Personal computing discussed

Moderators: renee, SecretSquirrel, notfred

 
synthtel2
Gerbil Elite
Posts: 956
Joined: Mon Nov 16, 2015 10:30 am

Re: Linux Mythbusting

Sun Dec 04, 2016 3:23 pm

just brew it! wrote:
The combination of tiny market share and the large number of different distros/versions that would need to be targeted means the ROI just isn't there for the malware writers.

There's a myth that could use some busting: cross-distro compatibility is a problem. It mostly isn't. I'm in the trenches of this one all the time due to gaming on Arch, and despite most Linux games being targeted at Ubuntu, I very rarely run into any trouble.

I used to have issues once in a while, and it was always libpng12's fault (meaning 1.2, the old version). Libpng did some sloppy work, 1.2 isn't compatible with newer versions, and Arch moved to latest a whole lot faster than Ubuntu, leaving games targeting 1.2 and me without it (through the default channels, at least). It was always a pretty simple fix when it was an issue, and Arch put libpng12 back in the standard repos at some point, so it's a total non-issue now. Running into that kind of problem with any other library is once in a blue moon, in my experience.

I imagine things would go a lot worse if you tried to game on CentOS or something, as presumably too old is a lot worse than too new. Games' usual target seems to be Ubuntu 12.04 or 14.04 though, so you don't need to be on the bleeding edge of anything.

Packaging systems are more fragmented than many other parts of a distro, but you can still target the vast majority with just .deb and .rpm, and freestanding installs (.tar.gz or an executable installer) work fine for the rest. I've never run into a game that didn't make something available for a freestanding install.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Linux Mythbusting

Sun Dec 04, 2016 4:10 pm

I was thinking more in terms of the security vulnerabilities being less portable. Once you're in, yeah the payload can be made reasonably portable. Just need to stick to standard system calls and C runtime (or use a commonly available portable language like Perl or Python).
Nostalgia isn't what it used to be.
 
synthtel2
Gerbil Elite
Posts: 956
Joined: Mon Nov 16, 2015 10:30 am

Re: Linux Mythbusting

Sun Dec 04, 2016 6:24 pm

Yeah, malware would have more trouble with that; I could have been more clear in that I meant my comment to be on the entire thread, not the malware angle in particular. I do see people use cross-distro compatibility as an anti-Linux argument fairly often, and it bugs me. It's more difficult than in Windows-land, yeah, but it isn't difficult in absolute terms.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Linux Mythbusting

Mon Dec 05, 2016 5:23 am

synthtel2 wrote:
Yeah, malware would have more trouble with that; I could have been more clear in that I meant my comment to be on the entire thread, not the malware angle in particular. I do see people use cross-distro compatibility as an anti-Linux argument fairly often, and it bugs me. It's more difficult than in Windows-land, yeah, but it isn't difficult in absolute terms.

It depends on the relative ages of the distros involved and how many external dependencies the package has. If the distros are of roughly the same vintage, and/or the app/service is a simple one with few external dependencies, yeah you've got a decent chance of being able to move binaries across. But when dealing with complex applications on distros that were released years apart, you're more likely than not to fall down a dependency rabbit hole.

TBH this is largely a cultural issue (but with technical ramifications), on both sides. Yes, it's a given that the Linux ecosystem pays less attention to binary compatibility in general. To long-time Windows users this seems bizarre -- "What do you mean, I can't just got to website X, download something, and install it?" -- because they're not accustomed to the paradigm where nearly everything you need is already pre-packaged in a central, distro-specific repository. For their part, the "That's a feature, not a bug!" mindset of the Linux evangelists (no doubt driven by the foundation principle that you should have source code for everything anyway) is problematic too; it encourages developers to play fast and lose with ABIs/APIs, which causes headaches for everyone. The fragile nature of proprietary GPU drivers on Linux is due in part to the need for a "shim" module to insulate the proprietary (binary) part of the driver from potential changes to the underlying kernel ABIs it relies on; the driver installer must recompile this shim from source every time the driver is installed.
Nostalgia isn't what it used to be.
 
synthtel2
Gerbil Elite
Posts: 956
Joined: Mon Nov 16, 2015 10:30 am

Re: Linux Mythbusting

Mon Dec 12, 2016 10:19 pm

Well, wasn't this discussion timely. I just got hacked about an hour ago. Thanks to Linux, it was at least obvious right away that something was wrong. I guess I'll create a thread with more detail once it's clearer what happened.
 
whm1974
Emperor Gerbilius I
Topic Author
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Linux Mythbusting

Mon Dec 12, 2016 10:39 pm

synthtel2 wrote:
Well, wasn't this discussion timely. I just got hacked about an hour ago. Thanks to Linux, it was at least obvious right away that something was wrong. I guess I'll create a thread with more detail once it's clearer what happened.

