Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
charcircuit 5 days ago

Unfortunately, hearing this is not surprising since desktop Linux users tolerate having poor security and rely on never ever running malware to keep themselves safe over having the operating system itself protect against malware.

zahlman 4 days ago | parent | next [-]

> Unfortunately, hearing this is not surprising since [users of an OS with a built-in file permissions system] tolerate having poor security and rely on [thinking about whom to trust and primarily sourcing their software from the distro package manager] to keep themselves safe over having the operating system itself [apply heuristics to try to decide whether things the user downloaded from random web sites are malware, while completely failing to provide transparency on whether double-clicking something will supply it as data to an existing program or treat it as itself a program].

I'm not understanding how it's the desktop Linux users who have to deal with poor security.

charcircuit 4 days ago | parent | next [-]

>I'm not understanding how it's the desktop Linux users who have to deal with poor security.

On Linux Mint if you run a program without granting any extra permissions it can: Record your mic, record your camera, record your screen, steal your browser history/ cookies/passwords, alias sudo or show a fake update dialog to collect the user's password to elevate to root, see if you copied a crypto address and replace it with a similar looking one owned by the attacker, encrypt all of your files, send any sensitive pictures or documents to the attacker, etc.

The existence of a 50 year old concept of file permission is not good enough to combat the modern security problems users can encounter.

sugarpimpdorsey 4 days ago | parent | prev | next [-]

> users of an OS with a built-in file permissions system

Lot of good that will do you when Linux users will curl | bash most any garbage.

The Windows NT file permission system is far more advanced (and I'm not even including AppLocker or software whitelisting).

> thinking about whom to trust and primarily sourcing their software from the distro package manager

So "app store" is the wave of the future?

The days of Linux users using magic healing crystals to protect themselves from malware are long over. Most malware these days targets Linux servers. If you think chmod u+x is what is preventing your computer from catching digital AIDS I have news for you.

bayindirh 4 days ago | parent [-]

> Lot of good that will do you when Linux users will curl | bash most any garbage.

Same for Windows users who zoom through UAC prompts without reading.

> The Windows NT file permission system is far more advanced (and I'm not even including AppLocker or software whitelisting).

...and much more convoluted and easy to break while most systems allow unfettered access to everywhere. On the other hand SELinux and AppArmor already provide transparent system isolation for decades now, and they are completely invisible. If you want even more security, you can install an immutable distro.

> So "app store" is the wave of the future?

App stores are capitalist versions of software repositories which are present for more than 20 years now? Plus, these repositories are generally well-vetted and observed by their maintainers.

> Most malware these days targets Linux servers. If you think chmod u+x is what is preventing your computer from catching digital AIDS I have news for you.

No, instead many sysadmins who know what they're doing are depending on a layered security system, provided by Linux kernel and its peripheries. Containers, CGroups, namespaces, SELinux/AppArmor, package integrity checks, multiple limited users (with reduced capabilities as well), UNIX file permissions, and many more.

If you think Linux only has file permissions for system security, I have news for you.

charcircuit 3 days ago | parent [-]

>zoom through UAC prompts without reading.

UAC is not a security boundary, so it is not relevant when talking about security.

>SELinux and AppArmor already provide transparent system isolation for decades

If they are setup and most Linux distros only limit individual apps. So a brand new app can still run wild.

>you can install an immutable distro.

Even immutable distros let people download new software off the internet and run it.

>Plus, these repositories are generally well-vetted and observed by their maintainers.

This has been shown to be false in practice due to the xz backdoor. Maintainers do not actually vet anything other than that the code is coming from the developer. Which is also what app stores do.

akimbostrawman 3 days ago | parent [-]

>UAC is not a security boundary, so it is not relevant when talking about security.

That is there excuses but you don't seem to realize that this makes it only worse because that means there is no boundary at all.

>If they are setup and most Linux distros only limit individual apps. So a brand new app can still run wild.

new apps will be either installed from a trusted repository (often with a MAC profile) or sandboxed by default from flatpak/snap store. You don't seem to understand that the entire install process is different. You don't get your software from random sites found on Google between malware ads on Linux.

>This has been shown to be false in practice due to the xz backdoor

XZ has nothing to to with a lack of vetting and even if it was it would be an argument for it because it got caught in testing.

sugarpimpdorsey 3 days ago | parent [-]

> XZ has nothing to to with a lack of vetting and even if it was it would be an argument for it because it got caught in testing.

This is absolutely false, it was not caught in any sort of regular testing whatsoever.

It was caught by - of all people - a Microsoft employee who noticed SSH logins were taking a split second too long. Not distro packagers. The packages were already staged in the testing branches of the distros they were targeting and could have easily made it into the LTS versions had this one curious MS guy not noticed.

bayindirh a day ago | parent | next [-]

> could have easily made it into the LTS versions had this one curious MS guy not noticed.

LTS doesn't mean set in stone. Debian publishes fixes within 24 hours in most cases, even if the upstream doesn't provide any, plus some packages come with Debian's own security patches on top of upstream patches.

Linux security landscape is very different than Windows' central "we'll patch it when we patch it" stance.

akimbostrawman 3 days ago | parent | prev [-]

>This is absolutely false, it was not caught in any sort of regular testing whatsoever

>The packages were already staged in the testing branches

Thanks for making my argument for me. It was also literally caught in (Debian) TESTING.

It does not matter for who he works unless you believe a cooperation owns there employees time and achievements 24/7.

He notices something off, tested it, looked at the source code (impossible on windows ;) and reported the issue he found which got quickly and transparently (also impossible on windows) fixed. Again that is how FOSS should work and why it's superior to proprietary software.

literalAardvark 4 days ago | parent | prev [-]

Because you're starting from a poor understanding of the security process in general. File permissions are the least of your worries.

akimbostrawman 4 days ago | parent | prev | next [-]

Of course unlike windows billion dollar heightened security of getting flooded with UAC and MOTW pops up everybody is conditioned to click yes as fast as possible caused by the proven "download random executables from the first site you see on google and hope it's not malwaretising" method.

AAAAaccountAAAA 4 days ago | parent | prev [-]

The desktop security model is pretty much the same across the vendors. Somehow, Microsoft seems to get a free pass on this.