[conspire] (forw) Re: [svlug] a distribution 4 incompetents

Rick Moen rick at linuxmafia.com
Wed Jan 12 16:40:53 PST 2005

My friend Karsten had a reply to Bruce, on _other_ aspects of Bruce's
concerns, and I thought it'd be of interest here, too.

----- Forwarded message from "Karsten M. Self" <kmself at ix.netcom.com> -----

Date: Wed, 12 Jan 2005 15:43:06 -0800
From: "Karsten M. Self" <kmself at ix.netcom.com>
To: svlug at lists.svlug.org
Subject: Re: [svlug] a distribution 4 incompetents

I'm not sure if you're saying you've _found_ the distro for
incompetents, or are looking for same...

on Mon, Jan 10, 2005 at 11:46:41PM -0800, bruce coston (jane_ikari at yahoo.com) wrote:

> I just put the new pro-mepis 2005.04? beta on a friends box. 

Haven't tried it, but hear good things.

> I believe the firewall is on by default, i got him to not run the
> default apache server. He eventually remembered the root password so i
> didn't have to reinstall again and again like when i got Kanotix
> working for him. 

Root password recovery is _not_ something which requires a reinstall. 


...at boot prompt, remount root FS writeable, issue 'passwd' command,
sync, remount root FS read-only, and reboot.

For a more complete description specific to your bootloader, Google

> The firewall bit is important since he ditched all the anti-malware
> programs from his windows O.S. 

You're apparently suggesting that GNU/Linux would be served by the
legacy MS Windows anti-malware programs.  In general, not.

GNU/Linux isn't vulnerable to the vast majority of legacy MS Windows
exploits (some browser vulnerabilities excepted).  Viruses are
effectively Not A Problem[1].  There are utilities to check for rootkits
(not exploits themselves, but tools to leverage an existing exploit).

GNU/Linux security is largely a measure of:

  - Keeping software up-to-date.  All major distros offer tools to
    largely automate this process.

  - Minimizing network services.  Don't offer services you don't need.

  - Firewalling unneeded services.  Some argue this is unnecessary.  I
    consider it a belt-and-suspenders approach.  If you're not offering
    services, you should block all low-numbered ports (< 1024),
    particularly for non-local network segments.  The typical exceptions
    are SSH and possibly HTTP (ports 22 & 80).

  - Monitoring for unusual activity.  Tools such as chkrootkit, swatch,
    and snort can be used for this.

While commercial router/firewalls are of somewhat limited utility (and
require their own maintenance w/ firmware updates, etc.), your friend
might also benefit from same.  Cost is now low (< $100).

> since one of them seemed to prevent him from browsing the internet,
> probably because his older windows box has an xp type infection that
> does nothing to him so his malware cleaners don't fix it but probably
> zone firewall detected it and prevented him from spreading it by
> blocking his net access with 0 explanations. 

There's an essay I need to write on ease-of-use at some point....

> I asked him to install the different anit-malware stuff I recently
> switched to for that reason. 

Could you clarify why you're apparently trying to install legacy MS
Windows-based anti-malware on a GNU/Linux system?

> The question is does a distribution exist that works better for a guy
> like this given that he won't spend $$? 

The general buzz I've heard on Mepis is good.  Ubuntu is another
newbie-oriented distro[2] which seems to be both trivial to configure
and security concious.

There are security advantages to running a bootable distro (Mepis,
Knoppix, etc.) with only user state on the HD.  Upgrading is simply a
matter of burning a new disk.  However performance is markedly slower
than a native install.  I'd consider this a moderately severe solution.

> Since this guy is actually posessed of average intelligence, is there
> any way to avoid the >50% malware/spam/pollution content of internet
> traffic other than forced patching at the ISP level? 

See above.  GNU/Linux is largely immune to the problems plaguing legacy
MS Windows systems.

This *doesn't* mean you can't intentionally shoot yourself in the foot.
If your friend installs malware intentionally, he's hosed.  However
there are a number of reasons people typically don't do this.  I've
written an essay touching on this following a New York Times article I
was interviewed for:


If you _don't_ provide your friend root access, automate security
updates, and check the system yourself periodically (say,
weekly-monthly), he should do OK.

Additionally, few ISPs take any effective security countermeasures.
There's no margin in it.

> My finite understanding of game theory says that without this
> draconian enforcement of social policy, kind of like what makes debian
> work as well as it does, chaos is guaranteed given the relevant costs
> for misbehavior: 0: 

See the essay above.  The section titled "Some Cultural Observations" in
particular addresses *why* the situation in the legacy MS Windows world
is as bad as it is, and why it's very unlikely to improve.

It also addresses why the GNU/Linux model, and Debian specifically,
works so well.

> ...therefore I must wonder why we don't have legislation enforcing
> this. Is it companies that wanna get rich selling anti-malware and
> don't care about the consequences? Honestly, at 50% we need to declare
> the emergency and act accordingly.

Well, there _are_ laws, and the overwhelming evidence is that they don't
work.  IMVAO, cultural prerogatives trump legislation.
> Average people seem TERRIFYINGLY stupid about net security, they won't
> spend the money or even just get a free download when they need to!


My current advice is "buy a Mac, though I run GNU/Linux myself".  The
legacy MS Windows platform is dead, dead, dead from a security PoV.



1.  There *are* virus scanners for GNU/Linux.  These are almost
    exclusivley aimed at systems which are providing services, generally
    email or fileserver, for legacy MS Windows systems.

2.  ...with a considerable following along GNU/Linux veterans as well.

Karsten M. Self <kmself at ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Many hands make light work.

svlug mailing list
svlug at lists.svlug.org

----- End forwarded message -----

More information about the conspire mailing list