My security questions about opensuse(linux)

Some weeks ago i decided to install openSuse(i have tried ubuntu before, and i am not so new to linux, i even remember the old slackware distro from many years ago, hehe). I never used linux so much like that year and last one, i have admit, the progress is easy noticeably. It took me 2-3 weeks to setup everything as i want and i really love it now. I am running KDE 4.1.

Anyway, in that moment i am using Vista/openSuse, and i really dont like Vista and Microsoft politics about software, and i am on the final step to remove it from my pc(home pcs/work), and switch to linux(suse). However, before i will do that i have some final questions, questions about security. I really need some serious answers, please, no flames.

Ok, my questions are:

  1. Open source is a beautiful concept. Does anyone from Open SuSe team, verify the source packages before make them available for download? Yes, i am referring at end user security and privacy. Are those packages 100% secure? I am not talking about possible bugs, i am talking about my privacy. What about viruses especially trojans?

  2. How far i should trust open source? I’ve seen so many packages made by individuals, how far shall i trust them? Yes, at least, IF something goes wrong with Vista you can always call Microsoft. Where is the warranty here?

  3. How come i fell much secure in Vista with Commodo Firewall/ Avast antiv? Yes, even the network connexion leds from tray bar blinking or not show me a level of security.( Sadly those leds are missing in kde ). What i should worry more? I dont run any servers, but i stil feel insecure with all applications running and no possible way to check them visually like i do in firewall… not talking about no warnings from anything when a program access the internet out/in. Do i have to install anything special?

  4. Yes, i know theoretically a secure computer is a computer unplugged from internet. How can i be sure i am runing a secure linux environment?

All advices are welcome and apreciated, thanks for reading.

Read line by line? Unlikely but the code is often audited vs changes - quite effective deterrent.

You’re using a computer connected to a network and running on hardware you don’t know anything about, there may be backdoors or flaws in the software / hardware on any platform - your internet could be tapped as we speak, the evil boogie man may be hiding under your bed too.

There is an insignificant amount of them and many of them don’t even work on all distributions - they’re not an issue, rootkits are.

If you download a program from the net for Windows which contains a backdoor/trojan/virus/other malicious software, you call Microsoft to complain about it - they’ll tell you “it’s not our problem” and tell you to contact the manufacturer of the program - in this case Mr. X.

If you have any delusions about having “a warranty” on the Windows - or any other platform, let it be Linux or Mac - don’t. Microsoft is not responsible (and doesn’t want to be) for software that you install from 3rd parties.

You should trust software to a logical extent - there are never any guarantees, for any platform. Download / install software from trusted locations - such as opensuse.org or Packman.

Because you’re overly paranoid and require blinking lights to make you think you’re in control.

Those can be altered on Windows - you can transmit information without showing any network activity for the user or you can cloak your activity inside other packets.

The street are full of criminals, aren’t they.

Ok, my questions are:

  1. Open source is a beautiful concept. Does anyone from Open SuSe team, verify the source packages before make them available for download? Yes, i am referring at end user security and privacy. Are those packages 100% secure? I am not talking about possible bugs, i am talking about my privacy. What about viruses especially trojans?

Yes, they verify them. If you use openSUSE’s package manager, it will check a generated sting of letters and numbers (called a checksum) against the one provided by openSUSE. If any of the code has been changed, the checksums will not agree, and the package manager (Yast) will not install it. In this manner, every package is securely signed by openSUSE, and verified to have come from them.

Compare this to the method provided by your safe, secure, and snuggly Windows package manager–oops, sorry, they don’t have one. Score one for open source.

  1. How far i should trust open source? I’ve seen so many packages made by individuals, how far shall i trust them? Yes, at least, IF something goes wrong with Vista you can always call Microsoft. Where is the warranty here?

As mentioned, MS won’t do crap for you unless it is a MS program, and the vast majority of the programs on a MS box aren’t from them. Even if it is, there is a 90% chance they will tell you to a) call the hardware vendor (HP, Dell, whoever) or b) reformat and re-install. You don’t have to worry about that with openSUSE, because it ships things like office suites, chat clients, etc. that are again, cryptographically signed. Score another for open source.

  1. How come i fell much secure in Vista with Commodo Firewall/ Avast antiv? Yes, even the network connexion leds from tray bar blinking or not show me a level of security.( Sadly those leds are missing in kde ). What i should worry more? I dont run any servers, but i stil feel insecure with all applications running and no possible way to check them visually like i do in firewall… not talking about no warnings from anything when a program access the internet out/in. Do i have to install anything special?

