Can switching to Linux protect your online identity?
Summary: My ZDNet blogging colleague Jason Perlow has switched his systems over to Linux after his Facebook account was compromised. Can plucky "Tux the Penguin" protect Perlow's digital kingdom? Sadly, I don't think so ...
Now, if someone feels that switching to Linux makes them feel safer, then that's as good a starting point as any. When it comes to operating systems I'm an agnostic, and see the OS as a platform or a tool, as opposed to a religion or a sports team I have to get behind. With more and more people making the shift to the cloud, the OS that you use no longer matters, it's the browser that matters.
But the question here is whether Mr Perlow is protected from future breaches of his digital fortress now that he's switched to Linux. Based on the information he's provided so far, I don't think that he is.
Let's take a look at the evidence to support my case.
First, even after a thorough examination, there's no sign of malware on any of his systems. This might seem like a trivial point, but whenever someone blames malware for anything (and it's common for people to blame malware for anything and everything that goes wrong with their computers), if you can't find a shred of evidence to support the claim, then you might as well blame leprechauns, fairies or Santa for your troubles. Throwing out the notion that it was a "bizarre Facebook virus" just doesn't make sense.
Without evidence, blaming "malware" is a total cop-out.
Was Perlow's password compromised? Well, he claims to have "used a strong mixed alphanumeric password," but this doesn't tell us much. Brute-forcing even a relatively strong password, while not trivial, is not a tough thing to engage in when you have a botnet at your disposal. Even against a strong password, the hacker has the twin advantages of time and luck on their side. This is precisely why we use strong passwords, but still use different passwords for different places.
But it doesn't end there. Even with the best passwords in the world, there are still vulnerabilities that you can do very little about. XSS, XSRF and SQL injection are three possibilities. These are attacks that originate online and leave no local trace. All you need to do is visit a compromised Facebook account (it doesn't have to be a Facebook account, but if you're targeting Facebook users, it's a good place to start), and the flaws in the website itself do the rest. This sort of thing is damn hard to defend against - you have to be vigilant, and change your password at the first sign of trouble.
There's the other nagging issue of why other online accounts belonging to Perlow weren't compromised. I'm thinking of things like Twitter and so on. If he suspects a malware breach, then I hope he's changed every single password he's ever used on those systems.
Oh, and as Columbo would say ... "One more thing ..."
Something else Perlow said caught my attention:
It’s certainly possible that the compromise occurred on another system that I had used to log into FaceBook, such as on a friend’s or a family member’s computer that got infected which had my login credentials cached.
Well there's your (likely) problem! He then goes on to say:
It’s unlikely since I always run something like CCleaner to wipe out all traces before leaving a PC that I had used, but I won’t rule it out.
The problem here is that "using something like CCleaner" might wipe all traces of your browsing off the PC, but if that system was already compromised, then all that prevention is for nothing.
Also, you can have all the security measures in place, but if you then go off and trust a third-party system with your credentials, then that side-steps all the measures you've put in place to protect yourself.
I don't think there's anything wrong with the steps that Perlow's taken to protect his digital kingdom, but personally I think that he's missed the real issue here. What's he going to do if his account is compromised again ... switch to an abacus? After all, Secunia doesn't list any vulnerabilities for that platform ...
Note: Back in the Fall of 2009 I wrote a piece called "Time to ditch Windows for online banking and shopping." Some of you seem to be wondering if my position has changed since then. The answer is "no." What I'm saying here is that if you are making a shift then the reasons need to be clear. In this case, I don't think that switching to Linux is the answer since I don't believe that the OS has played any factor in the leakage of the information. Without discovering malware on the systems in question, my money is on another system being compromised. The moral of the story is be careful what third-party system you use - and if you do need to use an untrusted system, using a Linux bootable ISO might help ;)
Maybe Perlow would be better switching his friends and family to Linux?
Talkback
Jason Perlow is wise beyond his years
Making this choice and showing the way is good.
Jason is making 'security' a top priority over any other interests, unlike yourself.
Folks,
It's not funny any more. 1.5M FB accounts owned by a Russian criminal network? This is very serious.
There's a road side billboard for you if there ever was one.
Take note of what Jason has done.
Also take note that very recently a <a href="http://blogs.computerworld.com/15815/can_ubuntu_save_online_banking">CIO for a Florida bank</a> has opted to provide its customers an Ubuntu CD for doing their on-line Internet banking transactions.
You can keep your Windows core apps in a VirtualBox, or KVM where you can get to them on demand, but make Lucid Lynx your base system for connecting to the Internet.
If you haven't already done so, don't forget to enable your Linux Security Module AppArmor Firefox profile which puts your Internet session in a protected sandbox with:
[b]$sudo aa-enforce /etc/apparmor.d/usr.bin.firefox[/b]
And, be sure to install the FF <a href="https://addons.mozilla.org/en-US/firefox/addon/722">Noscript</a> plugin.
Ubuntu Linux: The safe choice
I stake my reputation on it.
Dietrich T. Schmitz
Linux Advocate
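As an added example (not code from the ZDNet post or any of the commenters), here is a small POSIX shell check that answers the question the comment above leaves to the reader: is the Firefox profile actually being enforced, or merely loaded in complain mode, where AppArmor logs violations but does not block them? It reads the kernel's profile listing, which on a real system lives at /sys/kernel/security/apparmor/profiles and contains one "name (mode)" entry per line; the listing used below is a constructed sample so the script runs offline.

```shell
# Added example: verify the mode of a loaded AppArmor profile by parsing the
# kernel's profile listing (/sys/kernel/security/apparmor/profiles, one
# "name (mode)" per line). The sample listing here is constructed, not
# captured from a real machine; pass the sysfs path on a real Ubuntu system.

# Print the mode (enforce/complain) of profile $2 from listing file $1;
# prints "missing" when no profile of that name is loaded at all.
apparmor_profile_mode() {
    listing="$1"
    profile="$2"
    mode="missing"
    while IFS= read -r line; do
        # Each line looks like: /usr/bin/firefox (enforce)
        name="${line% (*}"
        if [ "$name" = "$profile" ]; then
            mode="${line##* (}"
            mode="${mode%)}"
        fi
    done < "$listing"
    printf '%s\n' "$mode"
}

# Succeed (exit 0) only when the profile is in enforce mode; suitable as a
# one-line health check in a login script or monitoring job.
apparmor_is_enforced() {
    [ "$(apparmor_profile_mode "$1" "$2")" = "enforce" ]
}

# Constructed sample of the sysfs listing: Firefox is loaded but only in
# complain mode, which is the state the aa-enforce command in the comment
# above is meant to fix.
SAMPLE_PROFILES="${TMPDIR:-/tmp}/apparmor_profiles_sample.$$"
cat > "$SAMPLE_PROFILES" <<'EOF'
/usr/bin/firefox (complain)
/usr/bin/firefox//sanitized_helper (enforce)
/usr/sbin/cupsd (enforce)
/sbin/dhclient (enforce)
EOF

if apparmor_is_enforced "$SAMPLE_PROFILES" /usr/bin/firefox; then
    echo "firefox profile is enforced"
else
    echo "firefox profile mode: $(apparmor_profile_mode "$SAMPLE_PROFILES" /usr/bin/firefox)"
    echo "to enforce it: sudo aa-enforce /etc/apparmor.d/usr.bin.firefox"
fi
```

The name comparison is exact, so the sub-profile `/usr/bin/firefox//sanitized_helper` (which Ubuntu's Firefox profile uses for helper programs) is reported separately and does not mask the state of the main profile; a profile that is absent from the listing is reported as "missing", which is a different failure from "complain" and usually means the profile was never loaded rather than set to the wrong mode.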
The dangers of over-confidence
Just because you use Linux and Firefox does not make you invincible. Safe practices (such as strong passwords and being careful what you click on) still apply.
I agree that currently the Linux platform is safer than the Windows platform and that Firefox has some strong protection, but social engineering and unpatched vulnerabilities are still an issue to contend with no matter what platform you use.
How many people are still running Firefox 3.0 or, god forbid, Firefox 2.0 in the mistaken assumption that just because it's Firefox they are safe? And I bet there are quite a few unpatched Gutsy Gibbons in the wild as well.
The point of AppArmor: protection against unpatched vulnerabilities
That's its purpose and that's why it's in every copy of Ubuntu.
It's not a matter of being overconfident--it's a matter of security 'best practices' and having Linux Security Module AppArmor running is proactive and ensures that any Zero-Day exploit will be stopped.
Windows sysadmins, stop chasing windmills.
Still missing the point....
On Ubuntu AppArmor comes pre-configured for common apps like Firefox.
AppArmor isn't meant for securing communications from one computer to..
Actually, I think it's safe to say it really IS the safer platform.
in more people [i]fixing[/i] it.
Disagree
in a barrel'."
You're just re-iterating the crap that this author's article warns against - that this is a malware issue, and can be fixed at the OS level.
[b]We don't know that.[/b]
Modes of infection on Windows vs Linux differ
That alone makes writing exploits that work on Linux 'a challenge'.
One recalls the April 1 Conficker fiasco only to be reminded of just how easy it can be to become infected on Windows by having made an innocent 'drive-by'.
Millions of machines are still infected by it.
The point?
No one questions that there are serious issues with respect to Windows security.
Jason made a determined, reasoned decision to put Windows on 'probation' indefinitely.
By doing so, he does not sacrifice use of W7 Apps as Virtual Box installation makes those apps 'on demand' and transparent.
What he is doing is making a switch to how his base operating system interfaces the Internet.
Linux is sufficiently different (not invulnerable) and protected by AA from Zero-Day exploits that it will be a safe choice for venturing on the Internet FOR A LONG TIME TO COME.
Stay in bounds of the repo system and pick the sites you go to carefully--that goes for all O/S platforms.
False sense of security
I would warn against having a false sense of security because of it.
"One recalls the April 1 Conficker fiasco only to be reminded of just how easy it can be to become infected on Windows by having made an innocent 'drive-by'."
By using a hole in Windows that was patched a long time before it was on everybody's radar - the issue was that people weren't updating. Not only that, but this is in an OS that runs updates automatically, so they had to be disabling the service or ignoring the updates.
"No one questions that there are serious issues with respect to Windows security."
I'd question that there are serious issues with Windows 7 security. The default settings are far better than they used to be, and the OS updates automatically, like any OS should.
The evidence of what really happened is still sketchy. As far as I can tell, he wasn't compromised on his own system. So I still stand by the idea that Windows (especially Vista or 7) can be made secure.
so they had to be disabling the service or ignoring the updates
Keeping your windows pc up to date still requires a fair amount of manual intervention and needs technical knowledge. That's the problem.
This occurs VERY VERY infrequently
Most users need to do nothing to automatically receive the latest patches and updates direct from Microsoft.
The sad fact of the matter is that the VAST majority of PCs infected with Conficker had, in FACT, turned off automatic updates, and Vista machines that had been infected had usually ALSO turned off UAC - usually on the advice of so-called "Experts" who should know better.
False on Windows 7.
again but will be listed as a failure in the log file. This is available to view but only if you drill down within control panel, something non-techies will not do."
In my experience, Windows 7 will keep failed updates available for install in the same place they were available before they failed. I have not experienced Windows 7 hiding a failed update.
Besides, failed updates are rare, and usually minor - the failed updates I've seen are not the big security updates.
my example
So in this example, it needed technical knowledge and manual intervention, including help from technical support to keep my machine up to date. Hardly automatic!
But perhaps this is all better in Win 7...
$sudo aa-enforce
All these tasks are well beyond the skill of an average user. I'm afraid it's an example of how Linux remains inaccessible to ordinary people.
No worse or more confusing than a UAC prompt. And it's a one-time change
Nonsense
That wasn't my message. FF profile is present. It is simple to enable.
you are talking nonsense
So does gksu. What is your point? AppArmor and UAC are different things. UAC's equivalent is gksu on the GUI and sudo on the CLI.
Non-Techi
https://help.ubuntu.com/community/AppArmor
Copy and pasting a command to a terminal is not beyond the average user's skills.