Is this the first time you have been hacked?
 
Ninjitsu
Gerbil Team Leader
Posts: 219
Joined: Thu Feb 20, 2014 3:46 am

Re: Linux Mythbusting

Mon Dec 12, 2016 11:35 pm

just brew it! wrote:
How widespread is that myth, anyhow?

Very widespread, just like "macs/ios doesn't get viruses".
 
synthtel2
Gerbil Elite
Posts: 956
Joined: Mon Nov 16, 2015 10:30 am

Re: Linux Mythbusting

Mon Dec 12, 2016 11:47 pm

whm1974 wrote:
Is this the first time you have been hacked?

Yup.

To be a bit clearer, the smoking gun (found after some other suspicious activity) is that my computer was sending h.264 in GVSP to some IP belonging to Bell Canada (it looked like a VPS). I have a tough time imagining what would be more suspicious than that.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Linux Mythbusting

Tue Dec 13, 2016 10:20 am

sophisticles wrote:
Consider, if you do a clean install of any Windows OS, XP, Vista, Win 7/8/8.1/10, you install the OS and it defaults to a root account, with full control and ability to change any setting, registry key or install/remove/run any software as you see fit.

Not since Vista is this true. Sure, UAC is annoying, but it blocks a lot of the nasty crap that can get by when running an unrestricted admin account.

The only real difference between a UAC-protected admin account and a regular *nix user account with sudo is the method of allowing privileged execution (click vs. password). No?
Victory requires no explanation. Defeat allows none.
 
sophisticles
Gerbil First Class
Posts: 115
Joined: Sun Jul 13, 2014 7:22 am

Re: Linux Mythbusting

Tue Dec 13, 2016 11:32 am

Waco wrote:
sophisticles wrote:
Consider, if you do a clean install of any Windows OS, XP, Vista, Win 7/8/8.1/10, you install the OS and it defaults to a root account, with full control and ability to change any setting, registry key or install/remove/run any software as you see fit.

Not since Vista is this true.  Sure, UAC is annoying, but it blocks a lot of the nasty crap that can get by when running an unrestricted admin account.

The only real difference between a UAC-protected admin account and a regular *nix user account with sudo is the method of allowing privileged execution (click vs. password). No?

No. It's trivial to bypass UAC, with a password you need to code an automatic input of a password (doable) but you also need a method of figuring out the password (not that easy).
https://www.greyhathacker.net/?p=796
https://enigma0x3.net/2016/08/15/filele ... hijacking/
https://enigma0x3.net/2016/07/22/bypass ... k-cleanup/
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Linux Mythbusting

Tue Dec 13, 2016 11:37 am

sophisticles wrote:
No. It's trivial to bypass UAC, with a password you need to code an automatic input of a password (doable) but you also need a method of figuring out the password (not that easy).
https://www.greyhathacker.net/?p=796
https://enigma0x3.net/2016/08/15/filele ... hijacking/
https://enigma0x3.net/2016/07/22/bypass ... k-cleanup/

Those all require the user to accept the prompt at least one time. I see no difference between that and tricking a user into entering their password once. The effective security profile is the same...
Victory requires no explanation. Defeat allows none.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Linux Mythbusting

Tue Dec 13, 2016 11:41 am

Password might be marginally more secure, since it gives you an extra couple of seconds to ask yourself, "Wait... why is it asking me to elevate to do this?" before you hit the Enter key.
Nostalgia isn't what it used to be.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Linux Mythbusting

Tue Dec 13, 2016 11:45 am

I guess so. In the end, I see many more *nix (Mac and Linux mostily) users blindly entering passwords because they trust that the system is safe. It only takes one bad entry to own the machine.
Victory requires no explanation. Defeat allows none.
 
Glorious
Gerbilus Supremus
Posts: 12343
Joined: Tue Aug 27, 2002 6:35 pm

Re: Linux Mythbusting

Tue Dec 13, 2016 11:52 am

Waco wrote:
Those all require the user to accept the prompt at least one time. I see no difference between that and tricking a user into entering their password once. The effective security profile is the same.


Ah, beat me to it.

"It rather involved being on the other side of this airtight hatchway" lol
 
Vhalidictes
Gerbil Jedi
Posts: 1835
Joined: Fri Jan 07, 2005 2:32 pm
Location: Paragon City, RI

Re: Linux Mythbusting

Tue Dec 13, 2016 12:21 pm

whm1974 wrote:
All of this is making me wonder what other Linux myths needs to be busted?

The myth that Linux has myths.
 
whm1974
Emperor Gerbilius I
Topic Author
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Linux Mythbusting

Tue Dec 13, 2016 12:52 pm

Waco wrote:
I guess so.  In the end, I see many more *nix (Mac and Linux mostily) users blindly entering passwords because they trust that the system is safe.  It only takes one bad entry to own the machine.