Chrysantine said it best, so I won’t re-hash. You do realize, however, that once your Windows box is owned, the trojan can easily replicate/disable/whatever those little icons in the system tray, and do something different behind your back, right? That’s why it is called a TROJAN.

  1. Yes, i know theoretically a secure computer is a computer unplugged from internet. How can i be sure i am runing a secure linux environment?

You can never be completely secure, but here are a few reasons:

  1. That little firewall you mention in Windows? It is there in Linux, and it has been since the beginning (as opposed to Windows, who just got it with what; XP SP2?). It’s built right into the kernel.

  2. Viruses are rarely written for Linux, since they will only trash your home directory (unless you are running as root). Also, files are not automatically executable in Linux–you have to give them permission to do so after you d/l them. Score another for open source. What is that now, 3-0?

  3. Code is more secure, on average, for many reasons that I will not elaborate on. There is a ton of info on the net about this if you search a little.

All advices are welcome and apreciated, thanks for reading.

Seriously, I thought you were a troll, but I tried to be civil and informative since you have 30 something posts. You might actually be serious.

On Fri, 2008-08-01 at 11:46 +0000, lasterror wrote:

> Ok, my questions are:
>
> 1. Open source is a beautiful concept. Does anyone from Open SuSe team,
> verify the source packages before make them available for download? Yes,
> i am referring at end user security and privacy. Are those packages 100%
> secure? I am not talking about possible bugs, i am talking about my
> privacy. What about viruses especially trojans?

openSUSE team? Well… there are is a community of folks working on
openSUSE and a greater community that provides most all of the software
that goes into the openSUSE distribution.

But no… there isn’t a dedicated QA/security team really. But there
is a motivation to not deliver products that do not work… obviously.

> 2. How far i should trust open source? I’ve seen so many packages made
> by individuals, how far shall i trust them? Yes, at least, IF something
> goes wrong with Vista you can always call Microsoft. Where is the
> warranty here?

Bugs in proprietary non-open sourced products are handled by stealth.
That is, the problem isn’t a problem (as far as your are concerned)
unless it gets exposed publicly. So how to you define “trust”? In
the proprietary world trust is defined as implicit trust in whatever
a corporation “says”… and not necessarily the truth.

However, if you definition of trust happens to have a dependency on
some essence of truthfulness or honesty (honor) then you may find
open source to be a refreshing change.

>
> 3. How come i fell much secure in Vista with Commodo Firewall/ Avast
> antiv? Yes, even the network connexion leds from tray bar blinking or
> not show me a level of security.( Sadly those leds are missing in kde
> ). What i should worry more? I dont run any servers, but i stil feel
> insecure with all applications running and no possible way to check
> them visually like i do in firewall… not talking about no warnings
> from anything when a program access the internet out/in. Do i have to
> install anything special?

You trust a set of blinking lights for which you have NO idea where
the source of the “blink” or “color” comes from?

In the case of FOSS, you might not get “blinking” lights, instead you
may get detailed logs which attempt to show you as much information
as possible so you can safely determine what is real or not real.
A blnking/colored light is a subjective judgment.

>
> 4. Yes, i know theoretically a secure computer is a computer unplugged
> from internet. How can i be sure i am runing a secure linux
> environment?

Hey… at least you understand that. And that’s something that most
people DO NOT understand. Oh… and that’s NOT a merely a theory…

You can be just as sure with FOSS products on Linux as you can with
proprietary closed source except with the difference that nothing
is terribly hidden in FOSS products (it can be… but at least those
things can be changed).

A proprietary product is free to LIE to you… and in fact it’s
intentional… remember a bug is a bug only if you find out about
it… otherwise, it doesn’t exist as far as your are concerned. FOSS
takes the stand that you WANT to find and expose ALL bugs. The only
way that things are improved upon is if bugs are found and dealt
with. Bug reports are GOOD thing… not a bad thing.

With proprietary software bugs are a liability, possibly with large
penalties associated with it… again, which is why it is important
that you NOT know about them for as long as possible even when
they are exposed somehow (for them, hopefully internally exposed).

>
> All advices are welcome and apreciated, thanks for reading.
>
>

Each person has to make a choice. There are always risks no matter
what piece of software you choose… be it FOSS or closed/proprietary.

However, the argument that closed/proprietary is better, more secure
or of higher quality is simply propaganda.

