[conspire] (forw) Re: [svlug] a distribution 4 incompetents
rick at linuxmafia.com
Wed Jan 12 16:40:53 PST 2005
My friend Karsten had a reply to Bruce, on _other_ aspects of Bruce's
concerns, and I thought it'd be of interest here, too.
----- Forwarded message from "Karsten M. Self" <kmself at ix.netcom.com> -----
Date: Wed, 12 Jan 2005 15:43:06 -0800
From: "Karsten M. Self" <kmself at ix.netcom.com>
To: svlug at lists.svlug.org
Subject: Re: [svlug] a distribution 4 incompetents
I'm not sure if you're saying you've _found_ the distro for
incompetents, or are looking for same...
on Mon, Jan 10, 2005 at 11:46:41PM -0800, bruce coston (jane_ikari at yahoo.com) wrote:
> I just put the new pro-mepis 2005.04? beta on a friends box.
Haven't tried it, but hear good things.
> I believe the firewall is on by default, i got him to not run the
> default apache server. He eventually remembered the root password so i
> didn't have to reinstall again and again like when i got Kanotix
> working for him.
Root password recovery is _not_ something which requires a reinstall.
...at boot prompt, remount root FS writeable, issue 'passwd' command,
sync, remount root FS read-only, and reboot.
For a more complete description specific to your bootloader, Google
> The firewall bit is important since he ditched all the anti-malware
> programs from his windows O.S.
You're apparently suggesting that GNU/Linux would be served by the
legacy MS Windows anti-malware programs. In general, not.
GNU/Linux isn't vulnerable to the vast majority of legacy MS Windows
exploits (some browser vulnerabilities excepted). Viruses are
effectively Not A Problem. There are utilities to check for rootkits
(not exploits themselves, but tools to leverage an existing exploit).
GNU/Linux security is largely a measure of:
- Keeping software up-to-date. All major distros offer tools to
largely automate this process.
- Minimizing network services. Don't offer services you don't need.
- Firewalling unneeded services. Some argue this is unnecessary. I
consider it a belt-and-suspenders approach. If you're not offering
services, you should block all low-numbered ports (< 1024),
particularly for non-local network segments. The typical exceptions
are SSH and possibly HTTP (ports 22 & 80).
- Monitoring for unusual activity. Tools such as chkrootkit, swatch,
and snort can be used for this.
While commercial router/firewalls are of somewhat limited utility (and
require their own maintenance w/ firmware updates, etc.), your friend
might also benefit from same. Cost is now low (< $100).
> since one of them seemed to prevent him from browsing the internet,
> probably because his older windows box has an xp type infection that
> does nothing to him so his malware cleaners don't fix it but probably
> zone firewall detected it and prevented him from spreading it by
> blocking his net access with 0 explanations.
There's an essay I need to write on ease-of-use at some point....
> I asked him to install the different anit-malware stuff I recently
> switched to for that reason.
Could you clarify why you're apparently trying to install legacy MS
Windows-based anti-malware on a GNU/Linux system?
> The question is does a distribution exist that works better for a guy
> like this given that he won't spend $$?
The general buzz I've heard on Mepis is good. Ubuntu is another
newbie-oriented distro which seems to be both trivial to configure
and security concious.
There are security advantages to running a bootable distro (Mepis,
Knoppix, etc.) with only user state on the HD. Upgrading is simply a
matter of burning a new disk. However performance is markedly slower
than a native install. I'd consider this a moderately severe solution.
> Since this guy is actually posessed of average intelligence, is there
> any way to avoid the >50% malware/spam/pollution content of internet
> traffic other than forced patching at the ISP level?
See above. GNU/Linux is largely immune to the problems plaguing legacy
MS Windows systems.
This *doesn't* mean you can't intentionally shoot yourself in the foot.
If your friend installs malware intentionally, he's hosed. However
there are a number of reasons people typically don't do this. I've
written an essay touching on this following a New York Times article I
was interviewed for:
If you _don't_ provide your friend root access, automate security
updates, and check the system yourself periodically (say,
weekly-monthly), he should do OK.
Additionally, few ISPs take any effective security countermeasures.
There's no margin in it.
> My finite understanding of game theory says that without this
> draconian enforcement of social policy, kind of like what makes debian
> work as well as it does, chaos is guaranteed given the relevant costs
> for misbehavior: 0:
See the essay above. The section titled "Some Cultural Observations" in
particular addresses *why* the situation in the legacy MS Windows world
is as bad as it is, and why it's very unlikely to improve.
It also addresses why the GNU/Linux model, and Debian specifically,
works so well.
> ...therefore I must wonder why we don't have legislation enforcing
> this. Is it companies that wanna get rich selling anti-malware and
> don't care about the consequences? Honestly, at 50% we need to declare
> the emergency and act accordingly.
Well, there _are_ laws, and the overwhelming evidence is that they don't
work. IMVAO, cultural prerogatives trump legislation.
> Average people seem TERRIFYINGLY stupid about net security, they won't
> spend the money or even just get a free download when they need to!
My current advice is "buy a Mac, though I run GNU/Linux myself". The
legacy MS Windows platform is dead, dead, dead from a security PoV.
1. There *are* virus scanners for GNU/Linux. These are almost
exclusivley aimed at systems which are providing services, generally
email or fileserver, for legacy MS Windows systems.
2. ...with a considerable following along GNU/Linux veterans as well.
Karsten M. Self <kmself at ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Many hands make light work.
svlug mailing list
svlug at lists.svlug.org
----- End forwarded message -----
More information about the conspire