That said, I'm not going to type in my password when all of the sudden my system asks me for my password out of the blue. That would be a very big red flag.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Linux Mythbusting

Tue Dec 13, 2016 1:02 pm

whm1974 wrote:
Waco wrote:
I guess so.  In the end, I see many more *nix (Mac and Linux mostily) users blindly entering passwords because they trust that the system is safe.  It only takes one bad entry to own the machine.

That said, I'm not going to type in my password when all of the sudden my system asks me for my password out of the blue. That would be a very big red flag.

Neither would I, but we (TR readers) aren't generally the type to fall for something like that. There are many that would, though, even after being trained.
Victory requires no explanation. Defeat allows none.
 
whm1974
Emperor Gerbilius I
Topic Author
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Linux Mythbusting

Tue Dec 13, 2016 2:07 pm

Waco wrote:
whm1974 wrote:
Waco wrote:
I guess so.  In the end, I see many more *nix (Mac and Linux mostily) users blindly entering passwords because they trust that the system is safe.  It only takes one bad entry to own the machine.

That said, I'm not going to type in my password when all of the sudden my system asks me for my password out of the blue. That would be a very big red flag.

Neither would I, but we (TR readers) aren't generally the type to fall for something like that.  There are many that would, though, even after being trained.

I guess this something I need to be mindful of when introducing Linux to new users.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Linux Mythbusting

Tue Dec 13, 2016 2:17 pm

I wish the UAC prompt had the option of requiring a password. That would be a real improvement as well.
Victory requires no explanation. Defeat allows none.
 
whm1974
Emperor Gerbilius I
Topic Author
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Linux Mythbusting

Tue Dec 13, 2016 2:24 pm

Waco wrote:
I wish the UAC prompt had the option of requiring a password.  That would be a real improvement as well.

I hope that would make users think twice as that is a red flag if said users are not doing anything that should require a password in the first place.
 
MileageMayVary
Gerbil XP
Posts: 370
Joined: Thu Dec 10, 2015 9:18 am
Location: Baltimore

Re: Linux Mythbusting

Tue Dec 13, 2016 2:26 pm

Waco wrote:
I wish the UAC prompt had the option of requiring a password.  That would be a real improvement as well.

It does if you take away admin rights from the account you're logged in on.
I have a box with two accounts, one with one without. Always log on with the one without. UAC prompts jump in with the other account name and ask for the password.
Main rig: Ryzen 3600X, R9 290@1100MHz, 16GB@2933MHz, 1080-1440-1080 Ultrasharps.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Linux Mythbusting

Tue Dec 13, 2016 2:40 pm

MileageMayVary wrote:
Waco wrote:
I wish the UAC prompt had the option of requiring a password.  That would be a real improvement as well.

It does if you take away admin rights from the account you're logged in on.
I have a box with two accounts, one with one without. Always log on with the one without. UAC prompts jump in with the other account name and ask for the password.

Right, but I have no chance of converting every user's account into a non-admin account. :P The default should be an account that lacks admin rights.

Since we can't have that, I wish they'd update it to at least ask for a password for the action.

EDIT: I feel like I'm being a bit two-faced here saying *nix is the equivalent to UAC. The password sets it apart for people paying attention. I'm not sure it helps much for those who don't.
Victory requires no explanation. Defeat allows none.
 
curtisb
Gerbil XP
Posts: 452
Joined: Tue Mar 30, 2010 11:27 pm
Location: Oklahoma

Re: Linux Mythbusting

Tue Dec 13, 2016 3:00 pm

Waco wrote:
MileageMayVary wrote:
Waco wrote:
I wish the UAC prompt had the option of requiring a password.  That would be a real improvement as well.

It does if you take away admin rights from the account you're logged in on.
I have a box with two accounts, one with one without. Always log on with the one without. UAC prompts jump in with the other account name and ask for the password.

Right, but I have no chance of converting every user's account into a non-admin account. :P The default should be an account that lacks admin rights.


If you're in a domain you absolutely do have that chance...and should. This is exactly what the Restricted Groups policy is for. On non-domain machines it's easy. Just remove any accounts from the Administrators group that shouldn't be admins. If they aren't in the group they can't add themselves to it. The only account that you don't have the option of specifying whether or not it's an admin at creation time is the first account you setup after Windows is installed. Any local accounts created after that can be created as a regular non-privileged user at the time of creation.
ASUS MAXIMUS VIII HERO | Intel Core i7-6700 | Zotac GTX 1080 8GB Mini | 2 x Corsair LPX 8GB | WD SN750 Black 500GB | 2 x Crucial MX200 500GB | 2 x WD RED Pro 4TB | Phanteks Eclipse | Seasonic X-850 | 2 x Samsung U28E590
 