About point 1. if i understand correctly, the packages come from build service with out any checking, right? (Yeah, i am referring strict at opensuse repo)

No.

Well, to my understanding, one has to apply to get some space on the build service. I do not know what checking might go on for these people.

What I was referring to were the repositories that come straight from the project, and not the “extra” people. Repos such as the “update” repo, or the KDE or GNOME ones. Those are completely safe. Also, they are signed, as I mentioned, so you know exactly who wrote them. That, coupled with the fact that they are open source, means that if someone actually had the cojones to write a virus, and the wherewithall to get it into the build service, would still be discovered pretty quickly.

That is probably the main point that you are missing. If you install software in the proprietary world, you don’t get to see that code (and nobody else does, either). Thus, it is relatively easy for a programmer to write some backdoor or shady code. It doesn’t happen in Linux, because the source is required.

cjcox wrote:
> On Fri, 2008-08-01 at 11:46 +0000, lasterror wrote:
>
>[Snip]
>
>> 2. How far i should trust open source? I’ve seen so many packages made
>> by individuals, how far shall i trust them? Yes, at least, IF something
>> goes wrong with Vista you can always call Microsoft. Where is the
>> warranty here?
>
> Bugs in proprietary non-open sourced products are handled by stealth.
> That is, the problem isn’t a problem (as far as your are concerned)
> unless it gets exposed publicly. So how to you define “trust”? In
> the proprietary world trust is defined as implicit trust in whatever
> a corporation “says”… and not necessarily the truth.
>
> However, if you definition of trust happens to have a dependency on
> some essence of truthfulness or honesty (honor) then you may find
> open source to be a refreshing change.
>
>
Though that isn’t always the case, sometimes closed source apps can be
trusted too.
>> 3. How come i fell much secure in Vista with Commodo Firewall/ Avast
>> antiv? Yes, even the network connexion leds from tray bar blinking or
>> not show me a level of security.( Sadly those leds are missing in kde
>> ). What i should worry more? I dont run any servers, but i stil feel
>> insecure with all applications running and no possible way to check
>> them visually like i do in firewall… not talking about no warnings
>> from anything when a program access the internet out/in. Do i have to
>> install anything special?
>
> You trust a set of blinking lights for which you have NO idea where
> the source of the “blink” or “color” comes from?
>
> In the case of FOSS, you might not get “blinking” lights, instead you
> may get detailed logs which attempt to show you as much information
> as possible so you can safely determine what is real or not real.
> A blnking/colored light is a subjective judgment.
>
A lot of those “non-FOSS” firewalls have logs too that you can check. It
isn’t like it just blinks to give you a false sense of security, you get
logs to read to make sure.
>> 4. Yes, i know theoretically a secure computer is a computer unplugged
>> from internet. How can i be sure i am runing a secure linux
>> environment?
>
> Hey… at least you understand that. And that’s something that most
> people DO NOT understand. Oh… and that’s NOT a merely a theory…
>
No it is a theory. As long as there is physical access to a computer
there is a possibility of intrusion.
> You can be just as sure with FOSS products on Linux as you can with
> proprietary closed source except with the difference that nothing
> is terribly hidden in FOSS products (it can be… but at least those
> things can be changed).
>
As long as you can code. Otherwise, you are in the same boat as the
closed source camp.
> A proprietary product is free to LIE to you… and in fact it’s
> intentional… remember a bug is a bug only if you find out about
> it… otherwise, it doesn’t exist as far as your are concerned. FOSS
> takes the stand that you WANT to find and expose ALL bugs. The only
> way that things are improved upon is if bugs are found and dealt
> with. Bug reports are GOOD thing… not a bad thing.
>
> With proprietary software bugs are a liability, possibly with large
> penalties associated with it… again, which is why it is important
> that you NOT know about them for as long as possible even when
> they are exposed somehow (for them, hopefully internally exposed).
>
>
I disagree with the thought that proprietary apps intentionally lie to
people. That is just a load of FUD. There are just too many reasons why
people used proprietary licensing models and it is FUD to believe the
main reason is to lie to uses so that their bugs aren’t found.
>> All advices are welcome and apreciated, thanks for reading.
>>
>>
>
> Each person has to make a choice. There are always risks no matter
> what piece of software you choose… be it FOSS or closed/proprietary.
>
> However, the argument that closed/proprietary is better, more secure
> or of higher quality is simply propaganda.
>
>
And vice-versa. The only argument that is truthful is no matter what OS
you use, if you are vigilant on securing it then you will have less to
worry about. A Windows machine can be just as secure as a Linux one just
like a Linux box can be as insecure as its Windows counterpart. Anything
else is just a delusion.

