Linux Security Myths: OLF talk by Mackenzie Morgan (maco)
[Linux] people will say "there are no viruses!" - and normal users will hear "nothing bad can happen!"
...and they're wrong.
--Mackenzie "Maco" Morgan, OLF 2010
I'm liveblogging from Maco's talk at the 2010 Ohio Linux Fest (OLF) titled "Linux Security Myths," where she's going through the security exploits that "normal" Linux users can get hit by. Just because the Linux virus record is practically spotless compared to that of Windows doesn't mean us FOSS users can get off scot-free - we've still got to exercise common sense. As Maco said during her slide on phishing, "there's no patch for gullibility."
The talk started with an overview of a few common types of attacks, explaining terminology for newcomers in the audience: viruses, social engineering, trojans, worms, botnets, rootkits. Maco's slides (which will be available on her blog soon) and Wikipedia explain these better than I can, so I'll let them do that. She also talked about browser-based attacks, which are big and will be even bigger as we become more reliant on web services - sure, Internet Explorer (and its legions of vulnerabilities) isn't a problem on Linux, but Firefox and Opera and Chrom{e,ium} are cross-platform, so the same dangers apply here.
- When installing software, use the repositories provided by your distribution! Don't just click around the internet and randomly download and install things; software that makes it into a distribution's repo has been vetted and tested by that distribution and can be trusted (inasmuch as you trust code and content coming from that distribution - but in my opinion, I'd rather trust Fedora's multiple levels of sanity-checks than some random third-party developer I don't know).
- Many package managers (the software your distribution provides to help you find and install new applications - for instance, PackageKit) will tell you if the signatures of the software you're about to install seem "off" in some way. These (digital) signatures are ways for a program to say "I am the code you think you're downloading, and I was signed by the people you think actually made me," so if you get an alert that something's funny about a signature, that's a warning to pay attention to.
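To make the signature point concrete, here is an added illustration (not from Maco's talk or slides) of the check a package manager runs before installing, and the two ways a signature can be "off". The key names, the sample package and the toy RSA keys are assumptions made up for this example; real distributions use GPG keys and padded signature schemes.

```python
import hashlib

# Toy RSA keys built from well-known Mersenne primes so the example needs no
# third-party library. Trivially factorable: for illustration only.
E = 65537  # public exponent shared by both toy keys

def make_key(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"n": n, "d": d}

DISTRO_KEY = make_key(2**127 - 1, 2**521 - 1)    # hypothetical distro signing key
STRANGER_KEY = make_key(2**89 - 1, 2**607 - 1)   # hypothetical third-party key

def digest(data, n):
    # SHA-256 of the package contents, as an integer below the modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key_id, key):
    # Done by the packager, who holds the private exponent d
    return {"key_id": key_id, "value": pow(digest(data, key["n"]), key["d"], key["n"])}

def check_package(data, sig, keyring):
    """Return the verdict a package manager would act on before installing."""
    n = keyring.get(sig["key_id"])
    if n is None:
        return "UNKNOWN SIGNER"   # not signed by anyone in the trusted keyring
    if pow(sig["value"], E, n) != digest(data, n):
        return "BAD SIGNATURE"    # contents are not what that key signed
    return "OK"

# Keyring shipped with the distribution: public moduli only, no private parts.
KEYRING = {"distro": DISTRO_KEY["n"]}

package = b"constructed sample package contents v1.0"   # constructed sample
good_sig = sign(package, "distro", DISTRO_KEY)

if __name__ == "__main__":
    print(check_package(package, good_sig, KEYRING))                # untouched
    print(check_package(package + b" extra", good_sig, KEYRING))    # modified
    print(check_package(package, sign(package, "stranger", STRANGER_KEY), KEYRING))
```

The first verdict is the normal case; the other two are the alerts worth stopping for, because either the bytes changed after signing or the signer is not one your distribution vouches for.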
Actually, the sorts of points made in this talk are the ones I'd love to see turned into a one-page "Your Linux System: what you need to learn about security" guide (more cleverly named, of course) for newcomers to the Linux community - for instance, as a handout at installfests to take home with your shiny new system.
What don't new users know about security that you wish they did? What did you not know about security as a new Linux user that you later discovered and wished someone had told you from the start?