if available.
  * pkg_add(1) (http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_add&sektion=1) now only trusts signed packages by default.

So finally OpenBSD also got signed packages.

Best regards,
stoffl

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5378540d.2010...@yahoo.de
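The verification step stoffl lists above (the installer and pkg_add checking signify signatures) is easy to misunderstand as "a checksum"; what signify actually checks is an Ed25519 signature over the file, bound to an 8-byte key id. The block below is an added example, not part of the thread and not OpenBSD's code: a pure-Python verifier for signify public-key and signature files (the "untrusted comment:" line, then base64 of the "Ed" tag, the key id and the key or signature), on top of a port of the Ed25519 reference implementation. The seed, key id and the SHA256 manifest line are constructed for the demo; signify's encrypted secret-key file format is not modelled, a raw 32-byte seed stands in for it.

```python
# Added example, not OpenBSD's code: verify signify(1) key and signature files.
# Ed25519 is a port of the reference implementation (readable, not constant-time).
import base64
import hashlib

q = 2**255 - 19                                     # field prime
L = 2**252 + 27742317777372353535851937790883648493  # group order
def inv(x): return pow(x, q - 2, q)
d = (-121665 * inv(121666)) % q                     # curve constant
I = pow(2, (q - 1) // 4, q)                         # sqrt(-1) mod q

def xrecover(y):                                    # even x for a given y
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q:
        x = (x * I) % q
    return q - x if x % 2 else x
By = (4 * inv(5)) % q
B = (xrecover(By), By)                              # base point

def edwards(P, Q):                                  # point addition
    (x1, y1), (x2, y2) = P, Q
    x3 = (x1 * y2 + x2 * y1) * inv(1 + d * x1 * x2 * y1 * y2)
    y3 = (y1 * y2 + x1 * x2) * inv(1 - d * x1 * x2 * y1 * y2)
    return (x3 % q, y3 % q)

def scalarmult(P, e):                               # double-and-add
    if e == 0:
        return (0, 1)
    Q = scalarmult(P, e // 2)
    Q = edwards(Q, Q)
    return edwards(Q, P) if e & 1 else Q

def encodepoint(P):                                 # y with sign(x) in top bit
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")
def decodepoint(s):
    n = int.from_bytes(s, "little")
    y = n & ((1 << 255) - 1)
    x = xrecover(y)
    x = q - x if (x & 1) != (n >> 255) else x
    if len(s) != 32 or (-x * x + y * y - 1 - d * x * x * y * y) % q:
        raise ValueError("not a valid point encoding")
    return (x, y)

def secret_scalar(seed):                            # clamped scalar, nonce prefix
    h = hashlib.sha512(seed).digest()
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254), h[32:]
def ed25519_publickey(seed):
    return encodepoint(scalarmult(B, secret_scalar(seed)[0]))
def ed25519_sign(msg, seed, pk):
    a, prefix = secret_scalar(seed)
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little")
    R = encodepoint(scalarmult(B, r))
    k = int.from_bytes(hashlib.sha512(R + pk + msg).digest(), "little")
    return R + ((r + k * a) % L).to_bytes(32, "little")
def ed25519_verify(sig, msg, pk):
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    if len(sig) != 64:
        return False
    S = int.from_bytes(sig[32:], "little")
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little")
    return scalarmult(B, S) == edwards(R, scalarmult(A, k))

# signify files: an "untrusted comment:" line (never authenticated), then base64 of
# the tag "Ed" + 8-byte key id + 32-byte public key or 64-byte signature.
PKALG = b"Ed"
def parse_signify_file(text):
    lines = text.splitlines()
    if len(lines) < 2 or not lines[0].startswith("untrusted comment:"):
        raise ValueError("malformed signify file")
    blob = base64.b64decode(lines[1])
    if blob[:2] != PKALG:
        raise ValueError("unsupported algorithm")
    return blob[2:10], blob[10:]                    # (key id, payload)
def format_signify_file(comment, keynum, payload):
    b64 = base64.b64encode(PKALG + keynum + payload).decode()
    return "untrusted comment: %s\n%s\n" % (comment, b64)
def signify_verify(pubkey_text, sig_text, message):
    """True iff sig_text is a valid signature on message under pubkey_text."""
    keynum_pk, pk = parse_signify_file(pubkey_text)
    keynum_sig, sig = parse_signify_file(sig_text)
    if keynum_pk != keynum_sig:                     # key id mismatch: refuse
        return False
    return ed25519_verify(sig, message, pk)

def demo():
    """Constructed key, key id and manifest; returns (ok, tampered, wrong_id)."""
    seed = hashlib.sha256(b"constructed demo seed, not an OpenBSD key").digest()
    keynum = bytes(range(8))                        # constructed key id
    pk = ed25519_publickey(seed)
    pub_file = format_signify_file("demo.pub (constructed)", keynum, pk)
    manifest = b"SHA256 (bsd.rd) = " + b"0" * 64 + b"\n"  # constructed line
    sig_file = format_signify_file("verify with demo.pub", keynum,
                                   ed25519_sign(manifest, seed, pk))
    other_id = format_signify_file("same key, other id", b"\xff" * 8, pk)
    return (signify_verify(pub_file, sig_file, manifest),
            signify_verify(pub_file, sig_file, manifest.replace(b"0", b"1")),
            signify_verify(other_id, sig_file, manifest))
```

Two things worth noticing in the demo: the comment line is not covered by the signature, so a changed comment proves nothing either way, and a signature made with the right key but carrying a different key id is rejected before any cryptography runs. What the real `signify -C` adds on top is a second step: once the SHA256 manifest is verified, it hashes the listed files and compares them with the manifest lines, which is how one signature covers a whole set of install files.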
Re: Debians security features in comparison to Ubuntu
herzogbrigit...@t-online.de wrote:
> Hello there,
>
> I'm a new user of the great Debian distro for my Desktop. But when I talked to a friend and I told him, that I'm using Debian (Wheezy) for my desktop computer, he told me that I shouldn't use it because it is not secure. He told me to use Ubuntu instead. He explained that with the fact, that Ubuntu has more security features enabled than Debian (also more compiler flags for security) in a fresh install.

Your friend has missed a very important aspect: Ubuntu only provides security support for the main and restricted archive sections:
https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support

But since the universe section is enabled by default, you'll end up with a lot of unpatched security vulnerabilities on Ubuntu systems.

Cheers,
Moritz

Archive: https://lists.debian.org/slrnlnhast.2c4@inutil.org
Re: Debians security features in comparison to Ubuntu
On Sunday, 2014-05-18 at 14:46:21 +0200, Moritz Mühlenhoff wrote:
> Ubuntu only provides security support for the main and restricted archive sections:
> https://wiki.ubuntu.com/SecurityTeam/FAQ#Official_Support
>
> But since the universe section is enabled by default, you'll end up with a lot of unpatched security vulnerabilities on Ubuntu systems.

That must be why there are only 535 update packages for Trusty's Universe (for 35524 packages) and 1371 updates for Precise's 29406 packages... I admit that the numbers for multiverse are much lower (27 and 1), so your point is valid as soon as you enable the multiverse (672 and 741 packages). I guess you wouldn't get a very capable Ubuntu system if you disabled the Universe.

Here is a table:

Release | Section    | Packages | Security Updates
Precise | Main       |     8076 |             5407
Precise | Universe   |    29406 |             1371
Precise | Multiverse |      672 |               73
Trusty  | Main       |     8566 |              526
Trusty  | Universe   |    35524 |              266
Trusty  | Multiverse |      741 |               27

Numbers for Wheezy and Squeeze:

Release | Section  | Packages | Security Updates
Wheezy  | Main     |    35944 |             1193
Wheezy  | Non-free |      475 |                0
Wheezy  | Contrib  |      210 |                0
Squeeze | Main     |    28212 |             1777
Squeeze | Non-free |      403 |                0
Squeeze | Contrib  |      187 |                1

So by sheer numbers Ubuntu has the better security. But I'm the first to admit that those numbers don't mean a lot except that somebody was really busy building packages...

Lupe Christoph
--
| The politician's syllogism: |
| We must do something        |
| This is something           |
| Therefore, we must do this. |

Archive: https://lists.debian.org/20140518140522.ge22...@lupe-christoph.de
Re: Debians security features in comparison to Ubuntu
Thanks for the nice comparison. I never realized Debian main consists of so many packages, I always considered default Ubuntu installation not so secure due to universe repo enabled by default..

Here is one interesting presentation about Ubuntu trusty 14.04 security features:
http://blog.dustinkirkland.com/2014/04/ubuntu-1404-lts-security-for-human.html

On Sun, May 18, 2014 at 4:05 PM, Lupe Christoph <l...@lupe-christoph.de> wrote:
> [...]

Archive: https://lists.debian.org/20140518140522.ge22...@lupe-christoph.de
Re: Debians security features in comparison to Ubuntu
sorry, here's proper link to the presentation:
https://docs.google.com/presentation/d/1_kTBIZLoT3VOGOFgTqjkQ3E0e4o_esV71RNzo4JuQI0/pub?start=false&loop=false&delayms=3000#slide=id.ge4adadaf_1_645

s.

On Sun, May 18, 2014 at 8:26 PM, Stanislav Bocinec <sva...@gmail.com> wrote:
> [...]

Archive: https://lists.debian.org/20140518140522.ge22...@lupe-christoph.de
Re: Debians security features in comparison to Ubuntu
Joel Rees:
> > He told me to use Ubuntu instead. He explained that with the fact, that Ubuntu has more security features enabled than Debian (also more compiler flags for security) in a fresh install. He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features
>
> That's a good list of all the currently fashionable security features for Linux. Some of the items in the list are meaningful, some are not. Most might be if you know what you are doing with them. None of the meaningful items in that list are unavailable on Debian, and the defaults are reasonably secure in Debian.

The problem is, that Debian lacks a page similar to: https://wiki.ubuntu.com/Security/Features

As you can see, that https://wiki.ubuntu.com/Security/Features page looks impressive to new users. I guess Debian is losing a few users to Ubuntu, because Debian does not have such a page.

> This will be an issue with any OS you choose, even seriously secure OSes like openBSD.

Is OpenBSD a seriously secure OS?

Last time I checked, OpenBSD didn't provide signed packages for the package manager by default. Using OpenBSD signed packages for updating only seemed ridiculously complicated.

http://www.openbsd.org/faq/faq1.html:
"OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system"

Well, for experts eventually, not for normal users! And I am wondering which security professionals they are quoting and from when these quotes are.

> Do not surf the web as root or as any administrator login id, of course.
>
> Speaking of admin login ids, it's a good idea to have one non-root login id that you only use for administrative tasks. And you should avoid getting onto the web when logged in with the admin id. Which means you need another id for general use, which makes two strong passwords, three if you allow root login.

After reading the following blog post
http://theinvisiblethings.blogspot.fr/2011/04/linux-security-circus-on-gui-isolation.html
it seems to me, that user account level isolation isn't very strong.

Archive: https://lists.debian.org/53774bb8.9020...@riseup.net
Re: Debians security features in comparison to Ubuntu
On Sat, May 17, 2014 at 8:44 PM, Patrick Schleizer <adrela...@riseup.net> wrote:
> Joel Rees:
> > > He told me to use Ubuntu instead. He explained that with the fact, that Ubuntu has more security features enabled than Debian (also more compiler flags for security) in a fresh install. He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features
> >
> > That's a good list of all the currently fashionable security features for Linux. Some of the items in the list are meaningful, some are not. Most might be if you know what you are doing with them. None of the meaningful items in that list are unavailable on Debian, and the defaults are reasonably secure in Debian.
>
> The problem is, that Debian lacks a page similar to: https://wiki.ubuntu.com/Security/Features

Is that page really useful? I mean, besides as a sort of sales brochure?

> As you can see, that https://wiki.ubuntu.com/Security/Features page looks impressive to new users. I guess Debian is losing a few users to Ubuntu, because Debian does not have such a page.

I did note that the debian pages on security are a bit dated. I suppose I should lend a hand there if I can find the time. How about you, do you have the time? You don't have to start out understanding the whole list, you just have to be willing to look up the debian packages, learn how their setup works, and write down what you learned, discuss it on the appropriate lists, then write up some summaries and submit them. If you do good work, you'll be invited to assume responsibility for some of the wiki pages.

> > This will be an issue with any OS you choose, even seriously secure OSes like openBSD.
>
> Is OpenBSD a seriously secure OS?

I suppose it's easier to get into an openbsd server than it is to fly to the moon, but if you set up an openbsd server and keep it updated, attackers will generally find it easier to try social engineering instead of attacking the server directly.

Modulo the services you run, but that's true of any OS. If you are running a hypertext protocol server and it has a hole, you have a hole in your server.

> Last time I checked, OpenBSD didn't provide signed packages for the package manager by default. Using OpenBSD signed packages for updating only seemed ridiculously complicated.

Basically, you're supposed to buy the CDs from the project. CDs are a bit harder to spoof than dns, and they come out every six months.

> http://www.openbsd.org/faq/faq1.html:
> "OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system"
>
> Well, for experts eventually, not for normal users!

There is no operating system that is secure for people who aren't willing to learn how to admin the thing.

> And I am wondering which security professionals they are quoting and from when these quotes are.

Search the web.

> > Do not surf the web as root or as any administrator login id, of course.
> >
> > Speaking of admin login ids, it's a good idea to have one non-root login id that you only use for administrative tasks. And you should avoid getting onto the web when logged in with the admin id. Which means you need another id for general use, which makes two strong passwords, three if you allow root login.
>
> After reading the following blog post
> http://theinvisiblethings.blogspot.fr/2011/04/linux-security-circus-on-gui-isolation.html
> it seems to me, that user account level isolation isn't very strong.

That's why you don't surf the web as an admin user.

There are lots of things I left out, to avoid dropping an elephant on the list. One is that you should avoid X11 user switching in general, and especially when you are doing admin work.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Archive: https://lists.debian.org/caar43imw52ab6xtuf2imxtrerrdkrzylthb22cq2-nipccn...@mail.gmail.com
Re: Debians security features in comparison to Ubuntu
On Sat, 17 May 2014 11:44:56 + Patrick Schleizer <adrela...@riseup.net> wrote:
> After reading the following blog post
> http://theinvisiblethings.blogspot.fr/2011/04/linux-security-circus-on-gui-isolation.html
> it seems to me, that user account level isolation isn't very strong.

A very helpful link. I wasn't aware of that problem until now. Is there anything I can do against this, without using two different users? Are there any plans on changing this behaviour?
Re: Debians security features in comparison to Ubuntu
> > That's a good list of all the currently fashionable security features for Linux. Some of the items in the list are meaningful, some are not. Most might be if you know what you are doing with them. None of the meaningful items in that list are unavailable on Debian, and the defaults are reasonably secure in Debian.
>
> The problem is, that Debian lacks a page similar to: https://wiki.ubuntu.com/Security/Features
>
> As you can see, that https://wiki.ubuntu.com/Security/Features page looks impressive to new users. I guess Debian is losing a few users to Ubuntu, because Debian does not have such a page.

Again, Debian is not in the business of handholding new Linux users, nor should it be. Debian is a foundation for targeted systems.

Archive: https://lists.debian.org/a853a2f5-994e-46d1-aeb2-e9c2fec43...@vianet.ca
Re: Debians security features in comparison to Ubuntu
> The problem is, that Debian lacks a page similar to: https://wiki.ubuntu.com/Security/Features
>
> As you can see, that https://wiki.ubuntu.com/Security/Features page looks impressive to new users. I guess Debian is losing a few users to Ubuntu, because Debian does not have such a page.

Most of those features are also in debian, and the lack of a marketing page shouldn't so easily lead to that conclusion. Things get done in debian by volunteers, so the shortfalls that remain will only be addressed when those with the itch step up to fix them.

Best wishes,
Mike

Archive: https://lists.debian.org/CANTw=MNeFuubRRBQTTC0Ytu4q_UcZU+S5ZSXqZbL=xyj80j...@mail.gmail.com
Re: Debians security features in comparison to Ubuntu
Joel Rees wrote on 17-05-14 03:19:
> > He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features
>
> None of the meaningful items in that list are unavailable on Debian, and the defaults are reasonably secure in Debian.

I might be misinterpreting your definition of meaningful, but I have been looking for a public entropy source for my Debian system for quite a while. If you can point me to the Debian equivalent of pollinate and https://entropy.ubuntu.com/ that would be highly appreciated.

Kind regards,
Richard

Archive: https://lists.debian.org/5377818b.3050...@vdberg.org
Re: Debians security features in comparison to Ubuntu
Heh. I took the bait on this one.

On Sat, May 17, 2014 at 8:44 PM, Patrick Schleizer <adrela...@riseup.net> wrote:
> Joel Rees:
> > > He told me to use Ubuntu instead. He explained that with the fact, that Ubuntu has more security features enabled than Debian (also more compiler flags for security) in a fresh install. He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features
> >
> > That's a good list of all the currently fashionable security features for Linux. Some of the items in the list are meaningful, some are not. Most might be if you know what you are doing with them. None of the meaningful items in that list are unavailable on Debian, and the defaults are reasonably secure in Debian.
>
> The problem is, that Debian lacks a page similar to: https://wiki.ubuntu.com/Security/Features

[...]

Scroll down that page to the bottom. I'd say that "lacks" seems to be a bit of a strong word to use there.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Archive: https://lists.debian.org/CAAr43iPOcda72JuhZofyKOcg6NM1=rnmj34mz931b0rwxyz...@mail.gmail.com
Re: Debians security features in comparison to Ubuntu
On Sat, May 17, 2014 at 10:39 PM, Sven Bartscher <sven.bartsc...@weltraumschlangen.de> wrote:
> On Sat, 17 May 2014 11:44:56 + Patrick Schleizer <adrela...@riseup.net> wrote:
> > After reading the following blog post
> > http://theinvisiblethings.blogspot.fr/2011/04/linux-security-circus-on-gui-isolation.html
> > it seems to me, that user account level isolation isn't very strong.
>
> A very helpful link. I wasn't aware of that problem until now. Is there anything I can do against this, without using two different users? Are there any plans on changing this behaviour?

There are more reasons than the X11 hole to refrain from using your admin user to surf the web.

If you are worried about needing to find answers to admin problems by searching the web, lynx helps somewhat. But I still restrict the places I visit with lynx while running as an admin to my search engine site, certain subdomains of debian.org, and such.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Archive: https://lists.debian.org/CAAr43iMn2QnuB28=hrq+jf_ngwkof4md1zpph79kte_resg...@mail.gmail.com
Re: Debians security features in comparison to Ubuntu
On Sun, May 18, 2014 at 12:34 AM, Richard van den Berg <rich...@vdberg.org> wrote:
> Joel Rees wrote on 17-05-14 03:19:
> > > He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features
> >
> > None of the meaningful items in that list are unavailable on Debian, and the defaults are reasonably secure in Debian.
>
> I might be misinterpreting your definition of meaningful, but I have been looking for a public entropy source for my Debian system for quite a while. If you can point me to the Debian equivalent of pollinate and https://entropy.ubuntu.com/ that would be highly appreciated.

Hmm. Early boot has problems getting enough randomness (for what?), so let's go get some randomness from a server somebody in the Ubuntu project set up. Pardon me for being cynical, but what could go worng?

But the client is supposed to be 50 lines of golang, is it not?

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Archive: https://lists.debian.org/CAAr43iMberAfPyOnx91eXj-AJQeF1SO+O=w_68txw4zkmbi...@mail.gmail.com
Re: Debians security features in comparison to Ubuntu
On Sat, May 17, 2014 at 11:18 PM, Reid Sutherland <r...@vianet.ca> wrote:
> > > That's a good list of all the currently fashionable security features for Linux. Some of the items in the list are meaningful, some are not. Most might be if you know what you are doing with them. None of the meaningful items in that list are unavailable on Debian, and the defaults are reasonably secure in Debian.
> >
> > The problem is, that Debian lacks a page similar to: https://wiki.ubuntu.com/Security/Features
> >
> > As you can see, that https://wiki.ubuntu.com/Security/Features page looks impressive to new users. I guess Debian is losing a few users to Ubuntu, because Debian does not have such a page.
>
> Again, Debian is not in the business of handholding new Linux users, nor should it be. Debian is a foundation for targeted systems.

Just for the record, https://wiki.debian.org/Hardening

Yeah, I missed that at first, too. Sorry.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Archive: https://lists.debian.org/caar43ioisau6sian7jng6n_htxsvt2sbpw9rzkyvct+ardx...@mail.gmail.com
Re: Debians security features in comparison to Ubuntu
On Sun, 18 May 2014 01:09:06 +0900 Joel Rees <joel.r...@gmail.com> wrote:
> On Sat, May 17, 2014 at 10:39 PM, Sven Bartscher <sven.bartsc...@weltraumschlangen.de> wrote:
> > On Sat, 17 May 2014 11:44:56 + Patrick Schleizer <adrela...@riseup.net> wrote:
> > > After reading the following blog post
> > > http://theinvisiblethings.blogspot.fr/2011/04/linux-security-circus-on-gui-isolation.html
> > > it seems to me, that user account level isolation isn't very strong.
> >
> > A very helpful link. I wasn't aware of that problem until now. Is there anything I can do against this, without using two different users? Are there any plans on changing this behaviour?
>
> There are more reasons than the X11 hole to refrain from using your admin user to surf the web.

Just out of curiosity, what are these reasons?

> If you are worried about needing to find answers to admin problems by searching the web, lynx helps somewhat. But I still restrict the places I visit with lynx while running as an admin to my search engine site, certain subdomains of debian.org, and such.

I'm not only worried about my admin account. This is still a big security-hole for non-admins.

Regards
Sven
Re: Debians security features in comparison to Ubuntu
On Sun, May 18, 2014 at 1:24 AM, Sven Bartscher <sven.bartsc...@weltraumschlangen.de> wrote:
> On Sun, 18 May 2014 01:09:06 +0900 Joel Rees <joel.r...@gmail.com> wrote:
> > On Sat, May 17, 2014 at 10:39 PM, Sven Bartscher <sven.bartsc...@weltraumschlangen.de> wrote:
> > > On Sat, 17 May 2014 11:44:56 + Patrick Schleizer <adrela...@riseup.net> wrote:
> > > > After reading the following blog post
> > > > http://theinvisiblethings.blogspot.fr/2011/04/linux-security-circus-on-gui-isolation.html
> > > > it seems to me, that user account level isolation isn't very strong.
> > >
> > > A very helpful link. I wasn't aware of that problem until now. Is there anything I can do against this, without using two different users? Are there any plans on changing this behaviour?
> >
> > There are more reasons than the X11 hole to refrain from using your admin user to surf the web.
>
> Just out of curiosity, what are these reasons?

Your browser and any plugins, addons, etc. that it loads, including java, flash, java/ecmascript, and, well, any scripting language the browser can be running, for starters.

Shoot, if my memory serves me, I seem to remember a class of vulnerabilities that has never really been answered, involving pushing keyboard loggers into the keyboard controller itself.

> > If you are worried about needing to find answers to admin problems by searching the web, lynx helps somewhat. But I still restrict the places I visit with lynx while running as an admin to my search engine site, certain subdomains of debian.org, and such.
>
> I'm not only worried about my admin account. This is still a big security-hole for non-admins.

The web is not safe.

If you do internet banking, at least make a separate, dedicated account for that, too.

And if you go places where maybe you should not let yourself go, re-think your reasons for going.

I get a lot of flak for such suggestions, but I'm not going to tell you soft stories.

--
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.

Archive: https://lists.debian.org/caar43in3xzmh9wfmuwkujtbkhdj1gervb2uq5hvbnxd7wgt...@mail.gmail.com
Re: Debians security features in comparison to Ubuntu
> I might be misinterpreting your definition of meaningful, but I have been looking for a public entropy source for my Debian system for quite a while. If you can point me to the Debian equivalent of pollinate and https://entropy.ubuntu.com/ that would be highly appreciated.

To transport the entropy securely, you need cryptography, which is precisely the thing you need entropy for. A public entropy source is insecure crap with no security profit at all. More than that, it makes admins think their system is better secured. It isn't.

--
Jan Matejka aka 'Moskyto' <m...@ucw.cz>
--
Vanity of vanities, saith the Preacher; all is vanity. Ecclesiastes 1:2
Re: Debians security features in comparison to Ubuntu
Hello,

On 17 May 2014 at 17:34, Richard van den Berg wrote:
> Joel Rees wrote on 17-05-14 03:19:
> > > He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features
> >
> > None of the meaningful items in that list are unavailable on Debian, and the defaults are reasonably secure in Debian.
>
> I might be misinterpreting your definition of meaningful, but I have been looking for a public entropy source for my Debian system for quite a while. If you can point me to the Debian equivalent of pollinate and https://entropy.ubuntu.com/ that would be highly appreciated.

Isn't it a better idea to use local entropy generators such as haveged instead of online ones? I'm quite disturbed about using an online (and moreover third-party) service to improve security of a local system. In my sense, this requires a huge level of trust towards the considered service.

In terms of usage, I personally tested haveged on my servers to generate various GPG keys and it performs remarkably well.

Best regards
Emmanuel Thierry

Archive: https://lists.debian.org/24050730-4e5b-45d8-9c35-6cc63e7c7...@sekil.fr
Dedicated admin account (was Re: Debians security features in comparison to Ubuntu)
On Sun, 18 May 2014 01:36:44 +0900 Joel Rees joel.r...@gmail.com wrote:

There are more reasons than the X11 hole to refrain from using your admin user to surf the web.

Just out of curiosity, what are these reasons?

Your browser and any plugins, addons, etc. that it loads, including Java, Flash, Java/ECMAScript, and, well, any scripting language the browser can be running, for starters. Shoot, if my memory serves me, I seem to remember a class of vulnerabilities that has never really been answered, involving pushing keyboard loggers into the keyboard controller itself. If you are worried about needing to find answers to admin problems by searching the web, lynx helps somewhat. But I still restrict the places I visit with lynx while running as an admin to my search engine site, certain subdomains of debian.org, and such.

I'm not only worried about my admin account. This is still a big security hole for non-admins.

The web is not safe. If you do internet banking, at least make a separate, dedicated account for that, too. And if you go places where maybe you should not let yourself go, re-think your reasons for going.

So basically I would need one account for surfing, one for online banking, ssh(-agent) and other important stuff, and an admin account. Some accounts I missed? I know that's not gonna help, but I feel like there should be a better way to isolate processes.

PS: Please don't CC me

Regards, Sven
Re: Dedicated admin account (was Re: Debians security features in comparison to Ubuntu)
May be off topic, but IMO one should use an OS booted from DVD or a write-protected USB stick for online banking.

On 17. Mai 2014 18:50:42 MESZ, Sven Bartscher sven.bartsc...@weltraumschlangen.de wrote: On Sun, 18 May 2014 01:36:44 +0900 Joel Rees joel.r...@gmail.com wrote: There are more reasons than the X11 hole to refrain from using your admin user to surf the web. Just out of curiosity, what are these reasons? Your browser and any plugins, addons, etc. that it loads, including Java, Flash, Java/ECMAScript, and, well, any scripting language the browser can be running, for starters. Shoot, if my memory serves me, I seem to remember a class of vulnerabilities that has never really been answered, involving pushing keyboard loggers into the keyboard controller itself. If you are worried about needing to find answers to admin problems by searching the web, lynx helps somewhat. But I still restrict the places I visit with lynx while running as an admin to my search engine site, certain subdomains of debian.org, and such. I'm not only worried about my admin account. This is still a big security hole for non-admins. The web is not safe. If you do internet banking, at least make a separate, dedicated account for that, too. And if you go places where maybe you should not let yourself go, re-think your reasons for going. So basically I would need one account for surfing, one for online banking, ssh(-agent) and other important stuff, and an admin account. Some accounts I missed? I know that's not gonna help, but I feel like there should be a better way to isolate processes. PS: Please don't CC me Regards, Sven

-- This message was sent from my Android phone with K-9 Mail.
Re: Debians security features in comparison to Ubuntu
Le 17/05/2014 18:38, Jan Moskyto Matejka a écrit : I might be misinterpreting your definition of meaningful, but I have been looking for a public entropy source for my Debian system for quite a while. If you can point me to the Debian equivalent of pollinate and https://entropy.ubuntu.com/ that would be highly appreciated. To transport the entropy securely, you need cryptography, which is precisely the thing you need entropy for. A public entropy source is insecure crap with no security profit at all. More than that, it makes admins think their system is better secured. It isn't.

More than that: it is an excellent attack vector, since some cryptographic operations become weak when the attacker knows a bias in the generation of secrets.
Re: Dedicated admin account (was Re: Debians security features in comparison to Ubuntu)
On Sat, 17 May 2014 18:57:35 +0200 Franz Brandl franz.bra...@runbox.com wrote:

May be off topic, but IMO one should use an OS booted from DVD or a write-protected USB stick for online banking.

Assuming that no remote attacker can plug my HBCI card reader into the USB hub, I think that is not necessary.

On 17. Mai 2014 18:50:42 MESZ, Sven Bartscher sven.bartsc...@weltraumschlangen.de wrote: On Sun, 18 May 2014 01:36:44 +0900 Joel Rees joel.r...@gmail.com wrote: There are more reasons than the X11 hole to refrain from using your admin user to surf the web. Just out of curiosity, what are these reasons? Your browser and any plugins, addons, etc. that it loads, including Java, Flash, Java/ECMAScript, and, well, any scripting language the browser can be running, for starters. Shoot, if my memory serves me, I seem to remember a class of vulnerabilities that has never really been answered, involving pushing keyboard loggers into the keyboard controller itself. If you are worried about needing to find answers to admin problems by searching the web, lynx helps somewhat. But I still restrict the places I visit with lynx while running as an admin to my search engine site, certain subdomains of debian.org, and such. I'm not only worried about my admin account. This is still a big security hole for non-admins. The web is not safe. If you do internet banking, at least make a separate, dedicated account for that, too. And if you go places where maybe you should not let yourself go, re-think your reasons for going. So basically I would need one account for surfing, one for online banking, ssh(-agent) and other important stuff, and an admin account. Some accounts I missed? I know that's not gonna help, but I feel like there should be a better way to isolate processes. PS: Please don't CC me Regards, Sven -- This message was sent from my Android phone with K-9 Mail.
Re: Dedicated admin account (was Re: Debians security features in comparison to Ubuntu)
On Sun, May 18, 2014 at 1:50 AM, Sven Bartscher sven.bartsc...@weltraumschlangen.de wrote: On Sun, 18 May 2014 01:36:44 +0900 Joel Rees joel.r...@gmail.com wrote: There are more reasons than the X11 hole to refrain from using your admin user to surf the web. Just out of curiosity, what are these reasons? Your browser and any plugins, addons, etc. that it loads, including Java, Flash, Java/ECMAScript, and, well, any scripting language the browser can be running, for starters. Shoot, if my memory serves me, I seem to remember a class of vulnerabilities that has never really been answered, involving pushing keyboard loggers into the keyboard controller itself. If you are worried about needing to find answers to admin problems by searching the web, lynx helps somewhat. But I still restrict the places I visit with lynx while running as an admin to my search engine site, certain subdomains of debian.org, and such. I'm not only worried about my admin account. This is still a big security hole for non-admins. The web is not safe. If you do internet banking, at least make a separate, dedicated account for that, too. And if you go places where maybe you should not let yourself go, re-think your reasons for going. So basically I would need one account for surfing, one for online banking, ssh(-agent) and other important stuff, and an admin account. Some accounts I missed? I know that's not gonna help, but I feel like there should be a better way to isolate processes.

There are some experiments in sandboxing in the browser, other, more general experiments in sandboxing apps in general. Somebody mentioned Qube or some such. OpenBSD is partially mitigating the X11 hole with some interesting stuff. I have a poor-man's sandbox that I blogged about several years back, but I got it wrong relative to X11, if I remember right. I suppose I should do some testing and update my blog, but nobody's read that post in the last year, I think.

But that method, involving sudo, does, at least, isolate the JavaScript code and the cookies.

If you have a million dollars to front a project for the next three years and feed me and my family and about ten developers, I might be able to produce a Linux or BSD derivative that allows you to log in as one user and fire up ephemeral users for tasks. The bulk of the development is going to go into isolating the video buffers, I think. And the resulting video will be slow, probably won't be able to use most of the current hardware acceleration. I jest. I have other things I want to do. Cheaper and quicker to just get used to separating what you do and how you log in.

Well, xen or one of the other VMs might help. But I'm not sure even those will properly isolate the video buffers to avoid screen-scraping.

PS: Please don't CC me

Sorry about that. I usually remember to delete the sender. Too lazy to set up a proper MUA for mailing list access.

-- Joel Rees Computer memory is just fancy paper, the cpu and i/o are just fancy pens. This is not the magic you are looking for.
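The "poor-man's sandbox" Joel refers to, a second local account plus sudo, reduces to two commands. The following is an added example, not the script from his blog: it assumes a dedicated account named webuser already exists (created with adduser, hypothetical name), that sudoers lets the calling user run commands as that account, and that the X server is reached over the local Unix socket so that an xhost entry for the local uid is enough to open a window. What it isolates is the browser's uid, profile and cookies; it does nothing about the X11 hole, because every client admitted to the display can read every other client's keystrokes.

```python
"""Run the browser as a separate local account so its profile, cookies and
anything a page script can write stay out of the admin user's home.  Added
example, not the sandbox script from the thread.  Assumes sudo is installed
and that a sudoers rule lets the calling user run commands as SANDBOX_USER
(a hypothetical account created with `adduser webuser`)."""
import os
import shlex
import subprocess
import sys

SANDBOX_USER = "webuser"  # hypothetical dedicated account


def x11_grant_command(user):
    """xhost entry admitting one local uid to the display.  This is the price
    of getting a window at all, and it is exactly the X11 hole: any client on
    the display can snoop every other client's keystrokes, so the separate
    account does not close it."""
    return ["xhost", f"+si:localuser:{user}"]


def browser_command(user, argv, display):
    """sudo -H points HOME at the sandbox user's home; env adds DISPLAY on top
    of sudo's reset environment; '--' ends sudo's option parsing so nothing in
    argv can be read as a sudo flag."""
    return ["sudo", "-H", "-u", user, "--", "env", f"DISPLAY={display}", *argv]


def run(cmd, dry_run=False):
    """Execute cmd, or only print it shell-quoted when dry_run is set."""
    if dry_run:
        print(" ".join(shlex.quote(c) for c in cmd))
        return 0
    return subprocess.call(cmd)


def launch(argv, user=SANDBOX_USER, display=None, dry_run=False):
    """Grant X11 access to the sandbox user, then start the browser as it."""
    display = display or os.environ.get("DISPLAY", ":0")
    rc = run(x11_grant_command(user), dry_run)
    return rc if rc != 0 else run(browser_command(user, argv, display), dry_run)


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    sys.exit(launch(args or ["firefox"], dry_run="--dry-run" in sys.argv))
```

Run it with --dry-run first to see the two command lines it would execute. Because the sandbox account cannot read the admin's ~/.Xauthority (mode 600), the example grants access by uid through xhost rather than by copying the cookie; revoke it again with `xhost -si:localuser:webuser` when done. For anything that should also be safe from screen-scraping and keystroke sniffing, a nested X server (Xephyr) or a VM, as the message says, is the next step up.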
Re: Debians security features in comparison to Ubuntu
Joel Rees wrote On 17-05-14 18:20: Hmm. Early boot has problems getting enough randomness (for what?),

To seed the kernel random number generator.

so let's go get some randomness from a server somebody in the Ubuntu project set up.

I never said it was a great solution, but the lack of good quality entropy on headless (virtual) Linux systems is a real problem. I merely asked if the Debian project provides something similar, or hopefully better.

Kind regards, Richard
Re: Debians security features in comparison to Ubuntu
Emmanuel Thierry wrote On 17-05-14 18:37: Isn't it a better idea to use local entropy generators such as haveged instead of online ones?

Haveged is great, but IMHO it cannot replace a hardware PRNG.

I'm quite disturbed about using an online (and moreover third-party) service to improve the security of a local system. In my sense, this requires a huge level of trust towards the considered service.

I agree with you, but one can argue that increasing the entropy of a system by using an online service provided by the same organization that distributes the software of that system does not decrease the overall security of that system.

Kind regards, Richard
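The two sides of this sub-thread are both right, and the difference is whether the remote bytes are the only seed. Jan's and the follow-up's point: a seed the attacker can observe, or that comes from a biased generator, leaves a key with a tiny search space. Richard's point: hashing that same seed together with local entropy cannot make the key easier to guess. The following added example (not pollinate, not the kernel pool, and not code from any poster) models both with toy sizes: an 8-byte key, a remote seed assumed to have only 12 bits of freedom, and a brute-force budget of 65536 derivations, all of which are this example's assumptions.

```python
"""Why an observable or biased remote entropy source is dangerous by itself,
and why hashing it together with local entropy cannot make things worse.
Added example with toy sizes; it models neither pollinate nor the kernel pool."""
import hashlib
import os

KEY_BYTES = 8          # toy key length so the brute force finishes quickly
WEAK_REMOTE_BITS = 12  # assumption: the remote seed has only 12 bits of freedom


def derive_key(remote_seed, local_seed):
    """Mix both seeds with a hash; stands in for the kernel's pool mixing.
    A hash of (remote || local) is at least as hard to guess as either input,
    so adding a remote seed never weakens a key, whatever the remote sends."""
    h = hashlib.sha256(b"remote:" + remote_seed + b"|local:" + local_seed)
    return h.digest()[:KEY_BYTES]


def weak_remote_seed(state):
    """Remote seed produced by a generator with WEAK_REMOTE_BITS bits of state
    (or, equivalently, a seed the attacker watched go by unencrypted)."""
    return state.to_bytes(2, "big")


def brute_force(target_key, local_bits, max_work):
    """Attacker's search: every weak remote state times every local seed of
    local_bits bits, with a budget of max_work key derivations."""
    local_len = (local_bits + 7) // 8
    work = 0
    for state in range(1 << WEAK_REMOTE_BITS):
        remote = weak_remote_seed(state)
        for local_int in range(1 << local_bits):
            if work >= max_work:
                return None
            work += 1
            local = local_int.to_bytes(local_len, "big")
            if derive_key(remote, local) == target_key:
                return remote, local
    return None


def scenario_remote_only():
    """Client seeded only from the weak remote source: 4096 candidates, and the
    key falls out of the search.  Returns the (remote, local) pair recovered."""
    victim_key = derive_key(weak_remote_seed(0x5A5), b"")
    return brute_force(victim_key, local_bits=0, max_work=1 << 16)


def scenario_mixed():
    """Same remote seed, but the client first mixes in 16 bytes from os.urandom:
    the attacker's budget runs out with no hit, since every remote candidate
    now has to be paired with the unknown local bytes.  Returns None."""
    local = os.urandom(16)
    victim_key = derive_key(weak_remote_seed(0x5A5), local)
    return brute_force(victim_key, local_bits=16, max_work=1 << 16)


if __name__ == "__main__":
    print("remote only:", scenario_remote_only())
    print("mixed with local entropy:", scenario_mixed())
```

The circularity Jan points at is visible in the model: the only way to get the remote seed to the client confidentially is TLS, and the TLS handshake itself needs unpredictable bytes before the remote ones arrive. The practical consequence on Linux is that remote bytes should be written into the pool (writing to /dev/urandom mixes them in without raising the kernel's entropy estimate) and never credited as entropy, so that, as in scenario_mixed, they can only add to whatever the machine collected itself.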
Re: Debians security features in comparison to Ubuntu
Joel Rees dijo [Sat, May 17, 2014 at 10:06:41PM +0900]: The problem is, that Debian lacks a page similar to: https://wiki.ubuntu.com/Security/Features Is that page really useful? I mean, besides as a sort of sales brochure?

Agree with this. It would be nice to have such a page, but having it means we'd have to remember to keep it up to date. And it provides little value but (precisely) being a sales brochure. So... :)

I did note that the debian pages on security are a bit dated. I suppose I should lend a hand there if I can find the time. How about you, do you have the time? You don't have to start out understanding the whole list, you just have to be willing to look up the debian packages, learn how their setup works, and write down what you learned, discuss it on the appropriate lists, then write up some summaries and submit them. If you do good work, you'll be invited to assume responsibility for some of the wiki pages.

Right. And if the pages are generally seen as meaningful and well done, they might later become part of the official non-wiki webpage.

This will be an issue with any OS you choose, even seriously secure OSes like openBSD. Is OpenBSD a seriously secure OS? I suppose it's easier to get into an openbsd server than it is to fly to the moon, but if you set up an openbsd server and keep it updated, attackers will generally find it easier to try social engineering instead of attacking the server directly. Modulo the services you run, but that's true of any OS. If you are running a hypertext protocol server and it has a hole, you have a hole in your server.

That last paragraph is, I found, the most important. Very few people run OpenBSD in its default install (other than for firewalls or similar stuff). Once you set up a webserver with dynamically generated content, a DBMS, and similar stuff... Well, you will find the ports (their term for our packages) are not supported, and staying up to date is not as trivial as with Debian.

OpenBSD is a *great* project and has contributed many very important techniques. They have audited and improved many important packages (and the work they are currently doing with Open^WLibreSSL is just one such example). I would never say their work is not worth following. But as a sysadmin, many years ago I found Debian to be much preferable, because it cares about the overall security of a very large, very complex and wide-reaching set of programs, not just a core operating system around which to build whatever is needed.

Last time I checked, OpenBSD didn't provide signed packages for the package manager by default. Using OpenBSD signed packages for updating only seemed ridiculously complicated. Basically, you're supposed to buy the CDs from the project. CDs are a bit harder to spoof than dns, and they come out every six months.

The CDs are a way to support (read: fund) the project. To keep your install up-to-date, you must download (unsigned!) patches from Internet, apply them to the tree and rebuild the needed parts of the OS. You are supposed to read the patches to understand what you are doing, although I'm certain many people don't. That's why I wrote an auto-patcher back in 2003 (http://gwolf.org/soft/tepatche/, and it's amazing how bitrot affects even my webpages :-| )... But yes, nowadays I'd be much more uneasy with fetching code from a given FTP server and pushing it automatically into my systems.
Re: Debians security features in comparison to Ubuntu
On 16.05.2014 22:38, herzogbrigit...@t-online.de wrote: Hello there,

Hi

There is some info:
https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#hardening
http://www.ubuntu.com/about/about-ubuntu/ubuntu-and-debian
https://wiki.ubuntu.com/DebianImportFreeze

Practically, Ubuntu is a snapshot of Debian testing with some Debian unstable packages and the Unity desktop. http://en.wikipedia.org/wiki/Unity_%28user_interface%29

I think that where security is concerned there are very few differences, and in most cases you can quite easily enable on Debian a security mechanism that is enabled by default on Ubuntu but not in Wheezy. https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

There are some differences (root vs sudo), but I think the overall security level is about the same; Ubuntu's universe repo isn't at the same level of quality as Ubuntu's main. I think Debian has bigger high-quality repos than Ubuntu, but Ubuntu has newer packages; for me, Wheezy is bleeding edge enough even for the desktop. Yes, I know there are lots of different opinions about stable and desktop use, but I am quite satisfied with today's policy, which upgrades browsers and firmware in a timely manner.

Regards, Riku

I'm a new user of the great Debian distro for my Desktop. But when I talked to a friend and I told him, that I'm using Debian (Wheezy) for my desktop computer, he told me that I shouldn't use it because it is not secure. He told me to use Ubuntu instead. He explained that with the fact, that Ubuntu has more security features enabled than Debian (also more compiler flags for security) in a fresh install. He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features So, I'm very happy with Debian but because my friend seems to be an expert for Linux, I don't know if I can use Debian. Can you tell me which of the security features promoted by Ubuntu are also enabled in Debian? Thank you very much!
Brigitte Herzog With a free @t-online.de e-mail address your data is transmitted encrypted and stored in Germany. www.t-online.de/email-kostenlos
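The "more compiler flags for security" claim quoted above is something you can check per binary rather than per distribution; the release-notes link describes what the Debian hardening build flags turn on, and Debian ships a hardening-check script for exactly this job. As an added example (not from the thread and not Debian's script), the following Python reads an ELF64 binary's program headers and dynamic section directly and reports the same properties: PIE, RELRO (partial or full), a non-executable stack, the stack protector and FORTIFY_SOURCE. Because the verifier has no binary of its own, the block also builds a small constructed ELF image; its load address, segment layout and symbol names are assumptions of the example, and only little-endian ELF64 files are handled.

```python
"""ELF64 hardening inspector: reports PIE, RELRO level, non-executable stack,
stack protector and FORTIFY_SOURCE use, the properties Debian's hardening-check
reports.  Added example, not code from the thread or from Debian."""
import struct
import sys

ET_DYN = 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS = 0, 5, 10, 24, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0x6FFFFFFB, 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def _vaddr_to_offset(loads, vaddr):
    # Map a virtual address to a file offset through the PT_LOAD segments.
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    return None


def inspect_elf(data):
    """Return a dict of hardening properties for the ELF64 image in `data`."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    # ET_DYN means position independent; a shared library is ET_DYN as well.
    result = {"pie": e_type == ET_DYN, "relro": "none", "nx_stack": False,
              "stack_protector": False, "fortify": False}
    loads, dynamic, relro_seg, stack_flags = [], None, False, None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, _, _ = \
            PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:
            relro_seg = True
        elif p_type == PT_GNU_STACK:
            stack_flags = p_flags
    # Without PT_GNU_STACK the kernel falls back to an executable stack.
    result["nx_stack"] = stack_flags is not None and not stack_flags & PF_X
    bind_now, strtab, strsz = False, None, 0
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, DYN.size):
            tag, val = DYN.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
            elif tag == DT_STRTAB:
                strtab = val
            elif tag == DT_STRSZ:
                strsz = val
    # Full RELRO needs the read-only segment and immediate binding (BIND_NOW).
    if relro_seg:
        result["relro"] = "full" if bind_now else "partial"
    # The dynamic string table names every imported symbol: enough to see
    # whether __stack_chk_fail or a FORTIFY __*_chk wrapper is referenced.
    start = _vaddr_to_offset(loads, strtab) if strtab is not None else None
    if start is not None:
        names = data[start:start + strsz].split(b"\0")
        result["stack_protector"] = b"__stack_chk_fail" in names
        result["fortify"] = any(n.startswith(b"__") and n.endswith(b"_chk")
                                and n != b"__stack_chk_fail" for n in names)
    return result


def build_sample_image(pie=True, bind_now=True, nx=True, protector=True):
    """Constructed 512-byte ELF64 image (synthetic input, not a real binary):
    one PT_LOAD, a dynamic section, PT_GNU_RELRO and PT_GNU_STACK."""
    base = 0x400000  # assumed load address
    strtab = b"\0" + (b"__stack_chk_fail\0" if protector else b"") + b"__printf_chk\0"
    dyn = (DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now else 0)
           + DYN.pack(DT_STRTAB, base + 400) + DYN.pack(DT_STRSZ, len(strtab))
           + DYN.pack(DT_NULL, 0))
    phdrs = [PHDR.pack(PT_LOAD, 5, 0, base, base, 512, 512, 0x1000),
             PHDR.pack(PT_DYNAMIC, 6, 300, base + 300, base + 300, len(dyn), len(dyn), 8),
             PHDR.pack(PT_GNU_RELRO, 4, 300, base + 300, base + 300, len(dyn), len(dyn), 1),
             PHDR.pack(PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, ET_DYN if pie else 2, 62, 1, base, 64, 0, 0,
                     64, PHDR.size, len(phdrs), 64, 0, 0)
    image = bytearray(512)
    for off, blob in ((0, ehdr), (64, b"".join(phdrs)), (300, dyn), (400, strtab)):
        image[off:off + len(blob)] = blob
    return bytes(image)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_elf(fh.read()))
```

Run it over /usr/bin/* and compare with `hardening-check` on the same files. Two caveats the output cannot resolve on its own: a shared library is ET_DYN without being a PIE executable, and a binary that simply has no stack buffers to protect will not reference __stack_chk_fail even when built with -fstack-protector, which is why hardening-check reports that case as a warning rather than a failure.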
Re: Debians security features in comparison to Ubuntu
On 05/16/2014 04:11 PM, Riku Valli wrote: On 16.05.2014 22:38, herzogbrigit...@t-online.de wrote: Hello there, Hi There is some info https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#hardening http://www.ubuntu.com/about/about-ubuntu/ubuntu-and-debian https://wiki.ubuntu.com/DebianImportFreeze Practically, Ubuntu is a snapshot of Debian testing with some Debian unstable packages and the Unity desktop. http://en.wikipedia.org/wiki/Unity_%28user_interface%29 I think that where security is concerned there are very few differences, and in most cases you can quite easily enable on Debian a security mechanism that is enabled by default on Ubuntu but not in Wheezy. https://www.debian.org/doc/manuals/securing-debian-howto/index.en.html There are some differences (root vs sudo), but I think the overall security level is about the same; Ubuntu's universe repo isn't at the same level of quality as Ubuntu's main. I think Debian has bigger high-quality repos than Ubuntu, but Ubuntu has newer packages; for me, Wheezy is bleeding edge enough even for the desktop. Yes, I know there are lots of different opinions about stable and desktop use, but I am quite satisfied with today's policy, which upgrades browsers and firmware in a timely manner. Regards, Riku I'm a new user of the great Debian distro for my Desktop. But when I talked to a friend and I told him, that I'm using Debian (Wheezy) for my desktop computer, he told me that I shouldn't use it because it is not secure. He told me to use Ubuntu instead. He explained that with the fact, that Ubuntu has more security features enabled than Debian (also more compiler flags for security) in a fresh install. He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features So, I'm very happy with Debian but because my friend seems to be an expert for Linux, I don't know if I can use Debian. Can you tell me which of the security features promoted by Ubuntu are also enabled in Debian? Thank you very much! Brigitte Herzog

Any system (even Windows) is as secure as what you put into it. Though out of the box I think Debian Stable is probably more secure, as the packages are allowed more of an LTS cycle than Ubuntu. The biggest security hole is the user, not the software. If you're security minded, or even paranoid, you can harden Debian to ridiculous degrees.

Conrad
Re: Debians security features in comparison to Ubuntu
From my view, Debian is designed to be flexible and does not impose any unnecessary features on the user. For this reason, I find it is best for new users to operate distributions that are more targeted to their needs. Distributions such as Ubuntu come with reasonable defaults for the market they are supporting (desktop / office users in this case), while Debian is more of a base system offering “factory” defaults that are usually customized by more experienced users. The same idea can apply to the various security layers added to the system: Ubuntu may activate these layers by default, while Debian will defer these decisions to the user.

On May 16, 2014, at 3:38 PM, herzogbrigit...@t-online.de wrote: Hello there, I'm a new user of the great Debian distro for my Desktop. But when I talked to a friend and I told him, that I'm using Debian (Wheezy) for my desktop computer, he told me that I shouldn't use it because it is not secure. He told me to use Ubuntu instead. He explained that with the fact, that Ubuntu has more security features enabled than Debian (also more compiler flags for security) in a fresh install. He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features So, I'm very happy with Debian but because my friend seems to be an expert for Linux, I don't know if I can use Debian. Can you tell me which of the security features promoted by Ubuntu are also enabled in Debian? Thank you very much! Brigitte Herzog
Re: Debians security features in comparison to Ubuntu
On Sat, May 17, 2014 at 6:41 AM, Reid Sutherland r...@vianet.ca wrote: [response shifted to conversational format] On May 16, 2014, at 3:38 PM, herzogbrigit...@t-online.de wrote: Hello there, I'm a new user of the great Debian distro for my Desktop. But when I talked to a friend and I told him, that I'm using Debian (Wheezy) for my desktop computer, he told me that I shouldn't use it because it is not secure. He told me to use Ubuntu instead. He explained that with the fact, that Ubuntu has more security features enabled than Debian (also more compiler flags for security) in a fresh install. He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features So, I'm very happy with Debian but because my friend seems to be an expert for Linux, I don't know if I can use Debian. Can you tell me which of the security features promoted by Ubuntu are also enabled in Debian? Thank you very much! Brigitte Herzog

From my view, Debian is designed to be flexible and does not impose any unnecessary features on the user. For this reason, I find it is best for new users to operate distributions that are more targeted to their needs. Distributions such as Ubuntu come with reasonable defaults for the market they are supporting (desktop / office users in this case), while Debian is more of a base system offering “factory” defaults that are usually customized by more experienced users. The same idea can apply to the various security layers added to the system: Ubuntu may activate these layers by default, while Debian will defer these decisions to the user.

While there is a point to the idea that distros like Ubuntu and Mint are set up more oriented towards the beginner or the user who doesn't want to waste time on system administration, it is highly questionable whether certain of the added security features actually increase security.

-- Joel Rees Be careful where you see conspiracy. Look first in your own heart.
Re: Debians security features in comparison to Ubuntu
On Sat, May 17, 2014 at 4:38 AM, herzogbrigit...@t-online.de herzogbrigit...@t-online.de wrote: Hello there, I'm a new user of the great Debian distro for my Desktop. But when I talked to a friend and I told him, that I'm using Debian (Wheezy) for my desktop computer, he told me that I shouldn't use it because it is not secure.

Maybe he meant that he didn't figure you could secure your Debian system as well as Ubuntu secures the Debian system for some definition of average user. (Are you the average user that the Canonical team imagines?) Otherwise, he was telling you that Ubuntu is secure even though the foundation of Ubuntu is not. Which is not the case, at any rate.

He told me to use Ubuntu instead. He explained that with the fact, that Ubuntu has more security features enabled than Debian (also more compiler flags for security) in a fresh install. He gave me a link to the following site: https://wiki.ubuntu.com/Security/Features

That's a good list of all the currently fashionable security features for Linux. Some of the items in the list are meaningful, some are not. Most might be if you know what you are doing with them. None of the meaningful items in that list are unavailable on Debian, and the defaults are reasonably secure in Debian.

So, I'm very happy with Debian but because my friend seems to be an expert for Linux, I don't know if I can use Debian. Can you tell me which of the security features promoted by Ubuntu are also enabled in Debian?

Security is not a package you can buy or download. Whether you choose Ubuntu or Debian, if you are concerned about security, you need to spend time learning about it. The partly out-of-date pages that Riku gave you links to are a good place to start.

The first question I would ask (but don't answer me, of course) is how good your passwords are. This will be an issue with any OS you choose, even seriously secure OSes like openBSD. Your passwords should be at least ten characters, preferably twelve or more, include alphabet and numbers and one or two punctuation marks. One I used to use was something like MIro$0fT5t!NKs. But don't use that, of course. (When I realized that too many people know my prejudices, I decided I shouldn't use it.)

The next question is whether you allow root login. (Again, don't answer me, on or off list. Just check yourself.) If you allow root login at all, use an extra strong password for root. You probably do not want to allow root login from the network, but you may want to allow root login from the console. Changing the port sshd listens to is also a good idea. Do not surf the web as root or as any administrator login id, of course.

Speaking of admin login ids, it's a good idea to have one non-root login id that you only use for administrative tasks. And you should avoid getting onto the web when logged in with the admin id. Which means you need another id for general use, which makes two strong passwords, three if you allow root login.

If you have a habit of downloading random apps from the internet, unlearn that habit. Use your package manager instead, and think twice or more about the apps that you can't get through your package manager. (This is turning into another blog post, I think.)

Anyway, the basics of security are the same, whether you use Debian, Ubuntu, Fedora, openBSD, whatever.

-- Joel Rees Be careful where you see conspiracy. Look first in your own heart.
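Joel's sshd checklist (no root login from the network, a different port, no reliance on passwords) comes down to reading sshd_config the way sshd does: the first occurrence of a keyword wins, and anything after a Match line applies only conditionally. As an added example (not from the post), the following auditor parses the global section and flags settings that are weak or not set at all; the keyword list and messages are this example's own choices, and SAMPLE_CONFIG is a constructed file resembling a stock one, not copied from any Debian release.

```python
"""Audit the global section of an sshd_config for the settings discussed
above.  Added example, not from the post; the keyword list and messages are
this example's own, and SAMPLE_CONFIG is constructed, not copied from any
Debian release."""
import re
import sys

# keyword -> (values considered weak, why)
WEAK = {
    "permitrootlogin": ({"yes"}, "root can log in over the network; set 'no', "
                                 "or 'without-password'/'prohibit-password' to allow keys only"),
    "passwordauthentication": ({"yes"}, "password logins are exposed to guessing; prefer keys and set 'no'"),
    "permitemptypasswords": ({"yes"}, "accounts with empty passwords may log in"),
    "protocol": ({"1", "1,2", "2,1"}, "SSH protocol 1 is enabled"),
}


def parse_global(config_text):
    """Return {keyword: value} for the global section.  sshd takes the first
    occurrence of a keyword, and anything after the first Match line only
    applies conditionally, so parsing stops there."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(config_text):
    """Return a list of (keyword, finding) pairs; empty means nothing flagged."""
    settings = parse_global(config_text)
    findings = []
    for key, (bad_values, why) in WEAK.items():
        value = settings.get(key)
        if value is None:
            findings.append((key, "not set; the compiled-in default of your "
                                  "OpenSSH version applies, check it with 'sshd -T'"))
        elif value.lower() in bad_values:
            findings.append((key, f"'{value}': {why}"))
    if settings.get("port", "22") == "22":
        findings.append(("port", "22: default port; moving it trims scanner "
                                 "noise in the logs but is not a security boundary"))
    return findings


SAMPLE_CONFIG = """\
# constructed sample resembling a stock file; not copied from any release
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Match User backup
    PermitRootLogin no
"""

HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
"""


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for key, finding in audit(text) or [("ok", "nothing flagged")]:
        print(f"{key}: {finding}")
```

Point it at /etc/ssh/sshd_config; the sample run flags PermitRootLogin and PasswordAuthentication as set to yes, PermitEmptyPasswords as unset, and the default port, while the PermitRootLogin no inside the Match block is correctly ignored because it applies to one user only. For settings the file leaves unset, `sshd -T` prints the effective value, which is the one that matters.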