Only running all the software apps you describe in windows thrashes your system.

A well configured hardware firewall is much more effective than some 3rd party software.

Most of us in Linux world don’t use anti-virus. (rkhunter maybe)

I have not once had an issue using Linux. I cannot say the same for M$.

Plus, if you are really really paranoid you can always find the source and compile it yourself after reading and contemplating it in its entirety. Though this would be silly due to the many checks as described by the previous posts.

Actually, that’s not true any more. The OBS has been opened up to all community members. If you have an openSUSE login (which, of course, anyone posting on this forum does), then you can create a personal repo on the OBS.

The member repos always show up under /home:, so that’s a potential indicator that a repo is not officially openSUSE. Of course, some devs use /home: repos for testing builds or doing things outside of core openSUSE work, so it’s not a hard-fast indicator.

Just something to consider, especially with the OBS search service. Newer or less-experienced users should avoid installing anything from /home: repos unless they have received some sort of validation that it is ok to do so (ie. endorsements from senior members of this forum, or from the openSUSE devs on their blogs or the ML, etc.). You don’t know what you’re getting, otherwise. And that’s not to say it’s necessarily malicious or evil, but some of the stuff you’ll find in /home: is developmental or experimental, and can bork a system in a flash.

Only mentioning that point because the OBS search service includes /home: when searching for packages, without proper context. I’ve always though that was a bit of a flaw, and should at least be a selectable option.

Don’t want to make it sound like doom-and-gloom, I’ve actually downloaded many brilliant things that I’ve found from users in the /home: repos in the past; updated drivers, newer applications, patched libs etc. I just do so with eyes wide open.

But as far as the rest of the openSUSE repos, they’re about as safe as can be reasonably expected for a community-based distro, maybe even more so since this particular commmunity-based distro forms the basis for a commercial enterprise-based distro.

I wouldn’t want to mislead people and imply that every line of code in the OBS is inspected, because that simply isn’t true, for openSUSE or any other distro. But I agree that certainly the code is trustworthy.

Hope this all makes sense and I haven’t confused things…

Cheers,
KV

Ok, so as far as i understand until now, new questions comes in my mind.

Apparently, there is no special service from Novel to check even “official” openSuse repo.

Peoples please stop telling me that i am trolling here, is just a question if those packages before be available for download are checked, dont go blind with the idea that everything on is secure, even you are on linux. I didnt tell that windows is more secure also, probable windows have much more security problems that linux, considering the file system rights and how the system is working. Installing legit software avoid you usually to have some problems. Thats why i am asking about the openSuse repo, and update repo.

On the other hand, you peoples talk about kernel firewall. Kernel firewall is not an application firewall, is a port filtering with powerfull rulles. Port filtering dont make your system more secure. As long as you have a “problem” application in memory who can open a single port or send data on a single port there is a possible security problem. From end user view, not everybody know to make iptables rules, for a beginer is really hard to understand how iptables is working. My question was exactly about application “firewall”, giving right or declining what application can use the internet is really useful in my opinion. Is not about paranoia here, even for a crash report, IF i dont want any data to be send to vendor, I MUST have a posibility to stop that, because, everything about my computer is part of my privacy. Thats just a banal example, i am not talking about even more destructive programs. So, any application who can send data or receive can break your privacy, is just a principle. Yes, dont really matter what you are doing with computer, privacy is privacy, and is respected by law, or should be:) Now, the real question, is there any application who implement the soft apps firewall (even you have a hardware firewall) ?

Agreed on OBS, if anyone can create and account and put sources for build, there is no warranty at all here.

You probably want something like NuFW - An authenticating Firewall then.

But how will you know when an app is doing normal activity and when it’s sending info you would prefer it not to? Firewalls are not clairvoyant, they don’t know which bits of data are your private data and which bits you don’t mind being sent. Is your IP private data? IP addresses can be matched to geographic localities. Is your name private data? If you have given your suburb, they can probably narrow down to your home address from public electoral rolls. What about your browsing habits? Google has a trail of all the searches done by you, if you can be linked to the IP address used.

So these concerns are real and valid, but they go deeper than superficial questions about which platform or firewall you are running.

Because you are.

Everything you’ve asked so far is clearly evident to anyone who doesn’t have an agenda (or isn’t braindead) or can be googled up in 30 seconds.