MileageMayVary
Gerbil XP
Posts: 370
Joined: Thu Dec 10, 2015 9:18 am
Location: Baltimore

Re: Linux Mythbusting

Tue Dec 13, 2016 3:14 pm

Sorry, I was supposed to be lurking not derailing. 
Main rig: Ryzen 3600X, R9 290@1100MHz, 16GB@2933MHz, 1080-1440-1080 Ultrasharps.
 
whm1974
Emperor Gerbilius I
Topic Author
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Linux Mythbusting

Tue Dec 13, 2016 3:28 pm

One myth I keep running into is Linux is hard to learn or use by non-geeks. My dad and stepmother use Linux just fine as did a few friends I introduce it to who pick it up real quick. Of course I had install and do some configuring, but I would have to do that for Windows anyway.
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: Linux Mythbusting

Tue Dec 13, 2016 3:59 pm

Waco wrote:
I wish the UAC prompt had the option of requiring a password.  That would be a real improvement as well.


As has been noted, it does through standard users accounts or through GPO.

Computer Config > Windows Settings > Security Settings > Local Policies > Security Options

Scroll down to the bottom where all the UAC settings are.

User Account Control: Behavior of the elevation prompt for Administrators in Admin Approval Mode

This should be possible to implement in a home version of Windows via the registry.  It'd take some digging to figure that out.

Link
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
Waco
Maximum Gerbil
Posts: 4850
Joined: Tue Jan 20, 2009 4:14 pm
Location: Los Alamos, NM

Re: Linux Mythbusting

Tue Dec 13, 2016 4:33 pm

curtisb wrote:
Waco wrote:
MileageMayVary wrote:
It does if you take away admin rights from the account you're logged in on.
I have a box with two accounts, one with one without. Always log on with the one without. UAC prompts jump in with the other account name and ask for the password.

Right, but I have no chance of converting every user's account into a non-admin account. :P The default should be an account that lacks admin rights.


If you're in a domain you absolutely do have that chance...and should. This is exactly what the Restricted Groups policy is for. On non-domain machines it's easy. Just remove any accounts from the Administrators group that shouldn't be admins. If they aren't in the group they can't add themselves to it. The only account that you don't have the option of specifying whether or not it's an admin at creation time is the first account you setup after Windows is installed. Any local accounts created after that can be created as a regular non-privileged user at the time of creation.

I was speaking in general. I don't admin any Windows machines at all aside from my own at home. When I speak of users, I'm talking general population.
Victory requires no explanation. Defeat allows none.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Linux Mythbusting

Tue Dec 13, 2016 5:09 pm

whm1974 wrote:
One myth I keep running into is Linux is hard to learn or use by non-geeks. My dad and stepmother use Linux just fine as did a few friends I introduce it to who pick it up real quick. Of course I had install and do some configuring, but I would have to do that for Windows anyway.

Well, you've got the Linux evangelists promoting the myth that "there's a free equivalent for practically every Windows application", so I figure we can call that one even. You need to have a pretty flexible definition of "equivalent" to be OK with that one...
Nostalgia isn't what it used to be.
 
Chuckaluphagus
Gerbil Elite
Posts: 906
Joined: Fri Aug 25, 2006 4:29 pm
Location: Boston area, MA

Re: Linux Mythbusting

Tue Dec 13, 2016 5:30 pm

just brew it! wrote:
whm1974 wrote:
One myth I keep running into is Linux is hard to learn or use by non-geeks. My dad and stepmother use Linux just fine as did a few friends I introduce it to who pick it up real quick. Of course I had install and do some configuring, but I would have to do that for Windows anyway.

Well, you've got the Linux evangelists promoting the myth that "there's a free equivalent for practically every Windows application", so I figure we can call that one even. You need to have a pretty flexible definition of "equivalent" to be OK with that one...

There is a type of person is certain that world really does work like that: "GIMP looks like Photoshop, so therefore they're equivalent. I don't actually have any experience with image editing or processing, but how is that relevant? No, I have no idea what CMYK is, so it must not matter." *

In my experience, these people seem to find ways to insert themselves as roadblocks into the procurement process, with an astonishing amount of self-confidence and -righteousness. I once had a functionary tell me that I was not allowed to have image editing software (of any stripe) anymore for my job, because the default user image included Acrobat Reader. He was determined to not understand why that wasn't acceptable.

* I say this as someone who uses GIMP professionally, by the way.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Linux Mythbusting

Tue Dec 13, 2016 5:38 pm

Chuckaluphagus wrote:
...

* I say this as someone who uses GIMP professionally, by the way.

And I say what I said in my previous post as someone who uses Linux extensively, both personally and professionally, every single day!
Nostalgia isn't what it used to be.

Who is online

Users browsing this forum: No registered users and 1 guest
GZIP: On