[conspire] Re: a distribution 4 incompetents

Rick Moen rick at linuxmafia.com
Wed Jan 12 13:23:11 PST 2005


Hi, Bruce.  I'm answering your query here rather than on
svlug at lists.svlug.org for sundry reasons.  Because you posted it
elsewhere, here's your entire post:

----- Forwarded message from Bruce Coston <jane_ikari at yahoo.com> -----

I just put the new ProMEPIS 2005 beta 03 on a friend's box. I believe
the firewall is on by default.  I got him to not run the default Apache
server.  He eventually remembered the root password, so I didn't have to
reinstall again and again, as when I got Kanotix working for him.
The firewall bit is important, since he ditched all the anti-malware
programs from his Windows OS, since one of them seemed to prevent him
from browsing the Internet, probably because his older Windows box has
an XP-type infection that does nothing to him -- so his malware cleaners
don't fix it, but probably Zone [Alarm] firewall detected it and
prevented him from spreading it by blocking his Net access with 0
explanations.  I asked him to install the different anti-malware stuff I
recently switched to, for that reason. 

The question is:  Does a distribution exist that works better for a guy
like this, given that he won't spend $$? 

Since this guy is actually possessed of average intelligence, is there
any way to avoid the >50% malware/spam/pollution content of Internet
traffic, other than forced patching at the ISP level? My finite
understanding of game theory says that without this draconian
enforcement of social policy, kind of like what makes Debian work as
well as it does, chaos is guaranteed given the relevant costs for
misbehavior:  Therefore I must wonder why we don't have legislation
enforcing this.  Is it companies that wanna get rich selling anti-malware
and don't care about the consequences?  Honestly, at 50%, we need to
declare the emergency and act accordingly.

Average people seem TERRIFYINGLY stupid about Net security; they won't
spend the money or even just get a free download when they need to!

----- End forwarded message -----


Some of your concerns are "How do I make MS-Windows systems better?"
questions, which are interesting and worthwhile, but I'm not going to 
address them here.  You may find this page of some tangential interest:
http://twiki.iwethey.org/twiki/bin/view/Main/WindowsRescueDisk

> He eventually remembered the root password, so I didn't have to
> reinstall again and again, as when I got Kanotix working for him.

You should never have to reinstall merely because you don't know the
root password.  Intending no criticism of you in saying this (I know the
temptation to blow everything away when faced with a frustrating
situation), it's a standard question, and there are standard, quick,
remedies.  You actually don't have to remember how to do it, either:
Just google for:

   "lost root password" linux

Suffice it to say:  You can _always_ break in, with a couple of minutes'
work, given physical access to the box and its console.[1]

> The firewall bit is important....

A "firewall" (IP-filtering script) isn't a magic talisman.  It's useful
to study what it does and doesn't do, and consider threat models.  IP
filtering has no relevant effect within many system-security threat
models.

> The question is:  Does a distribution exist that works better for a
> guy like this, given that he won't spend $$?

I'm a little unclear what scenario you're proposing.  You could mean a
Linux box that mediates his access to the Internet from (e.g.) Windows
XP boxen on his inside (house) LAN.  Or you could mean a Linux
distribution suitable for such a person _instead_ of Windows XP, that
would run on a box exposed to an Internet connection.

That said:

Basic fact #1:  A sufficiently reckless person can always find ways to
shoot himself in the foot.  (See mottos about "foolproof" systems.)  So,
one is possibly seeking fool-tolerant systems, and/or systems
recoverable from fool-inflicted damage with minimal pain.

Thus, for example, attacks that are 90%+ "social engineering" are always
of some concern, e.g., a net.random sends anonymous e-mail to said fool
advising him to do something mind-bogglingly stupid, and the fool
complies.  For one example, please see my comments on the October 2004
"phishing attack" on gullible Red Hat users:

http://www.oreillynet.com/cs/user/view/cs_msg/46829
http://www.oreillynet.com/cs/user/view/cs_msg/46832

Defensively engineered *ix systems try to make the cautious way the easy
way, and the easy way the cautious way.  RH/Fedora users since RH7.0
(Sept.  2000) have attempted to drum into the heads of user/admins that
their updates come through RHN:  Any fools who went for the "phishing"
attack (or a hypothetically more-competent attempt along the same lines)
would have had to have been willing to _go outside the maintenance
regime_, become root, and install software from a dubious source.

Ultimately, no amount of careful system design can prevent such
user-driven screwups entirely; they can only give people cues that
they're fighting/circumventing the system's design, and hope user
inertia (if not a sense that he's being talked into doing something
peculiar and dangerous) will lead the candidate victim to avoid doing
the wrong thing.


Your key question appears to be:

> Is there any way to avoid the >50% malware/spam/pollution content of
> Internet traffic?

Do you mean _avoiding_ the traffic, or not being hurt by it?

It should be obvious that the only way to not encounter that traffic at
all, at one's local site, is to eliminate it upstream.  Doing that is a 
bit beyond the scope of this discussion, but many people attempt it
using proxies interposed between the machines to be protected and likely
sources of harm.  E.g., put a carefully set up, dual-homed Linux/BSD box
between one's network and the Internet, use it to process all mail in or
out, and mediate other transactions through a transparent Squid proxy
with custom filters.  (Expect to spend some time writing regular
expressions, and know that only some threat models will be addressed.)

Short of that, not _seeing_ the crap traffic on a local host level
generally means effective local filtering or rejection.  (For my
purposes, malware in e-mail is functionally indistinguishable from other
spam, so it's all basically a spam problem.)  My own antispam regimen is
to detect and reject almost entirely at the MTA (SMTP server) level.
Views differ.<tm>

As to not being hurt by Linux/BSD exploits, worms, trojan horses:  

1.  Use a currently maintained distribution that seems to have 
    sane security policies.
2.  Apply needed updates without delay.  ("Needed" is a term of art,
    here, and a whole separate discussion.  What is needed in 
    particular is situation-dependent.)   If the process isn't 
    painless and semi-automated, you're on the wrong distribution.
3.  Subscribe to and skim-read the distro's security-alerts mailing
    list to make sure.
4.  Backups.  Tested.  And known-good reinstallation media, in case
    needed.  ("Known-good" is likewise a term of art.  You do check
    md5sums on ISOs, right?  But do you also make very sure that the
    md5sum files are crypto-signed using a signature you have reason
    to trust?  Or that you got the file from someone who checks?  
    No?  Then, fix that.)

Other standard advice about managing system configuration and ensuring
one's means of recovery also applies.  (Am I saying that "incompetents"
-- your term -- will tend to do all or even most of those things?  No,
I'm not.  In particular, few users even try to do meaningful backup, and
most don't even have a clear notion of where their data files are.  This
is a serious long-term problem.)

Your friend might be happy with a Linux live CD distribution.  Maybe
Ubuntu Linux, maybe one of the numerous others.  One of the benefits is
the write-protected media, and security consequences thereof.

I remember an amusing example of a homebuilt Linux host the size of a
matchbox that a guy at Stanford put on the Internet, running a tiny Web
server and telnet daemon, which was then covered on Slashdot.  I have a
mirror of the site, here:

http://linuxmafia.com/wearables/

Creator Vaughan Pratt deliberately left the root password set to null,
and allowed telnet login of the root user, just for entertainment value:
http://linuxmafia.com/wearables/log.txt

About every hour or so, Pratt would power-toggle the host, kicking out
the intruders boasting about having "broken in".


[1] Pedants will cite measures that can be enacted to erect obstacles,
such as omitting removable media from the boot order, and
password-protecting the BIOS and bootloader.  "BIOS Passwords" on
http://linuxmafia.com/kb/Hardware/ lists the built-in service passwords
for commodity ROM BIOSes; that plus an LNX-BBC, a Tom's Root-Boot
floppy, or putting the hard drive in a second box will defeat all
obstacles except an encrypted root filesystem, which you're staggeringly
unlikely to encounter.

-- 
Cheers,                                      Hardware:  The part you kick.
Rick Moen                                    Software:  The part you boot.
rick at linuxmafia.com
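Item 4 of the list above (check the md5sums on your ISOs, but also make sure the md5sum file itself carries a signature you trust) is easy to get backwards: people compare hashes first and never ask who published the hash list.  The following is an added example written for this page, not Rick's code and not any distribution's own tooling.  It parses the `md5sum`/`sha256sum` output format, refuses to use the checksum list until a signature check has passed, and only then compares the ISO's digest.  The `gpg` invocation, the file names `MD5SUMS` / `MD5SUMS.gpg`, and the sample data are all assumptions; the sample ISO bytes and their checksum list are constructed inline so the block runs offline.

```python
"""Verify a downloaded ISO against a checksum list, trusting that list only
after its detached signature has been checked.

Added example for this page; not the original author's code, nor any
distribution's release tooling.  File names and the gpg command line are
assumptions; the sample ISO and checksum text below are constructed."""
import hashlib
import re
import subprocess
from typing import Callable, Dict

# One line of md5sum/sha256sum output: "<hex>  <name>" (text mode)
# or "<hex> *<name>" (binary mode).
_SUM_LINE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

# Hex-digest length tells us which hash produced it.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_sums(text: str) -> Dict[str, str]:
    """Parse checksum-list text into {filename: lowercase hex digest}.
    Blank lines and '#' comments are skipped; anything else malformed raises."""
    sums: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if len(digest) not in _ALGO_BY_LEN:
            raise ValueError(f"unrecognised digest length: {line!r}")
        sums[name] = digest
    return sums


def gpg_signature_ok(sums_path: str, sig_path: str) -> bool:
    """Real-world signature check (assumed file layout): ask gpg to verify the
    detached signature over the checksum list.  gpg exits non-zero on a bad
    signature *or* on a key it does not know, so this passes only when the
    signing key is already in the local keyring, i.e. you chose to trust it."""
    result = subprocess.run(
        ["gpg", "--batch", "--verify", sig_path, sums_path],
        capture_output=True,
    )
    return result.returncode == 0


def verify_iso(iso_name: str, iso_bytes: bytes, sums_text: str,
               signature_ok: Callable[[], bool]) -> str:
    """Return 'ok' only when the checksum list is signed by a trusted key AND
    the ISO's digest matches its entry.  Any other outcome returns a reason.
    Order matters: an unsigned list is rejected before any hash is compared."""
    if not signature_ok():
        return "untrusted: checksum list has no valid signature"
    sums = parse_sums(sums_text)
    if iso_name not in sums:
        return f"unlisted: {iso_name} not in checksum list"
    expected = sums[iso_name]
    algo = _ALGO_BY_LEN[len(expected)]
    actual = hashlib.new(algo, iso_bytes).hexdigest()
    if actual != expected:
        return f"mismatch: {algo} differs from checksum list"
    return "ok"


# Constructed sample data (not a real release): a tiny stand-in "ISO" and a
# checksum list derived from it, plus a tampered copy.
SAMPLE_ISO = b"constructed stand-in for an ISO image\n"
SAMPLE_SUMS = f"{hashlib.md5(SAMPLE_ISO).hexdigest()}  example.iso\n"
TAMPERED_ISO = SAMPLE_ISO + b"extra byte\n"


def demo() -> Dict[str, str]:
    """Run the three outcomes a practitioner should expect to see."""
    trusted, untrusted = (lambda: True), (lambda: False)
    return {
        "signed_and_matching": verify_iso("example.iso", SAMPLE_ISO, SAMPLE_SUMS, trusted),
        "signed_but_tampered": verify_iso("example.iso", TAMPERED_ISO, SAMPLE_SUMS, trusted),
        "unsigned_list": verify_iso("example.iso", SAMPLE_ISO, SAMPLE_SUMS, untrusted),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In real use, pass `lambda: gpg_signature_ok("MD5SUMS", "MD5SUMS.gpg")` as the `signature_ok` argument; the stub lambdas in `demo()` exist only so the block runs without gpg or a keyring.  The design point is that the digest comparison is unreachable until the signature check returns true, so "I checked the md5sum" can never mean "I checked an md5sum the attacker also supplied."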