I don’t honestly know what makes you people tick. Do you get off from annoying other people on purpose?

Man, I have to agree with Chrysatine:

What the heck!
I think you should stick with Windows
I said it once: now again
HARDWARE- FIREWALL

Now that wasn’t nice. Personally, I would rather ask people that know, like you, than trust what I find by Googling for it. 'tis one of the reasons we have a community here…so people can come and learn. Please don’t try to offend other community members. If, indeed, this person is a troll, it would be nice to show them what a nice, helpful community we are.

Maybe it wasn’t nice, but it was true. There was nothing wrong with the OP’s first post, but things have been explained to him/her during the thread, and he/she is still asking the same questions. It is also evident that OP doesn’t understand what a “firewall” is. A firewall is a piece of software that filters by port and interface. It, in and of itself, is not meant to be an application security program–it is meant to handle and direct network traffic. Restricting applications in certain firewalls that run on Windows is an extra thing they throw in, particularly because of the number of shady programs that try to phone home w/o asking the user, or for some inept trojans.

To the OP: we have answered all of your questions, specifically the ones pertaining to checking the software from the openSUSE official repos. Many apps need to be able to send traffic out, and won’t function properly w/o the ability. If you want to restrict what apps can reach the outside world, I would guess that you could use AppArmor to do that. I say guess, because I have not used it to do so, but the whole purpose of AppArmor is to restrict the abilities of apps on your system, so I would say it should be possible.

Good info–thanks! I thought there was something that people needed to do, but I guess that was at the very beginning, or maybe I was just wrong. Either way, it’s good to know in case I decide to start a new project or something, I can use it!

Interesting Link. I had not read of that Linux project before.

I note the last SuSE rpm for it was built by user-scorot for SuSE-9.3, which was no old version of nufw:
ftp://ftp.gwdg.de/pub/linux/misc/suser-scorot/suse93/RPMS/i586/
I spent about 15 minutes trying to compile the latest version, and gave up. I ran into problems with lnfnetlinks and libnetfilter_queue, where the webpin packages were inadequate (not recognized). So its not an easy package to custom compile.

But it appears Gentoo, mandriva and debian have this firewall packaged for ready use.

Despite my finding this level of tracking rather neat, I agree with your follow-up comment.

I also think such a firewall is needless bloat and overkill, and if one can’t trust an openSource application to access the web properly, why would give more credence to an openSource firewall?

There can be paranoia on top of paranoia, on top of paranoia, with no end to it.

A fundamental concept, that I think lasterror is missing is the openSource concept of responsibility that comes with free software (per the free software foundation definition) and with openSource software. When users develop opensource free software, they don’t do so under some false name. They do so under their own.

Their reputation, the view that other’s hold of them, are accountable to the open source free software community. If one were to deliberately try to hide code in an opensource project, to unethically access the web, they would be found out, and their name badly bandied all over the place.

They don’t’ have the veil of secrecy to hide that coders of proprietary software have. Coders of proprietary software do not provide their source (only binary) and proprietary software coders also have a corporation to hide behind to protect the name of the individual coders. Opensource software coders often do not have that. Or if opensource software is provided by a Corporation, then that corporation is accountable, and if users don’t like unethical code, there will be a software fork (since the software is free open source).

That is so basic and fundamental, I think lasterror needs to contemplate this some more. What does this difference fundamentally mean?

Now if one runs packages under wine (with no source code) or runs binaries under Linux (with no source code available) then one could indeed benefit from such a package. That is why many, and I dare so most, of us in Linux do not run binaries where the source code is not provided.

I think that basic concept needs to be understood.

No, you have understand me wrong. As much as linux will be widely adopted, the viruses/mallware/etc problems will target it also.

Secondly, i dont agree with you about devs of open source. Anyone can start a free project under a mailbox, and is open source, no need to provide real name and so on. How can you trust it? Did they give any real information to respond in front of the law some how? I doubt it.

On the other hand, installing only legit software and official repos from distros can save you from potential problems.

In that cases such an application firewall CAN help, theoretically. About firewall resouces, nobody cares today, we have 2xcore cpus, 4xcore cpus… and soon 8xcore cpus, with lots of gigs of ram… be ready for future. Security is much more important.

Time will prove if i am wrong or not.

Ok, thats to much, i was expected a friendly community here, where we can talk about everything.

That was my last post on those forums, I am out from here. Good luck with your “antitroll war”.